I'm trying to read the existing rules in an ARM-mode Network Security Group, but strangely the SourceAddressPrefix property - the one that holds the whitelisted IP range - is reported as a boolean (i.e. the string "True" or "False").
I've tried using Get-AzureRmNetworkSecurityGroup to retrieve the group and reading its ::SecurityRules property, and I've tried $nsg | Get-AzureRmNetworkSecurityRuleConfig as well as $nsg | Get-AzureRmNetworkSecurityRuleConfig -Name MyRule. In every case the SourceAddressPrefix of the returned rules is "True" or "False".
Without that value I can't tell whether a rule for the IP I'm checking already exists. The system lets me set up several rules with identical details as long as the name and priority differ, so right now I'm creating duplicates.
I assume this is some kind of security "feature"? Is there a way to retrieve the actual IP CIDR range that the portal shows?
EDIT - since this keeps coming and going, I'm posting the full code.
The code grabs the IP addresses of all NICs assigned to $proxyResGrp and tries to whitelist them on ports 80 and 443 in the origin resource groups.
$proxyResGrp = "arr"
$originResGrps = "int", "uat", "auth", "live"
# $subscriptionId is assumed to be set earlier in the script (not shown in the post)
Select-AzureRmSubscription -SubscriptionID $subscriptionId -ErrorAction SilentlyContinue -ErrorVariable err | Out-Null
if ( $err ) {
    Login-AzureRmAccount
    Select-AzureRmSubscription -SubscriptionID $subscriptionId -ErrorAction Stop | Out-Null
}
# get the source IPs for the arr
$proxyIPs = Get-AzureRmNetworkInterface -ResourceGroupName $proxyResGrp | % {
    $_.IpConfigurations | % {
        if ( $_.PublicIpAddress.Id -like '*Microsoft.Network/publicIPAddresses*' )
        {
            $ipAddress = Get-AzureRmResource -ResourceId ($_.PublicIpAddress.Id)
            $ip = Get-AzureRmPublicIpAddress -ResourceGroupName $ipAddress.ResourceGroupName -Name $ipAddress.Name
            return @{ IPAddress = $ip.IpAddress; Name = $_.Name }
        }
    }
}
# get NSG for each source resourceGroup and add the inbound rules
$originResGrps | % {
    $originResGrp = $_
    Get-AzureRmNetworkSecurityGroup -ResourceGroupName $originResGrp | % {
        # have to re-get the NSG for some reason
        $nsg = $_
        # NOTE: the line below is a leftover from an earlier version. It uses '=' (assignment)
        # where '-eq' (comparison) was meant and references an undefined $arrIP, so it
        # overwrote SourceAddressPrefix on every rule with a boolean. Kept commented out.
        # $nsg.SecurityRules | ? { $_.SourceAddressPrefix = $arrIP.IPAddress -and $_.DestinationPortRange -eq "80" }
        $rules = $nsg.SecurityRules
        $maxPriority = $rules | Sort Priority -Descending | select Priority -First 1 | % { $_.Priority }
        $isChanged = $false
        foreach ( $proxyIP in $proxyIPs )
        {
            # HTTP
            # $rule = $rules | ? { $_.Name -eq "HTTP-$($arrIP.Name.ToUpper())" }
            $rule = $rules | ? { $_.SourceAddressPrefix -eq $proxyIP.IPAddress -and $_.DestinationPortRange -eq "80" }
            if ( ! $rule )
            {
                $maxPriority += 100
                Write-Host "Creating a rule for HTTP-$($proxyIP.Name.ToUpper()) in nsg '$($nsg.Name)'" -ForegroundColor DarkGreen
                # have to re-get the NSG for some reason
                #Get-AzureRmNetworkSecurityGroup -ResourceGroupName $originResGrp -Name $nsg.Name |
                $nsg |
                    Add-AzureRmNetworkSecurityRuleConfig `
                        -Name "HTTP-$($proxyIP.Name.ToUpper())" `
                        -Protocol Tcp `
                        -SourceAddressPrefix $proxyIP.IPAddress `
                        -SourcePortRange "*" `
                        -DestinationAddressPrefix "*" `
                        -DestinationPortRange "80" `
                        -Access Allow `
                        -Direction Inbound `
                        -Priority $maxPriority
                # Set-AzureRmNetworkSecurityGroup |
                # Out-Null
                $isChanged = $true
            }
            else
            {
                Write-Host "Rule for HTTP-$($proxyIP.Name.ToUpper()) already exists in nsg '$($nsg.Name)'" -ForegroundColor DarkYellow
            }
            # HTTPS
            # $rule = $rules | ? { $_.Name -eq "HTTPS-$($arrIP.Name.ToUpper())" }
            $rule = $rules | ? { $_.SourceAddressPrefix -eq $proxyIP.IPAddress -and $_.DestinationPortRange -eq "443" }
            if ( ! $rule )
            {
                $maxPriority += 100
                Write-Host "Creating a rule for HTTPS-$($proxyIP.Name.ToUpper()) in nsg '$($nsg.Name)'" -ForegroundColor DarkGreen
                # have to re-get the NSG for some reason
                #Get-AzureRmNetworkSecurityGroup -ResourceGroupName $originResGrp -Name $nsg.Name |
                $nsg |
                    Add-AzureRmNetworkSecurityRuleConfig `
                        -Name "HTTPS-$($proxyIP.Name.ToUpper())" `
                        -Protocol Tcp `
                        -SourceAddressPrefix $proxyIP.IPAddress `
                        -SourcePortRange "*" `
                        -DestinationAddressPrefix "*" `
                        -DestinationPortRange "443" `
                        -Access Allow `
                        -Direction Inbound `
                        -Priority $maxPriority
                # Set-AzureRmNetworkSecurityGroup |
                # Out-Null
                $isChanged = $true
            }
            else
            {
                # fixed: the message previously printed $proxyIP.Name where the NSG name was meant
                Write-Host "Rule for HTTPS-$($proxyIP.Name.ToUpper()) already exists in nsg '$($nsg.Name)'" -ForegroundColor DarkYellow
            }
        }
        if ( $isChanged )
        {
            Write-Host "Updating $($nsg.Name)" -ForegroundColor Green
            $nsg | Set-AzureRmNetworkSecurityGroup
        }
    }
}
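An added example, not code from the question or the answer, that reproduces the "True"/"False" symptom offline with constructed stand-in rule objects and shows the comparison a duplicate check needs before adding an inbound allow rule. The function names (New-SampleRules, ConvertTo-CidrPrefix, Test-NsgRuleExists) and the sample addresses are assumptions made for this example; the objects only imitate the fields of an Azure security rule and nothing here talks to Azure.

```powershell
# Added example: why '=' inside a Where-Object filter turns SourceAddressPrefix into a
# boolean, and a duplicate check that compares with -eq on every field defining a rule.
# The rule objects are constructed stand-ins for $nsg.SecurityRules.
Set-StrictMode -Version Latest

function New-SampleRules {
    # Three constructed rules in the shape the checks below expect.
    foreach ($r in @(
        @{ Name = 'HTTP-PROXY1';  Priority = 100; Source = '203.0.113.10';    Port = '80'  },
        @{ Name = 'HTTPS-PROXY1'; Priority = 200; Source = '203.0.113.10/32'; Port = '443' },
        @{ Name = 'ALLOW-VNET';   Priority = 300; Source = 'VirtualNetwork';  Port = '*'   }
    )) {
        [pscustomobject]@{
            Name                     = $r.Name
            Priority                 = $r.Priority
            Protocol                 = 'Tcp'
            Direction                = 'Inbound'
            Access                   = 'Allow'
            SourceAddressPrefix      = $r.Source
            SourcePortRange          = '*'
            DestinationAddressPrefix = '*'
            DestinationPortRange     = $r.Port
        }
    }
}

function ConvertTo-CidrPrefix {
    param([string]$Prefix)
    # A single host may be stored as "1.2.3.4" or "1.2.3.4/32"; treat them as the same
    # prefix. Wildcards and service tags ('*', 'Internet', 'VirtualNetwork') pass through.
    if ($Prefix -match '^\d{1,3}(\.\d{1,3}){3}$') { return "$Prefix/32" }
    return $Prefix
}

function Test-NsgRuleExists {
    param(
        [object[]]$Rules,
        [string]$SourcePrefix,
        [string]$DestinationPort,
        [string]$Protocol  = 'Tcp',
        [string]$Direction = 'Inbound',
        [string]$Access    = 'Allow'
    )
    # Compare (-eq) every field that makes two rules functionally identical; name and
    # priority are deliberately ignored, since differing names are how duplicates slip in.
    $wanted = ConvertTo-CidrPrefix $SourcePrefix
    $match = $Rules | Where-Object {
        (ConvertTo-CidrPrefix $_.SourceAddressPrefix) -eq $wanted -and
        $_.DestinationPortRange -eq $DestinationPort -and
        $_.Protocol  -eq $Protocol -and
        $_.Direction -eq $Direction -and
        $_.Access    -eq $Access
    }
    return [bool]$match
}

# 1) Correct comparison: -eq reads the objects and leaves them untouched.
$rules = @(New-SampleRules)
Test-NsgRuleExists -Rules $rules -SourcePrefix '203.0.113.10' -DestinationPort '80'
Test-NsgRuleExists -Rules $rules -SourcePrefix '203.0.113.10' -DestinationPort '443'
Test-NsgRuleExists -Rules $rules -SourcePrefix '203.0.113.99' -DestinationPort '80'
$rules | Select-Object Name, SourceAddressPrefix

# 2) The pitfall: '=' is assignment, so this filter writes the result of the -and
#    expression into SourceAddressPrefix on every rule instead of testing it.
$mutated = @(New-SampleRules)
$mutated | Where-Object { $_.SourceAddressPrefix = ('203.0.113.10' -and $_.DestinationPortRange -eq '80') } | Out-Null
$mutated | Select-Object Name, SourceAddressPrefix
```

In PowerShell a single `=` inside a script block is always assignment, never comparison, so a filter written as `{ $_.SourceAddressPrefix = ... }` rewrites the property on each rule it visits with a boolean, and every later read of those in-memory rules shows "True" or "False" regardless of which cmdlet retrieved them. The first section returns True, True (the bare host and its /32 form are treated as the same prefix) and False, and the rules keep their CIDR values; the second section shows HTTP-PROXY1 with SourceAddressPrefix True and the other two with False. Checking for an existing rule with `Test-NsgRuleExists` before calling Add-AzureRmNetworkSecurityRuleConfig is what prevents the duplicate rules the question describes.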
Answer 0 (score: 0)
So this works for me:
$a = Get-AzureRmNetworkSecurityGroup -Name $NSG_Name -ResourceGroupName $RG_Name
PS C:\WINDOWS\system32> $a.SecurityRules[1].sourceaddressprefix
10.0.0.0/23
PS C:\WINDOWS\system32> $a.SecurityRules[0].sourceaddressprefix
*
I suggest you update your PowerShell module.