In this article, I will share with you how to export all Network Security Groups (NSG) rules from all Azure Subscriptions with Azure PowerShell.

Contents of this Article

Introduction

Azure Network Security Group (NSG) can help you limit network traffic to resources in a virtual network, you can think of it as your traditional layer 4 firewall. NSG allows you to create rules (ACLs) at the desired level of granularity: network interfaces, individual VMs, or virtual subnets. You can control access by permitting or denying communication between the workloads within a virtual network, from systems on your network(s) via cross-premises connectivity, or direct Internet communication. Each network interface has zero, or one, associated network security group. Each network interface exists in a virtual network subnet. A subnet can also have zero, or one, associated network security group.

In this article, I will share with you a PowerShell script that will help you to get the list of all Network Security Groups (NSGs) in all Azure subscriptions, and then export it to comma-separated value (CSV) format. This comes in handy when working with many VMs in Azure, and you want to audit all Network Security Group (NSG) rules that you have.

PowerShell script

Here is the script that will do the job for you:

<#
.Synopsis
A script used to export all NSGs rules in all your Azure Subscriptions

.DESCRIPTION
A script used to get the list of all Network Security Groups (NSGs) in all your Azure Subscriptions.
Finally, it will export the report into a csv file in your Azure Cloud Shell storage.

.Notes
Created   : 2021-01-04
Version   : 1.0
Author    : Charbel Nemnom
Twitter   : @CharbelNemnom
Blog      : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>

$azSubs = Get-AzSubscription

foreach ( $azSub in $azSubs ) {
    Set-AzContext -Subscription $azSub | Out-Null
    $azSubName = $azSub.Name

    $azNsgs = Get-AzNetworkSecurityGroup 
    
    foreach ( $azNsg in $azNsgs ) {
        # Export custom rules
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg | `
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, `
            @{label = 'NSG Location'; expression = { $azNsg.Location } }, `
            @{label = 'Rule Name'; expression = { $_.Name } }, `
            @{label = 'Port Range'; expression = { $_.DestinationPortRange } }, Access, Priority, Direction, `
            @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } | `
            Export-Csv -Path "$($home)\clouddrive\$azSubName-nsg-rules.csv" -NoTypeInformation -Append
        
        # Export default rules
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg -Defaultrules | `
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, `
            @{label = 'NSG Location'; expression = { $azNsg.Location } }, `
            @{label = 'Rule Name'; expression = { $_.Name } }, `
            @{label = 'Port Range'; expression = { $_.DestinationPortRange } }, Access, Priority, Direction, `
            @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } | `
            Export-Csv -Path "$($home)\clouddrive\$azSubName-nsg-rules.csv" -NoTypeInformation -Append
      
    }    
}

From the example above, I am exporting the following information:

Network Security Group (NSG) Name
Network Security Group (NSG) Location
For each Network Security Group, I will export the custom rule, as well as the default rule:
- Rule Name
- Port Range
- Access
- Priority
- Direction
  - Inbound
  - Outbound
Resource Group Name