Export All NSG Rules from All Azure Subscriptions With PowerShell

| ,

Published on | Updated on January 4, 2021

3 Min. Read

In this article, I will share with you how to export all Network Security Groups (NSG) rules from all Azure Subscriptions with Azure PowerShell.

Introduction

Azure Network Security Group (NSG) can help you limit network traffic to resources in a virtual network, you can think of it as your traditional layer 4 firewall. NSG allows you to create rules (ACLs) at the desired level of granularity: network interfaces, individual VMs, or virtual subnets. You can control access by permitting or denying communication between the workloads within a virtual network, from systems on your network(s) via cross-premises connectivity, or direct Internet communication. Each network interface has zero, or one, associated network security group. Each network interface exists in a virtual network subnet. A subnet can also have zero, or one, associated network security group.

In this article, I will share with you a PowerShell script that will help you to get the list of all Network Security Groups (NSGs) in all Azure subscriptions, and then export it to comma-separated value (CSV) format. This comes in handy when working with many VMs in Azure, and you want to audit all Network Security Group (NSG) rules that you have.

PowerShell script

Here is the script that will do the job for you:

<#
.Synopsis
A script used to export all NSGs rules in all your Azure Subscriptions

.DESCRIPTION
A script used to get the list of all Network Security Groups (NSGs) in all your Azure Subscriptions.
Finally, it will export the report into a csv file in your Azure Cloud Shell storage.

.Notes
Created   : 2021-01-04
Version   : 1.0
Author    : Charbel Nemnom
Twitter   : @CharbelNemnom
Blog      : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>

$azSubs = Get-AzSubscription

foreach ( $azSub in $azSubs ) {
    Set-AzContext -Subscription $azSub | Out-Null
    $azSubName = $azSub.Name

    $azNsgs = Get-AzNetworkSecurityGroup 
    
    foreach ( $azNsg in $azNsgs ) {
        # Export custom rules
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg | `
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, `
            @{label = 'NSG Location'; expression = { $azNsg.Location } }, `
            @{label = 'Rule Name'; expression = { $_.Name } }, `
            @{label = 'Port Range'; expression = { $_.DestinationPortRange } }, Access, Priority, Direction, `
            @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } | `
            Export-Csv -Path "$($home)\clouddrive\$azSubName-nsg-rules.csv" -NoTypeInformation -Append
        
        # Export default rules
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg -Defaultrules | `
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, `
            @{label = 'NSG Location'; expression = { $azNsg.Location } }, `
            @{label = 'Rule Name'; expression = { $_.Name } }, `
            @{label = 'Port Range'; expression = { $_.DestinationPortRange } }, Access, Priority, Direction, `
            @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } | `
            Export-Csv -Path "$($home)\clouddrive\$azSubName-nsg-rules.csv" -NoTypeInformation -Append
      
    }    
}

From the example above, I am exporting the following information:

  • Network Security Group (NSG) Name
  • Network Security Group (NSG) Location
  • For each Network Security Group, I will export the custom rule, as well as the default rule:
    • Rule Name
    • Port Range
    • Access
    • Priority
    • Direction
      • Inbound
      • Outbound
  • Resource Group Name

Run the script

To run the script, you can either install the latest Azure PowerShell version on your machine, or jump over the Cloud Shell (https://shell.azure.com), or use the Azure Cloud Shell Connector in Windows Terminal.

Export All NSG Rules from All Azure Subscriptions With PowerShell 1

The report will be saved in the clouddrive path following the Azure Subscription name (-nsg-rules.csv).

Export All NSG Rules from All Azure Subscriptions With PowerShell 2

Switch to the cloud shell storage account and download the CSV files as shown in the figure below.

Export All NSG Rules from All Azure Subscriptions With PowerShell 3

And here is the final report showing in CSV format:

Export All NSG Rules from All Azure Subscriptions With PowerShell 4

Please note that you can accomplish the same thing using Azure CLI, however, I prefer to use Azure PowerShell.

Summary

In this article, I showed you how to export all Network Security Groups (NSG) rules from all your Azure Subscriptions with Azure PowerShell.

Azure Cloud Shell is so powerful, you don’t need to install Azure CLI or PowerShell modules locally on your machine to automate your tasks.

Learn more on how to get the list of Network Security Group with RDP port open.

This is version 1.0 of this tool, do you want additional features? Please feel free to leave a comment below.

Hope this helps!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts

Previous

Reflecting on 2020… Goodbye 2020 and Welcome 2021! #HappyNewYear

How To Export and Backup Azure Policy Definitions

Next

Leave a comment below...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Charbel Nemnom’s Blog

Get the latest posts delivered right to your inbox

The content of this website is copyrighted to not plagiarize content!

Please say hello to the author using this form for any script you like.

Thank you for visiting!