Updated – 28/04/2021 – If you are using Application Security Groups (ASG), the script was updated to include the source and destination name of the Application Security Group (ASG) used with Network Security Groups (NSG). Please feel free to leave a comment below for additional improvement.
Updated – 12/03/2021 – The script was updated to include the source and destination addresses. Please feel free to leave a comment below for additional improvement.
In this article, we will share with you how to export all Network Security Groups (NSG) rules from all Azure subscriptions with Azure PowerShell.
Table of Contents
Introduction
Azure Network Security Group (NSG) can help you limit network traffic to resources in a virtual network, you can think of it as your traditional layer 4 firewall. NSG allows you to create rules (ACLs) at the desired level of granularity: network interfaces, individual VMs, or virtual subnets. You can control access by permitting or denying communication between the workloads within a virtual network, from systems on your network(s) via cross-premises connectivity, or direct Internet communication. Each network interface has zero, or one, associated network security group. Each network interface exists in a virtual network subnet. A subnet can also have zero, or one, associated network security group.
In this article, I will share with you a PowerShell script that will help you to get the list of all Network Security Groups (NSGs) in all Azure subscriptions, and then export it to a comma-separated value (CSV) format. This comes in handy when working with many VMs in Azure, and you want to audit all Network Security Group (NSG) rules that you have.
PowerShell script
Here is the script that will do the job for you:
<#
.Synopsis
A script used to export all NSGs rules in all your Azure Subscriptions
.DESCRIPTION
A script used to get the list of all Network Security Groups (NSGs) in all your Azure Subscriptions.
Finally, it will export the report into a csv file in your Azure Cloud Shell storage.
.Notes
Created : 04-January-2021
Updated : 16-September-2021
Version : 3.1
Author : Charbel Nemnom
Twitter : @CharbelNemnom
Blog : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>
$azSubs = Get-AzSubscription
foreach ( $azSub in $azSubs ) {
Set-AzContext -Subscription $azSub | Out-Null
$azSubName = $azSub.Name
$azNsgs = Get-AzNetworkSecurityGroup
foreach ( $azNsg in $azNsgs ) {
# Export custom rules
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg | `
Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, `
@{label = 'NSG Location'; expression = { $azNsg.Location } }, `
@{label = 'Rule Name'; expression = { $_.Name } }, `
@{label = 'Source'; expression = { $_.SourceAddressPrefix } }, `
@{label = 'Source Application Security Group'; expression = { $_.SourceApplicationSecurityGroups.id.Split('/')[-1] } },
@{label = 'Source Port Range'; expression = { $_.SourcePortRange } }, Access, Priority, Direction, `
@{label = 'Destination'; expression = { $_.DestinationAddressPrefix } }, `
@{label = 'Destination Application Security Group'; expression = { $_.DestinationApplicationSecurityGroups.id.Split('/')[-1] } }, `
@{label = 'Destination Port Range'; expression = { $_.DestinationPortRange } }, `
@{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } | `
Export-Csv -Path "$($home)\clouddrive\$azSubName-nsg-rules.csv" -NoTypeInformation -Append -force
# Export default rules
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg -Defaultrules | `
Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, `
@{label = 'NSG Location'; expression = { $azNsg.Location } }, `
@{label = 'Rule Name'; expression = { $_.Name } }, `
@{label = 'Source'; expression = { $_.SourceAddressPrefix } }, `
@{label = 'Source Port Range'; expression = { $_.SourcePortRange } }, Access, Priority, Direction, `
@{label = 'Destination'; expression = { $_.DestinationAddressPrefix } }, `
@{label = 'Destination Port Range'; expression = { $_.DestinationPortRange } }, `
@{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } | `
Export-Csv -Path "$($home)\clouddrive\$azSubName-nsg-rules.csv" -NoTypeInformation -Append -force
# Or you can use the following option to export to a single CSV file and to a local folder on your machine
# Export-Csv -Path ".\Azure-nsg-rules.csv" -NoTypeInformation -Append -force
}
}From the example above, we are exporting the following information:
- Network Security Group (NSG) Name
- Network Security Group (NSG) Location
- For each Network Security Group, I will export the custom rule, as well as the default rule:
- Rule Name
- Source address
- Port Range
- Access
- Priority
- Direction
- Inbound
- Outbound
- Destination address
- Resource Group Name
Run the script
To run the script, you can either install the latest Azure PowerShell version on your machine, or jump over the Cloud Shell (https://shell.azure.com), or use the Azure Cloud Shell Connector in Windows Terminal.
The report will be saved in the clouddrive path following the Azure Subscription name (-nsg-rules.csv).
Switch to the cloud shell storage account and download the CSV files as shown in the figure below.
And here is the final report is shown in CSV format:
Please note that you can accomplish the same thing using Azure CLI, however, I prefer to use Azure PowerShell.
Summary
In this article, I showed you how to export all Network Security Groups (NSG) rules from all your Azure Subscriptions with Azure PowerShell.
Azure Cloud Shell is so powerful, you don’t need to install Azure CLI or PowerShell modules locally on your machine to automate your tasks.
Learn more on how to get the list of Network Security Group with RDP port open.
This is version 1.0 of this tool, do you want additional features? Please feel free to leave a comment below.
Hope this helps!
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
Does not work. All kinds of error messages specifically relating to Expressions are only allowed as the first element of a pipeline
Hello Brandon,
Thanks for your comment. Please note that I just tried it and it works flawlessly.
Please make sure that you copy the code correctly including the backtick (`) and pipes (|). Hope this helps.
HI Charbel
Where can I get a copy of this NSG script
Hello Everett, thanks for your comment.
Please note that you can copy this NSG script from the ‘Code Block’ in the black box here. Could you please confirm that you can copy it? It should work.
Great script! However, the output does not contain source and destination addresses which are crucial to have in any form of a backup copy.
Thank you Marek for the feedback, much appreciated! I have updated the script to include the source and destination addresses. Please check it and let me know if it works for you.
Under Export Default rules you have a single quotation mark instead of an apostrophe
@{label = ‘Source Port Range’;
Should be
@{label = ‘Source Port Range’;
Thank you Stephen for the feedback, much appreciated! I have updated it.
Awesome work! Is it possible to include VM/Network Interface/Subnet association with this script?
Thank you Harpreet for the feedback! Yes, it is possible to include VM/Network Interface/Subnet association with this script.
Great Script. Just what i needed. Thank you for sharing
Hello sir, thanks for the wonderful script , its running fine but it is not displaying the name of ASG in source and destination in NSG rule where we are using Application security group.. ( showing blank over there)
Thank you Deepak for the feedback, please note that I have updated the script to include the Application Security Group (ASG) name in the source and destination for each NSG rule used. Please give it a try and let me know if it works for you. Thanks!
I want to download json of all the NSG in given subscription using PowerShell or any other way.
Hello Suraj, thanks for your comment.
You could try to convert to JSON instead of Export-Csv as follows:
ConvertTo-Json -Depth 12 | Out-File "$($home)\clouddrive\$azSubName-nsg-rules.json"Hope this helps!
Thanks a lot Charbel, it has saved tons of time.
Hi Charbel, I have an export of NSG’s in CSV format which also have fields for “Source Hostname” and “Destination Hostname” which are not used in the NSG deployment but just to keep track of what hosts the source and destination IP’s are. (Used for IAC deployments). The problem is, we have found that several NSGs have been updated in the Azure portal and are different from our source code and when I extract from Azure I don’t have the “Source Hostname” and “Destination Hostname” info as it is not stored by Azure.
I want to compare what is in Azure with our repo files, do you have any suggestions on how I could do this? it is over 200 NSG files, thanks!
Hello Andre, thanks for the comment!
What I would suggest is to get an export from Azure using the PowerShell script as described in this article, and then get an export from your repo, then use the
Compare-Objectcmdlet to do the comparison (see the example here).Hope this helps!
This works flawlessly. Output contains all required information for NSG, thanks a lot.
Thank you, Arijit for the confirmation!
This is great. I’m also trying to pull the activity log and creator of inbound/outbound rules.
Thank you, Pallavi for the good feedback. I will take a note to include in an upcoming release. Thanks!
Wow!! This is great, thanks a lot!
Great script, thank you very much. Pulled out all the info I needed.
I have no clue about PowerShell and I wanted to ask is there a way to add a specific subscription instead of pulling all subscriptions NSG’s?
Hello Jack, thanks for the comment and feedback!
Yes of course you can do that, please add the desired specific subscription to the following variable ($azSubs) at the beginning of the script and it should work.
Hope this helps!