Export All NSG Rules from All Azure Subscriptions with PowerShell

Updated – 27/09/2023 – The tool is updated to include the list of Protocols that are part of your NSG rules (Any, TCP, UDP, or ICMP).

Updated – 18/07/2023 – The tool now will export Network Security Groups (NSG) assignments for network interfaces and subnets. Please feel free to leave a comment below for additional improvement.

Updated – 25/05/2023 – If you are using Application Security Groups (ASG), the script was updated to support multiple ASGs in one NSG rule. Please feel free to leave a comment below for additional improvement.

Updated – 28/04/2021 – If you are using Application Security Groups (ASG), the script was updated to include the source and destination name of the Application Security Group (ASG) used with Network Security Groups (NSG). Please feel free to leave a comment below for additional improvement.

Updated – 12/03/2021 – The script now includes the source and destination addresses. Please feel free to leave a comment below for additional improvement.

In this article, we will share with you how to export all Network Security Groups (NSG) rules from all Azure subscriptions with Azure PowerShell.

Introduction

Azure Network Security Group (NSG) can help you limit network traffic to resources in a virtual network, you can think of it as your traditional layer 4 Firewall. NSG allows you to create rules (ACLs) at the desired level of granularity: network interfaces, individual VMs, or virtual subnets. You can control access by permitting or denying communication between the workloads within a virtual network, from systems on your network(s) via cross-premises connectivity, or direct Internet communication. Each network interface has zero, or one, associated network security group. Each network interface exists in a virtual network subnet. A subnet can also have zero, or one, associated network security group.

In this article, we will share with you a PowerShell script that will help you to get the list of all Network Security Groups (NSGs) in all Azure subscriptions, and then export it to a comma-separated value (CSV) format. This comes in handy when working with many VMs in Azure, and you want to audit all Network Security Group (NSG) rules you have.

Prerequisites

To follow this guide, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) You need one or more Network Security Group (NSG) rules.

3) If you want to run this tool locally, then make sure the Azure PowerShell (Az module) is installed locally on your machine.

You can use the following PowerShell command to install and update the “Az module”. You need the Az PowerShell module version 9.2.0 or later.

# Make sure you have the latest version of PowerShellGet installed
Install-Module -Name PowerShellGet -Force

# Install and update to the latest Az PowerShell module
Install-Module -Name Az -AllowClobber -Force

Assuming you have all the prerequisites in place, run the following PowerShell tool.

Export All NSG Rules using PowerShell

Here is the script that will do the job for you:

<#
.Synopsis
A script used to export all NSGs rules in all your Azure Subscriptions

.DESCRIPTION
A script is used to get the list of all Network Security Groups (NSGs) in all your Azure Subscriptions.
Finally, it will export the report into a CSV file in your Azure Cloud Shell storage or locally on your machine.

.Notes
Created   : 04-January-2021
Updated   : 27-September-2023
Version   : 3.6
Author    : Charbel Nemnom (MVP/MCT)
Twitter   : @CharbelNemnom
Blog      : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>

#! Install Az Module If Needed
function Install-Module-If-Needed {
    param([string]$ModuleName) 
    if (Get-Module -ListAvailable -Name $ModuleName -Verbose:$false) {
        Write-Host "Module '$($ModuleName)' already exists, continue..." -ForegroundColor Green
    } 
    else {
        Write-Host "Module '$($ModuleName)' does not exist, installing..." -ForegroundColor Yellow
        Install-Module $ModuleName -Force  -AllowClobber -ErrorAction Stop
        Write-Host "Module '$($ModuleName)' installed." -ForegroundColor Green
    }
}

#! Install Az Accounts Module If Needed
Install-Module-If-Needed Az.Accounts

#! Install Az Network Module If Needed
Install-Module-If-Needed Az.Network

#! Check Azure Connection
Try { 
    Write-Verbose "Connecting to Azure Cloud..." 
    Connect-AzAccount -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null 
}
Catch { 
    Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!" 
    Break 
}

#! Get all Azure Subscriptions
$azSubs = Get-AzSubscription

#! Use the following if you want to select a specific Azure Subscription
$azSubs = Get-AzSubscription | Out-Gridview -PassThru -Title 'Select Azure Subscription'

foreach ( $azSub in $azSubs ) {
    Set-AzContext -Subscription $azSub | Out-Null
    $azSubName = $azSub.Name

    $azNsgs = Get-AzNetworkSecurityGroup | Where-Object {$_.Id -ne $NULL}
    
    foreach ( $azNsg in $azNsgs ) {
        # Export custom rules
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg | `
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, `
            @{label = 'NSG Location'; expression = { $azNsg.Location } }, `
            @{label = 'Rule Name'; expression = { $_.Name } }, `
            @{label = 'Source'; expression = { $_.SourceAddressPrefix } }, `
            @{label = 'Source Application Security Group'; expression = { foreach ($Asg in $_.SourceApplicationSecurityGroups) {$Asg.id.Split('/')[-1]} } }, `
            @{label = 'Source Port Range'; expression = { $_.SourcePortRange } }, Access, Priority, Direction, Protocol, `
            @{label = 'Destination'; expression = { $_.DestinationAddressPrefix } }, `
            @{label = 'Destination Application Security Group'; expression = { foreach ($Asg in $_.DestinationApplicationSecurityGroups) {$Asg.id.Split('/')[-1]} } }, `
            @{label = 'Destination Port Range'; expression = { $_.DestinationPortRange } }, `
            @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } }, `
            @{label = 'NIC Assignment Name'; expression = { $azNsg.NetworkInterfaces.Id.split('/')[-1] } }, `
            @{label = 'Subnet Assignment Name'; expression = { $azNsg.Subnets.Id.split('/')[-1] } } | `
            # Export to Azure Cloud Shell drive
            # Export-Csv -Path "$($home)\clouddrive\$azSubName-nsg-rules.csv" -NoTypeInformation -Append -force
            # Or you can use the following syntax to export to a single CSV file and to a local folder on your machine
            Export-Csv -Path ".\Azure-nsg-rules.csv" -NoTypeInformation -Append -force
        
        # Export default rules
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg -Defaultrules | `
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, `
            @{label = 'NSG Location'; expression = { $azNsg.Location } }, `
            @{label = 'Rule Name'; expression = { $_.Name } }, `
            @{label = 'Source'; expression = { $_.SourceAddressPrefix } }, `
            @{label = 'Source Port Range'; expression = { $_.SourcePortRange } }, Access, Priority, Direction, Protocol, `
            @{label = 'Destination'; expression = { $_.DestinationAddressPrefix } }, `
            @{label = 'Destination Port Range'; expression = { $_.DestinationPortRange } }, `
            @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } }, `
            @{label = 'NIC Assignment Name'; expression = { $azNsg.NetworkInterfaces.Id.split('/')[-1] } }, `
            @{label = 'Subnet Assignment Name'; expression = { $azNsg.Subnets.Id.split('/')[-1] } } | `
            # Export to Azure Cloud Shell drive
            # Export-Csv -Path "$($home)\clouddrive\$azSubName-nsg-rules.csv" -NoTypeInformation -Append -force
            # Or you can use the following syntax to export to a single CSV file and to a local folder on your machine
            Export-Csv -Path ".\Azure-nsg-rules.csv" -NoTypeInformation -Append -force
      
    }    
}

From the example above, we are exporting the following information:

• Network Security Group (NSG) Name
• Network Security Group (NSG) Location
• For each Network Security Group, we will export the custom rule, as well as the default rule:
  • Rule Name
  • Source address
  • Port Range
  • Access
  • Priority
  • Direction
    • Inbound
    • Outbound
  • Destination address
• Resource Group Name

Run the script

To run the script, you can either install the latest Azure PowerShell version on your machine, you can jump over the Cloud Shell (https://shell.azure.com), or use the Azure Cloud Shell Connector in Windows Terminal.

The report will be saved in the clouddrive path following the Azure Subscription name (-nsg-rules.csv).

Switch to the cloud shell storage account and download the CSV files as shown in the figure below.

And here is the final report is shown in CSV format:

Please note that you can accomplish the same thing using Azure CLI, however, I prefer to use Azure PowerShell.

Summary

In this article, we showed you how to export all Network Security Groups (NSG) rules from all your Azure Subscriptions with Azure PowerShell.

Azure Cloud Shell is so powerful, that you don’t need to install Azure CLI or PowerShell modules locally on your machine to automate your tasks.

Learn more on how to get the list of Network Security Group with RDP port open.

This is version 3.0 of this tool, do you want additional features? Please feel free to leave a comment below.

Hope this helps!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-