這個腳本用於輸出 ARM 模式下虛擬機所套用的 NSG 規則，對於多網卡虛擬機也同樣適用。它會輸出所有網絡接口上掛載的 NSG，以及虛擬機所在子網上掛載的 NSG。注意：腳本預設只列出 NSG 的自訂規則（SecurityRules），Azure 的預設規則（DefaultSecurityRules）不會顯示，評估實際生效的存取控制時需一併考慮預設規則。
腳本如下:
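<#
.SYNOPSIS
  Lists the network security group (NSG) rules that apply to an ARM virtual machine.
.DESCRIPTION
  Signs in to the given Azure environment interactively, selects the subscription,
  then collects the rules of every NSG attached to the VM's network interfaces and
  to the subnets those interfaces are placed in, and shows them in a grid view.
.PARAMETER SubscriptionName
  Subscription to run all operations in.
.PARAMETER ResourceGroupName
  Resource group that contains the virtual machine.
.PARAMETER VMName
  Name of the virtual machine.
.PARAMETER EnvironmentName
  Azure environment to sign in to. Defaults to AzureChinaCloud, the value the
  script used to hard-code, so existing invocations behave the same.
#>
param(
    #The name of the subscription to take all the operations within.
    [Parameter(Mandatory = $true)]
    [string]$SubscriptionName,
    # Resource Group Name.
    [Parameter(Mandatory = $true)]
    [string]$ResourceGroupName,
    # Virtual Machine Name.
    [Parameter(Mandatory = $true)]
    [string]$VMName,
    # Azure environment; optional so that callers that never passed it are unaffected.
    [Parameter(Mandatory = $false)]
    [string]$EnvironmentName = "AzureChinaCloud"
)
# Abort on the first failing cmdlet. Without this a failed sign-in or a mistyped
# subscription name is only reported as a non-terminating error and the later
# Get-AzureRm* calls run against whatever context is already cached in the
# session -- possibly a different subscription holding a VM of the same name.
$ErrorActionPreference = "Stop";
# Interactive prompt; the credential is held in memory for this session only and
# is never written to disk or passed on the command line.
# NOTE(review): -Credential is a username/password sign-in and cannot complete an
# MFA-enforced login -- confirm this for the accounts that run the script.
$cred = Get-Credential;
Login-AzureRmAccount -EnvironmentName $EnvironmentName -Credential $cred;
Select-AzureRmSubscription -SubscriptionName $SubscriptionName;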
Function GetResourceNameFromResourceId($resourceId)
{
    # The resource name is the final '/'-delimited segment of an ARM resource ID.
    # Same results as the Substring/LastIndexOf form: an ID without any '/' is
    # returned whole, and an ID that ends in '/' yields an empty string.
    $segments = $resourceId.Split('/');
    return $segments[-1];
}
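Function GetResourcePropertyFromResourceId($resourceId, $propertyName)
{
    # Returns the path segment that follows $propertyName in an ARM resource ID,
    # e.g. 'resourceGroups' -> the resource group name, 'virtualNetworks' -> the
    # VNet name.
    #
    # Matches whole segments and ignores case: ARM resource IDs are case-insensitive
    # and the casing of segments such as 'resourceGroups' is not consistent across
    # APIs. The previous case-sensitive IndexOf search returned a wrong slice when
    # the casing differed and threw when the property was the last segment.
    # Throws a clear error when $propertyName is not followed by a value in the ID.
    $segments = ([string]$resourceId) -split '/';
    for ($i = 0; $i -lt $segments.Length - 1; $i++)
    {
        if ($segments[$i] -ieq $propertyName)
        {
            return $segments[$i + 1];
        }
    }
    throw "Resource ID '$resourceId' does not contain a '$propertyName/<value>' segment.";
}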
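# Appends the rules of one NSG to $target as the hashtables the grid view displays.
# Only $nsg.SecurityRules (the custom rules) are added unless $includeDefaultRules
# is set, in which case $nsg.DefaultSecurityRules are appended as well with
# " (default)" added to the category so the two kinds stay distinguishable.
Function AddNsgRuleRows($nsg, $category, $includeDefaultRules, $target)
{
    $ruleSets = @(@{Rules = $nsg.SecurityRules; Category = $category});
    if ($includeDefaultRules)
    {
        $ruleSets += @{Rules = $nsg.DefaultSecurityRules; Category = "$category (default)"};
    }
    foreach ($ruleSet in $ruleSets)
    {
        foreach ($rule in $ruleSet.Rules)
        {
            # [void] discards ArrayList.Add's index return value, which otherwise leaks
            # into the function's output stream and is printed as stray numbers.
            # The "Catagory" key is kept as-is so the grid header matches earlier runs.
            [void]$target.Add(@{RuleName=$rule.Name; Protocol=$rule.Protocol; Source=$rule.SourceAddressPrefix; SourcePort=$rule.SourcePortRange; Dest=$rule.DestinationAddressPrefix; DestPortRange=$rule.DestinationPortRange; Access=$rule.Access; Priority=$rule.Priority; Direction=$rule.Direction; Catagory=$ruleSet.Category;});
        }
    }
}

# Shows, in a grid view, the NSG rules that apply to every network interface of $vm:
# the NSG attached to the interface itself and the NSG attached to the subnet of each
# of its IP configurations. An NSG referenced more than once is listed only once.
# -IncludeDefaultRules additionally lists Azure's default rules of each NSG; the
# default (off) matches the previous behaviour of listing custom rules only.
Function PrintVirtualMachineNetworkSecurityRules($vm, [switch]$IncludeDefaultRules)
{
    $rows = New-Object System.Collections.ArrayList;
    # ARM resource IDs are case-insensitive, so de-duplicate ignoring case; the previous
    # ArrayList.Contains check would list the same NSG twice if two references differed
    # only in casing.
    $seenNsgIds = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase);

    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces)
    {
        $nicName = GetResourceNameFromResourceId $nicRef.Id;
        $nicRgName = GetResourcePropertyFromResourceId $nicRef.Id "resourceGroups";
        $nic = Get-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $nicRgName;

        # NSG attached directly to the interface. HashSet.Add returns $false when the ID
        # was already seen, which skips the duplicate in one step.
        $nicNsgId = $nic.NetworkSecurityGroup.Id;
        if ($nicNsgId -and $seenNsgIds.Add($nicNsgId))
        {
            $nicNsg = Get-AzureRmNetworkSecurityGroup -Name (GetResourceNameFromResourceId $nicNsgId) -ResourceGroupName (GetResourcePropertyFromResourceId $nicNsgId "resourceGroups");
            AddNsgRuleRows $nicNsg "Interface NSG" $IncludeDefaultRules $rows;
        }

        # NSG attached to the subnet of each IP configuration. The previous code read
        # $nic.IpConfigurations.Subnet.Id, which is an array once a NIC has more than one
        # IP configuration and then broke the string helpers.
        foreach ($ipConfig in $nic.IpConfigurations)
        {
            $subnetId = $ipConfig.Subnet.Id;
            if (-not $subnetId) { continue; }
            $vnetRgName = GetResourcePropertyFromResourceId $subnetId "resourceGroups";
            $vnetName = GetResourcePropertyFromResourceId $subnetId "virtualNetworks";
            $vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $vnetRgName;
            $subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name (GetResourceNameFromResourceId $subnetId) -VirtualNetwork $vnet;
            $subnetNsgId = $subnet.NetworkSecurityGroup.Id;
            if ($subnetNsgId -and $seenNsgIds.Add($subnetNsgId))
            {
                $subnetNsg = Get-AzureRmNetworkSecurityGroup -Name (GetResourceNameFromResourceId $subnetNsgId) -ResourceGroupName (GetResourcePropertyFromResourceId $subnetNsgId "resourceGroups");
                AddNsgRuleRows $subnetNsg "Subnet NSG" $IncludeDefaultRules $rows;
            }
        }
    }

    # Say so explicitly when nothing is attached: an empty grid is easy to misread as
    # "rules exist but none matched", whereas no NSG at all is the finding to report.
    if ($rows.Count -eq 0)
    {
        Write-Warning "No network security group is attached to any network interface or subnet of VM '$($vm.Name)'.";
        return;
    }

    $rows | Select-Object @{Name="Name"; Expression={$_["RuleName"]}}, @{Name="Protocol";Expression={$_["Protocol"]}}, @{Name="Source"; Expression={$_["Source"]}}, @{Name="SourcePort"; Expression={$_["SourcePort"]}}, @{Name="Dest"; Expression={$_["Dest"]}}, @{Name="DestPortRange"; Expression={$_["DestPortRange"]}}, @{Name="Access"; Expression={$_["Access"]}}, @{Name="Priority"; Expression={$_["Priority"]}}, @{Name="Direction"; Expression={$_["Direction"]}}, @{Name="Catagory"; Expression={$_["Catagory"]}} | Out-GridView;
}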
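# Resolve the VM and list its NSG rules. -ErrorAction Stop makes a mistyped VM or
# resource group name abort here instead of passing $null on, which would otherwise
# iterate over no interfaces and silently produce no rules at all.
$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName -ErrorAction Stop;
PrintVirtualMachineNetworkSecurityRules $vm;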
調用方法（在 PowerShell 中執行；檔名含有 `[`、`]`，而方括號在 PowerShell 路徑中是萬用字元，若直接執行失敗，請改用 `&` 呼叫並把路徑加上引號或以反引號跳脫方括號，或將檔案改名）:
& '.\[ARM]show_virtual_machine_nsgs.ps1' -SubscriptionName <Subscription Name> -ResourceGroupName <ResourceGroupName> -VMName <VM Name>
輸出結果: