Azure network security group/security rule - address_prefixes and port_ranges

Question

By the definition of Azure python SDK for SecurityRule class:

SecurityRule(protocol, source_address_prefix, destination_address_prefix, access, direction, id=None, description=None, source_port_range=None, destination_port_range=None, source_address_prefixes=None, destination_address_prefixes=None, source_port_ranges=None, destination_port_ranges=None, priority=None, provisioning_state=None, name=None, etag=None)

With source_address_prefixes and destination_port_ranges, we should be able to configure a list of CIDRS or port_ranges, but I can not find a way to check if the configuration is in.

Both portal and "get" do not show the prefixes or ranges.

score 1 · Answer 1 · answered Aug 24 '17 at 15:39

The two parameters you mentioned were added in 1.4.0 released yesterday, there is no sample yet on how to use them. However, you can achieve the same behavior with the former parameters:

async_security_rule = network_client.security_rules.create_or_update(
    self.group_name,
    security_group_name,
    new_security_rule_name,
    {
            'access':azure.mgmt.network.models.SecurityRuleAccess.allow,
            'description':'New Test security rule',
            'destination_address_prefix':'*',
            'destination_port_range':'123-3500',
            'direction':azure.mgmt.network.models.SecurityRuleDirection.outbound,
            'priority':400,
            'protocol':azure.mgmt.network.models.SecurityRuleProtocol.tcp,
            'source_address_prefix':'*',
            'source_port_range':'655',
    }
)
security_rule = async_security_rule.result()

security_rule = self.network_client.security_rules.get(
    self.group_name,
    security_group_name,
    security_rule.name
)
self.assertEqual(security_rule.name, new_security_rule_name)

You just have to use a - joined syntax on destination_port_range. You can also test that using the CLI 2.0, that use this SDK and has NSG commands.

An overview of Network client is available here: https://learn.microsoft.com/python/api/overview/azure/network

Feel free to create an issue on the tracker to ask for samples: https://github.com/Azure/azure-sdk-for-python/issues

To add to that, with the latest SDK, those parameters should now show up in a get call. `source/destination_port_ranges` simply accepts a list of accepted ports or port ranges. For example: `['80', '100-200']`. However, `*` can only be used with the standalone property and not in the list. `source/destination_address_prefixes` accepts a list of CIDR addresses, ex: `['10.0.0.0/24', '11.0.0.0/24']`. To use `*` or a tag (`Internet` or `VirtualNetwork` for example) you must use the singular property. They cannot be used in the list. — Travis Prescott, Aug 25 '17 at 22:52
Next week, CLI 2.0 will release which will allow you to see if these are configured using `nsg rule show`. In an upcoming release, the `nsg rule create/update` commands will be updated to allow you to set these. — Travis Prescott, Aug 25 '17 at 22:57

Azure network security group/security rule - address_prefixes and port_ranges

1 Answers1