
I'm using the Azure Java SDK to deploy resources into Azure. I've gotten this to work with all of my resources (network, subnets, security groups, VMs, VSS, load balancers, etc.). However, the issue I am having is that I am unable to deploy my network security groups with defined network security rules with any syntax that I would consider to be dynamic. I see that objects exist (such as SecurityRuleInner) in which I could define my rules. This method, for example, builds a SecurityRuleInner with the necessary members set:

// Builds the inner (wire-level) rule object from the POJO; every field is set via a setter.
private SecurityRuleInner getSecurityRuleInner(MySecurityRuleData rule) {
    return new SecurityRuleInner()
            .withAccess(rule.getAccessType().get())           // ALLOW or DENY
            .withDirection(rule.getAccessDirection().get())   // INBOUND or OUTBOUND
            .withDestinationAddressPrefix(rule.getDestinationAddress())
            .withDestinationPortRange(rule.getDestinationPort())
            .withSourceAddressPrefix(rule.getSourceAddress())
            .withSourcePortRange(rule.getSourcePort())
            .withName(rule.getName())
            .withProtocol(rule.getProtocol().get())           // TCP, UDP or *
            .withPriority(rule.getPriority());
}

(Note: The "MySecurityRuleData" object here is a POJO storing the information I need to make this rule.)

However, I can find no way to attach this SecurityRuleInner to the actual security groups I'm creating, and I cannot find a way to define security rules other than something like this:

// Fluent-definition form: access and direction are fixed by the entry method
// (allowInbound here), so a separate method is needed for every other combination.
private NetworkSecurityGroup addRuleAllowIn(NetworkSecurityGroup nsg, MySecurityRuleData rule) {
    return nsg.update()
        .defineRule(rule.getName())
        .allowInbound()
        .fromAddress(rule.getSourceAddress())
        .fromPort(Integer.parseInt(rule.getSourcePort()))
        .toAnyAddress()
        .toAnyPort()
        .withAnyProtocol()
        .withPriority(100)
        .attach()
        .apply();
}


Clearly, this is unacceptable, as I would need a method for each possibility (fromAnyAddress with a specific destination port, with a specific destination address, or with a specific source port would each need one method, then any combination of those four possibilities would be its own method too, and then I'd have to have control logic to determine which method to call). That's obviously not good. I can see that in the beta versions of the SDK there were objects that you could define and attach to a network security group. Am I missing something here, or is this syntax gone?

(also asked here: https://social.msdn.microsoft.com/Forums/en-US/93ab70fe-d96d-435c-8808-b8be2a1f4081/azure-deploy-network-security-group-with-dynamic-rules?forum=azureapimgmt)

Edit: For more clarity, please see the NetworkSecurityRule interface. Some examples of the getters from this:

// Read-only view of an existing rule; the fluent definition sets these internally.
void inspect(NetworkSecurityRule s) {
    s.access();                   // the TYPE of access - ALLOW or DENY
    s.direction();                // the DIRECTION of the rule - INBOUND or OUTBOUND
    s.protocol();                 // the PROTOCOL (UDP, TCP or ANY)
    s.destinationAddressPrefix(); // destination address prefix
}

You can see that the .defineRule() syntax sets these internally, but requires a different method to be called to set them. For example, to define an inbound rule you call .allowInbound() or .denyInbound(). The SecurityRule itself will then set Direction to either INBOUND or OUTBOUND, determined by which of these you call, and will also set Access to ALLOW or DENY, again determined by which specific method you've called.
I cannot find either a constructor that accepts ACCESS and DIRECTION, or a setter to send those values, which would create an object that can then be passed to Azure.

Joe
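One way to avoid a method per combination is to branch on each field and walk the fluent stages, since every access/direction entry method returns the same next stage. This is an added example, not code from the question or from the SDK samples; the stage interface names under NetworkSecurityRule.UpdateDefinitionStages, the MySecurityRuleData accessors as used on this page, and "*" as the "any" value for addresses and ports are assumptions.

```java
import com.microsoft.azure.management.network.*;
import com.microsoft.azure.management.network.NetworkSecurityGroup.Update;
import com.microsoft.azure.management.network.NetworkSecurityRule.UpdateDefinitionStages.*;

public final class DynamicNsgRules {
    private static final String ANY = "*"; // Azure's wildcard for "any" address or port (assumed)

    /** Adds one rule to an existing NSG, choosing each fluent stage from the rule POJO's fields. */
    public static NetworkSecurityGroup addRule(NetworkSecurityGroup nsg, MySecurityRuleData rule) {
        Blank<Update> blank = nsg.update().defineRule(rule.getName());
        // All four access/direction entry points return the same WithSourceAddress stage,
        // so one method can branch here instead of needing one method per combination.
        boolean allow = SecurityRuleAccess.ALLOW.equals(rule.getAccessType().get());
        boolean inbound = SecurityRuleDirection.INBOUND.equals(rule.getAccessDirection().get());
        WithSourceAddress<Update> src = allow
                ? (inbound ? blank.allowInbound() : blank.allowOutbound())
                : (inbound ? blank.denyInbound() : blank.denyOutbound());
        WithSourcePort<Update> srcPort = ANY.equals(rule.getSourceAddress())
                ? src.fromAnyAddress() : src.fromAddress(rule.getSourceAddress());
        WithDestinationAddress<Update> dst;
        int[] sp = parseRange(rule.getSourcePort());
        if (sp == null)          dst = srcPort.fromAnyPort();
        else if (sp[0] == sp[1]) dst = srcPort.fromPort(sp[0]);
        else                     dst = srcPort.fromPortRange(sp[0], sp[1]);
        WithDestinationPort<Update> dstPort = ANY.equals(rule.getDestinationAddress())
                ? dst.toAnyAddress() : dst.toAddress(rule.getDestinationAddress());
        WithProtocol<Update> proto;
        int[] dp = parseRange(rule.getDestinationPort());
        if (dp == null)          proto = dstPort.toAnyPort();
        else if (dp[0] == dp[1]) proto = dstPort.toPort(dp[0]);
        else                     proto = dstPort.toPortRange(dp[0], dp[1]);
        // withProtocol takes the enum itself, so "*" (any) needs no separate branch.
        return proto.withProtocol(rule.getProtocol().get())
                .withPriority(rule.getPriority())
                .attach()
                .apply();
    }

    /** "*" or null -> null (any port); "22" -> {22, 22}; "8000-8080" -> {8000, 8080}. */
    static int[] parseRange(String port) {
        if (port == null || ANY.equals(port)) return null;
        String[] parts = port.split("-", 2);
        int lo = Integer.parseInt(parts[0].trim());
        int hi = parts.length == 2 ? Integer.parseInt(parts[1].trim()) : lo;
        if (lo < 0 || hi > 65535 || lo > hi) throw new IllegalArgumentException("bad port range: " + port);
        return new int[] {lo, hi};
    }
}
```

Rejecting malformed port strings up front keeps a bad POJO value from silently becoming a wider rule than intended.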
  • If my understanding is right, do you want to add a new rule to an existing NSG (containing rules)? Maybe this [link](https://github.com/Azure-Samples/network-java-manage-network-security-group/blob/master/src/main/java/com/microsoft/azure/management/network/samples/ManageNetworkSecurityGroup.java) will help. – Shui shengbao Sep 29 '17 at 02:05
  • The purpose of this application is to deploy the entire environment - Network, Subnets, VMs, VSS, Loadbalancers, NetworkSecurityGroups which contain SecurityRules (Example may be that one of the NSG is for the web server. This NSG would have specific rules for that application. Another NSG would be for the management VM. This would allow SSH from specific locations, but SSH into all other equipment. Another NSG is the application server - and so forth). I'd like to have a method to dynamically define these rules (something like my first example), rather than the very specific example 2. – Joe Sep 29 '17 at 12:51
  • The link you've provided is certainly related, and you can see from my second example that this is the specific syntax I'm attempting to avoid. The problem here is that, to use that syntax, I would need a method for every possible combination of rules. One would be allow inbound, with any port, any protocol, to any port, to any address, from any address; one would be allow in, from any port, from some address, to any port, to any... etc. That would require at minimum 8 methods. I see no way to set the rule's internal "ACCESS", "DIRECTION" and those types of things that the other methods set. – Joe Sep 29 '17 at 12:55
  • @Joe: did you ever solve your problem? I have a similar challenge – Kurt Jun 25 '18 at 07:35

0 Answers