
I want to list all the ports in the inbound rules that are open for a VM, using PowerShell.

I have found that Network Security Groups are attached either to NICs or to VNets.

Can anyone share a script with which I can see the inbound rules for a VM using PowerShell?

Tushar Raichand

1 Answer

Try the command below; $rule is what you want, you could check it with $rule.Name.

$rgs = (Get-AzResourceGroup).ResourceGroupName
foreach($rg in $rgs){

  $vms = (Get-AzVM -ResourceGroupName $rg).Name

  foreach($vm in $vms){

    # NIC name is the 9th segment of the NIC resource id (takes the first NIC if the VM has several)
    $nicname = ((Get-AzVM -ResourceGroupName $rg -Name $vm).NetworkProfile.NetworkInterfaces.Id -split "/")[8]

    # NSG attached to the NIC itself (may be absent, so guard against a null name)
    $nic = Get-AzResource -ResourceGroupName $rg -ResourceType Microsoft.Network/networkInterfaces -ResourceName "$nicname" -ApiVersion 2018-07-01
    $nsgnic = ($nic.properties.networkSecurityGroup.id -split "/")[8]
    $rulenic1 = @()
    if($nsgnic){
      $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgnic
      $rulenic = $nsg.SecurityRules | Where-Object {$_.Direction -eq 'Inbound'}
      $ruledefault = $nsg.DefaultSecurityRules | Where-Object {$_.Direction -eq 'Inbound'}
      $rulenic1 = $rulenic + $ruledefault
    }

    # NSG attached to the NIC's subnet (may be absent as well)
    $subnetid = (Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicname).IpConfigurations.Subnet.Id
    $vnetname = ($subnetid -split "/")[8]
    $subname = ($subnetid -split "/")[10]

    $subnet = Get-AzResource -ResourceGroupName $rg -ResourceType Microsoft.Network/virtualNetworks/subnets -ResourceName "$vnetname/$subname" -ApiVersion 2018-07-01
    $nsgsub = ($subnet.properties.networkSecurityGroup.id -split "/")[8]
    $rulsub1 = @()
    if($nsgsub){
      $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgsub
      $rulesub = $nsg.SecurityRules | Where-Object {$_.Direction -eq 'Inbound'}
      $ruledefault1 = $nsg.DefaultSecurityRules | Where-Object {$_.Direction -eq 'Inbound'}
      $rulsub1 = $rulesub + $ruledefault1
    }

    # Combined inbound rules (NIC level plus subnet level) for this VM
    $rule = $rulenic1 + $rulsub1
    Write-Output $rule.Name

  }

}

I tested it in one resource group; for the whole subscription, just add a loop like the one above.

Joy Wang
  • The script is trying to execute some NULL values. Receiving an error for the same: Get-AzureRmNetworkSecurityGroup : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again. At line:13 char:78 – Tushar Raichand Apr 18 '19 at 12:10
  • Also getting wrong output for some of the instances. – Tushar Raichand Apr 18 '19 at 12:11
  • @TusharRaichand Does the subnet of the VM have an NSG? My sample is for NSGs attached to the NIC and the subnet; if the subnet does not have an NSG, `$rulenic1` is the result, and it is unnecessary to add `$rulsub1`. – Joy Wang Apr 18 '19 at 12:23
  • It might or might not have an NSG. – Tushar Raichand Apr 18 '19 at 12:24
  • @TusharRaichand I ignored this point; you could just add an `if` statement to check `$nsgsub`, and if it is null, skip it. I have no PC to test for you now, you could try it first, it should work. – Joy Wang Apr 18 '19 at 12:34
  • Yes, you are right, it will work! But the data we are getting is still wrong. It seems the logic is still wrong. For an instance, wrong rules are showing up. – Tushar Raichand Apr 18 '19 at 12:40
  • @TusharRaichand Seems to be weird, it works fine on my side. Could you add the correct rule screenshot and the wrong result to your question? I will look into it tomorrow. – Joy Wang Apr 18 '19 at 12:46
  • @TusharRaichand Maybe I found the reason: my VM just has one NIC, maybe yours has several NICs, and every NIC may have an NSG. I missed the different scenarios; need to check and loop over them. – Joy Wang Apr 18 '19 at 12:57
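As an added example (not code from the answer above), here is a script that covers the cases raised in the comments: no NSG at one scope, several NICs, and an NSG living in a different resource group than the VM. It resolves NSGs from their resource ids, merges custom and default inbound rules per scope, and flags Allow rules whose source is any address. The Az cmdlets are real; the script, its function names and its parameters are my own, and it assumes Az.Compute/Az.Network are loaded and Connect-AzAccount has been run.

```powershell
# Effective inbound NSG rules for one VM across all NICs and their subnets (added example).
# Assumes Az modules are loaded and you are logged in with Connect-AzAccount.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $VMName
)

# Resource ids look like /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>:
# segment 4 is the resource group, segment 8 the name (segment 10 for a subnet).
function Get-NsgFromId([string] $Id) {
    if ([string]::IsNullOrEmpty($Id)) { return $null }   # nothing attached at this scope
    $p = $Id -split '/'
    return Get-AzNetworkSecurityGroup -ResourceGroupName $p[4] -Name $p[8]
}

# Custom plus default rules of one NSG, inbound only, flattened to one object per rule.
function Get-InboundRules($Nsg, [string] $Scope) {
    if (-not $Nsg) { return }
    (@($Nsg.SecurityRules) + @($Nsg.DefaultSecurityRules)) |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $srcs = @($_.SourceAddressPrefix)
            $anySrc = @($srcs | Where-Object { $_ -in '*', '0.0.0.0/0', 'Internet' }).Count -gt 0
            [pscustomobject]@{
                Scope     = $Scope
                Nsg       = $Nsg.Name
                Priority  = $_.Priority
                Name      = $_.Name
                Access    = $_.Access
                Protocol  = $_.Protocol
                Source    = ($srcs -join ',')
                DestPorts = (@($_.DestinationPortRange) -join ',')
                OpenToAny = ($_.Access -eq 'Allow' -and $anySrc)   # review these first
            }
        }
}

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$rules = foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
    Get-InboundRules (Get-NsgFromId $nic.NetworkSecurityGroup.Id) "NIC:$($nic.Name)"
    foreach ($ipcfg in $nic.IpConfigurations) {
        $s = $ipcfg.Subnet.Id -split '/'
        $vnet = Get-AzVirtualNetwork -ResourceGroupName $s[4] -Name $s[8]
        $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $s[10]
        Get-InboundRules (Get-NsgFromId $subnet.NetworkSecurityGroup.Id) "Subnet:$($s[10])"
    }
}
$rules | Sort-Object Scope, Priority | Format-Table -AutoSize
```

Inbound traffic must pass the subnet NSG before the NIC NSG, so read the two scopes together: a port is only exposed if an Allow rule wins at both levels.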