Managing Azure firewall and virtual networks with PowerShell

Using the Azure Portal, we can easily manage virtual networks and firewall settings in any given Azure Storage Account, and we have a brief overview of the steps required to configure them in the following section of this article. However, our focus will be creating a Runbook using Azure Automation to configure all Storage Accounts in any given subscription. All Storage Accounts will be set to use all existing virtual networks in their security settings, as well as static public IPs.

The idea behind the automation is to show how you could enforce compliance with your business requirements in this area.

Checking the firewall and virtual network feature using the Azure Portal

Logged on to the Azure Portal, select the desired Storage Account and click on Firewalls and virtual networks. In the new blade that opens up on the right side, we can turn it on by selecting Selected networks and then add new or existing virtual networks to the Storage Account. In the firewall section, add the IP addresses (all of them must be public) that may access this Storage Account.

Azure firewall

Although it is not a requirement, because we can enable it automatically from the Storage Account side, we can always configure the desired virtual network to support service endpoints by adding it and selecting the subnets that will be supported.

Azure firewall

When adding a new virtual network to any given Storage Account, we can see whether the subnets are already configured. When the information that the service endpoint is required is shown, the process of adding that specific subnet will set it on the virtual network side as well.

Azure firewall

Using a script

The first step is to create a simple JSON file containing two pieces of information: IPAddressOrRange and Action. We are going to save that JSON file in a Storage Account that we are going to use as a repository for our Azure Automation.

In the Azure Runbook, we will create a SAS Token to access the Storage Account for one hour. Then, we are going to download the PublicIPs.json file to the machine that is running the Azure Automation Runbook.

At the beginning of the script, we will load all the public IPs required and define the endpoint with these first two lines of code. After that, we store all the virtual networks in the same geopolitical region (in our case, Canada is comprised of Canada Central and Canada East) in the $VNETs variable.

# Load the allowed public IPs from the JSON file downloaded next to the script
$JSONPublicIPs = Get-Content -Raw -Path (Join-Path (Get-Location).Path "PublicIPs.json") | ConvertFrom-Json
$vEndPoint = "Microsoft.Storage"
# All virtual networks in our geopolitical region (Canada Central and Canada East)
$VNETs = Get-AzVirtualNetwork | Where-Object { ($_.Location -eq "canadacentral") -or ($_.Location -eq "canadaeast") }

The next piece of code loops through the virtual networks, finds their subnets, and configures them to support Azure Storage endpoints.

# Msgbox is a logging helper defined in the author's full script (not shown here)
ForEach ($SingleVNET in $VNETs) {
    $Subnets = $SingleVNET | Get-AzVirtualNetworkSubnetConfig
    ForEach ($SingleSubnet in $Subnets) {
        Msgbox "Updating Virtual Network:" $SingleVNET.Name 0
        # Add the Microsoft.Storage service endpoint to the subnet and write the change back to the virtual network
        $tmp = $SingleVNET | Set-AzVirtualNetworkSubnetConfig -Name $SingleSubnet.Name -AddressPrefix $SingleSubnet.AddressPrefix -ServiceEndpoint $vEndPoint | Set-AzVirtualNetwork
    }
}

Now that all the virtual networks support Storage Account endpoints, our first stage is going to store all Storage Accounts in a variable called $StorageAccounts. We are going to look for all storage accounts in our geopolitical region, skipping the Storage Account supporting the Azure Automation and any Storage Account being used by the system (if a storage account contains the ms-resource-usage tag, we are going to skip it).

$StorageAccounts = Get-AzStorageAccount | Where-Object { (($_.Tags.Keys -notcontains "ms-resource-usage") -and (($_.Location -eq "canadacentral") -or ($_.Location -eq "canadaeast"))) -and ($_.StorageAccountName -ne 'devopsstgaccount') }

The script is comprised of two stages. In the first one, we are going to enable the firewall and configure all IP addresses that we gathered from the JSON file. The code also checks whether there are invalid entries in the JSON file and cleans up unused entries.

ForEach ($SingleStorageAccount in $StorageAccounts) {
    Msgbox "Updating Storage Account: " $SingleStorageAccount.StorageAccountName 0
    # Deny by default: only the listed IPs and virtual networks will be able to reach the account
    $tmp = Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $SingleStorageAccount.ResourceGroupName -Name $SingleStorageAccount.StorageAccountName -DefaultAction Deny
    If ($tmp) { Msgbox "Storage Account (Default Action): " "Configured to Deny (required when using Virtual Network)" 0 }
    # Apply the IP rules loaded from PublicIPs.json; errors are captured instead of stopping the runbook
    $tmp = Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $SingleStorageAccount.ResourceGroupName -Name $SingleStorageAccount.StorageAccountName -IPRule $JSONPublicIPs -ErrorVariable tmpErrorVar -ErrorAction SilentlyContinue
    If ($tmp) { Msgbox "Storage Account (IP Rules): " "Configured from PublicIPs.json" 0 } Else { Msgbox "Storage Account (IP Rules): " ("Failed: " + $tmpErrorVar) 0 }
}

The second stage of the script loops through all Storage Accounts; for each storage account, all virtual networks/subnets are checked against the Storage Account, and if they are not there already, they are added.

ForEach ($SingleStorageAccount in $StorageAccounts) {
    Msgbox "Virtual Network Updates on the following Storage Account: " $SingleStorageAccount.StorageAccountName 0
    $tmpStgRules = $null
    # Current network rule set of the account, used to avoid adding a subnet twice
    $tmpStgRules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $SingleStorageAccount.ResourceGroupName -Name $SingleStorageAccount.StorageAccountName
    ForEach ($SingleVNET in $VNETs) {
        $Subnets = Get-AzVirtualNetwork -Name $SingleVNET.Name | Get-AzVirtualNetworkSubnetConfig
        ForEach ($SingleSubnet in $Subnets) {
            If ($tmpStgRules.VirtualNetworkRules.VirtualNetworkResourceId -notcontains $SingleSubnet.Id) {
                $tmp = Add-AzStorageAccountNetworkRule -ResourceGroupName $SingleStorageAccount.ResourceGroupName -Name $SingleStorageAccount.StorageAccountName -VirtualNetworkResourceId $SingleSubnet.Id
            }
        }
    }
}
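
The first stage above mentions checking the JSON file for invalid entries and cleaning up unused rules, but that part of the code is not shown. The following is an added example (not the author's script) that validates the PublicIPs.json entries and works out which IP rules to add or remove on an account; the sample JSON and the $existing rule list are constructed stand-ins for the downloaded file and for the IpRules of Get-AzStorageAccountNetworkRuleSet.

```powershell
# Added example (not from the original article): validate PublicIPs.json entries and
# compute the IP rules to add or remove, so the runbook stays idempotent between runs.
$SampleJson = @'
[
  { "IPAddressOrRange": "203.0.113.10",    "Action": "Allow" },
  { "IPAddressOrRange": "198.51.100.0/24", "Action": "Allow" },
  { "IPAddressOrRange": "10.0.0.5",        "Action": "Allow" },
  { "IPAddressOrRange": "not-an-ip",       "Action": "Allow" }
]
'@

function Test-PublicIPv4Rule {
    # $true only for entries the storage firewall accepts: public IPv4, optionally with a
    # prefix up to /30 (/31 and /32 must be given as a single address instead)
    param([string]$IPAddressOrRange)
    $ip, $prefix = $IPAddressOrRange -split '/', 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { return $false }
    if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    if ($prefix -and ($prefix -notmatch '^\d+$' -or [int]$prefix -gt 30)) { return $false }
    $o = $parsed.GetAddressBytes()
    # RFC 1918 private ranges are not allowed in storage account IP rules
    if ($o[0] -eq 10) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }
    return $true
}

function Get-IpRuleChanges {
    # Compares the desired (JSON) rules with the rules currently on a storage account
    param([object[]]$Desired, [object[]]$Existing)
    $valid = @($Desired | Where-Object { $_.Action -eq 'Allow' -and (Test-PublicIPv4Rule $_.IPAddressOrRange) })
    $want  = @($valid | ForEach-Object { $_.IPAddressOrRange })
    $have  = @($Existing | ForEach-Object { $_.IPAddressOrRange })
    [pscustomobject]@{
        Invalid  = @($Desired | Where-Object { $_.IPAddressOrRange -notin $want } | ForEach-Object { $_.IPAddressOrRange })
        ToAdd    = @($want | Where-Object { $_ -notin $have })
        ToRemove = @($have | Where-Object { $_ -notin $want })
    }
}

$desired = $SampleJson | ConvertFrom-Json
# Constructed stand-in for (Get-AzStorageAccountNetworkRuleSet ...).IpRules on one account
$existing = @([pscustomobject]@{ IPAddressOrRange = '203.0.113.10' },
              [pscustomobject]@{ IPAddressOrRange = '192.0.2.99' })
$changes = Get-IpRuleChanges -Desired $desired -Existing $existing
$changes
# In the runbook, $changes.ToAdd feeds Add-AzStorageAccountNetworkRule -IPAddressOrRange and
# $changes.ToRemove feeds Remove-AzStorageAccountNetworkRule -IPAddressOrRange for the account
```

Logging the Invalid list from the runbook makes a bad edit to PublicIPs.json visible on the next run instead of silently shrinking the allow list.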

Managing your Azure firewalls and virtual networks: Tweaking and tags

In this article, we went through the process of managing Azure firewalls and virtual networks in a Storage Account and used Azure Automation to enforce security across an entire subscription. Based on your environment, you may need to tweak which virtual networks or Storage Accounts will have their security configured by the script. We can do that by managing the query in the Storage Account and virtual network variables. Keep in mind that tags are your friend when automating things. You could even create logic that reads a tag of a Storage Account to identify which virtual network should be associated.

You can check out the entire script file here.
