Last active
August 10, 2024 18:52
-
-
Save amgdy/71cc1cc299a283731699bbcb44a3a592 to your computer and use it in GitHub Desktop.
Shell script to create an Azure Network Security Group (NSG) for Azure API Management with the internal VNet injection mode
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Description: | |
| # This script creates an Azure Network Security Group (NSG) specifically for Azure API Management | |
| # configured with the "internal" VNet injection mode. This mode allows access only from internal | |
| # sources. The script includes rules for load balancing, storage access, SQL database access, | |
| # Key Vault access, and monitoring services. | |
| # | |
| # Usage: | |
| # The script will prompt for the Azure resource group name, location, and NSG name. | |
| # After entering the required information, the script will create the NSG and | |
| # apply the rules automatically. | |
| echo "---------------------------------------" | |
| echo "NSG Creation Script for Azure API Management - Internal vnet integration" | |
| echo "---------------------------------------" | |
| echo "This script creates an NSG for Azure API Management with the 'internal' VNet injection mode." | |
| echo "You'll be prompted for the resource group name, location, and NSG name." | |
| echo "---------------------------------------" | |
| echo "" | |
| # Input variables | |
| read -p "Enter the resource group name: " resourceGroupName | |
| read -p "Enter the location: " location | |
| read -p "Enter the NSG name for internal rules: " nsgInternal | |
| # Create NSG for Internal Only | |
| az network nsg create --resource-group $resourceGroupName --name $nsgInternal --location $location | |
| # Add rules to Internal Only NSG | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-Load-Balancer" \ | |
| --priority 130 --direction Inbound --access Allow --protocol Tcp --destination-port-ranges 6390 \ | |
| --source-address-prefixes AzureLoadBalancer --destination-address-prefixes VirtualNetwork --description "Azure Infrastructure Load Balancer" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-Storage" \ | |
| --priority 140 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 443 \ | |
| --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage --description "Dependency on Azure Storage for core service functionality" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-SQL" \ | |
| --priority 150 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 1433 \ | |
| --source-address-prefixes VirtualNetwork --destination-address-prefixes SQL --description "Access to Azure SQL endpoints for core service functionality" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-KeyVault" \ | |
| --priority 160 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 443 \ | |
| --source-address-prefixes VirtualNetwork --destination-address-prefixes AzureKeyVault --description "Access to Azure Key Vault for core service functionality" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-Monitor" \ | |
| --priority 170 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 1886 443 \ | |
| --source-address-prefixes VirtualNetwork --destination-address-prefixes AzureMonitor --description "Publish Diagnostics Logs and Metrics, Resource Health, and Application Insights" | |
| echo "Internal-only NSG created successfully!" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Usage Instructions:
To execute this script, you can run it directly from the Azure Cloud Shell or from any Bash environment where the Azure CLI is installed and you're logged in to your Azure account.
If you're using the Azure Cloud Shell, the Azure CLI is already pre-installed and configured, so you can simply copy and paste the following command to run the script:
bash <(curl -sL https://gist.github.com/amgdy/71cc1cc299a283731699bbcb44a3a592/raw/)