Last active
August 10, 2024 18:53
-
-
Save amgdy/a70a43bc8fd104691f8dffc2fb05becc to your computer and use it in GitHub Desktop.
Shell script to create an Azure Network Security Group (NSG) for Azure API Management with the *external* VNet injection mode.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Description: | |
| # This script creates an Azure Network Security Group (NSG) specifically for Azure API Management | |
| # configured with the "external" VNet injection mode. This mode allows access from both external | |
| # and internal sources. The script includes rules for API management, load balancing, storage access, | |
| # SQL database access, Key Vault access, and monitoring services. | |
| # | |
| # Usage: | |
| # The script will prompt for the Azure resource group name, location, and NSG name. | |
| # After entering the required information, the script will create the NSG and | |
| # apply the rules automatically. | |
| echo "---------------------------------------" | |
| echo "NSG Creation Script for Azure API Management - External vnet" | |
| echo "---------------------------------------" | |
| echo "This script creates an NSG for Azure API Management with the 'external' VNet injection mode." | |
| echo "You'll be prompted for the resource group name, location, and NSG name." | |
| echo "---------------------------------------" | |
| echo "" | |
| # Input variables | |
| read -p "Enter the resource group name: " resourceGroupName | |
| read -p "Enter the location: " location | |
| read -p "Enter the NSG name for external rules: " nsgExternal | |
| # Create NSG for External Rules | |
| az network nsg create --resource-group $resourceGroupName --name $nsgExternal --location $location | |
| # Add rules for External NSG | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgExternal --name "Allow-API-Management" \ | |
| --priority 100 --direction Inbound --access Allow --protocol Tcp --destination-port-ranges 80 443 \ | |
| --source-address-prefixes Internet --destination-address-prefixes VirtualNetwork --description "Client communication to API Management" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgExternal --name "Allow-Azure-Traffic-Manager" \ | |
| --priority 110 --direction Inbound --access Allow --protocol Tcp --destination-port-ranges 443 \ | |
| --source-address-prefixes Internet --destination-address-prefixes VirtualNetwork --description "Azure Traffic Manager routing for multi-region deployment" | |
| # Add rules for Internal & External NSG | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgExternal --name "Allow-API-Management-Internal" \ | |
| --priority 120 --direction Inbound --access Allow --protocol Tcp --destination-port-ranges 3443 \ | |
| --source-address-prefixes ApiManagement --destination-address-prefixes VirtualNetwork --description "Management endpoint for Azure portal and PowerShell" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgExternal --name "Allow-Load-Balancer" \ | |
| --priority 130 --direction Inbound --access Allow --protocol Tcp --destination-port-ranges 6390 \ | |
| --source-address-prefixes AzureLoadBalancer --destination-address-prefixes VirtualNetwork --description "Azure Infrastructure Load Balancer" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgExternal --name "Allow-Storage" \ | |
| --priority 140 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 443 \ | |
| --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage --description "Dependency on Azure Storage for core service functionality" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgExternal --name "Allow-SQL" \ | |
| --priority 150 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 1433 \ | |
| --source-address-prefixes VirtualNetwork --destination-address-prefixes SQL --description "Access to Azure SQL endpoints for core service functionality" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgExternal --name "Allow-KeyVault" \ | |
| --priority 160 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 443 \ | |
| --source-address-prefixes VirtualNetwork --destination-address-prefixes AzureKeyVault --description "Access to Azure Key Vault for core service functionality" | |
| az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgExternal --name "Allow-Monitor" \ | |
| --priority 170 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 1886 443 \ | |
| --source-address-prefixes VirtualNetwork --destination-address-prefixes AzureMonitor --description "Publish Diagnostics Logs and Metrics, Resource Health, and Application Insights" | |
| echo "External NSG with external rules created successfully!" | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Usage Instructions:
To execute this script, you can run it directly from the Azure Cloud Shell or from any Bash environment where the Azure CLI is installed and you're logged in to your Azure account.
If you're using the Azure Cloud Shell, the Azure CLI is already pre-installed and configured, so you can simply copy and paste the following command to run the script:
bash <(curl -sL https://gist.github.com/amgdy/a70a43bc8fd104691f8dffc2fb05becc/raw/)