public/Whitelist-AzureIPs.ps1
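function Whitelist-AzureIPs {
    <#
    .SYNOPSIS
        Adds an outbound Allow rule for TCP/443 to the published Azure public IP ranges of the
        selected regions on an existing Network Security Group.
    .DESCRIPTION
        Requires a cached AzureRM session (Login-AzureRMAccount) with a subscription selected.
        The current "Azure Datacenter IP Ranges" XML is located by scraping the Microsoft download
        page (the file name changes with every weekly publication), the subnets of the requested
        regions are collected, and a single rule is appended to the NSG and pushed to Azure.
        The published list changes regularly, so the created rule needs periodic refresh.
    .PARAMETER NetworkSecurityGroupName
        Name of the Network Security Group to modify (alias: nsgName).
    .PARAMETER ResourceGroupName
        Resource Group that contains the NSG (alias: rgName).
    .PARAMETER priority
        Priority of the new rule. Azure requires it to be unique within the NSG; Azure rejects
        values outside its supported range when the NSG is saved.
    .PARAMETER RuleName
        Name of the rule to create. Defaults to 'Allow_Azure_IPs'.
    .PARAMETER AzureRegions
        Region names exactly as they appear in the published XML (e.g. the Region/@Name values).
        Names not present in the list are reported with a warning; if none match, the function throws
        rather than creating a rule with no destination.
    .OUTPUTS
        The updated NSG object returned by Set-AzureRmNetworkSecurityGroup.
    .NOTES
        Throws on a missing session/subscription, an unreadable NSG, a download or parse failure,
        an empty IP list, or a failed rule update. The caller's $ErrorActionPreference is restored
        after the download section.
    #>
    param (
        [Parameter(
            HelpMessage = 'Specify the name of the Network Security Group.',
            Mandatory = $true
        )]
        [alias('nsgName')]
        [string]$NetworkSecurityGroupName,

        [Parameter(
            HelpMessage = 'Specify the name of the Resource Group that contains the NSG.',
            Mandatory = $true
        )]
        [alias('rgName')]
        [string]$ResourceGroupName,

        [Parameter(
            HelpMessage = 'Specify the priority of the new rule to be created.',
            Mandatory = $true
        )]
        [int]$priority,

        [Parameter(
            HelpMessage = 'Specify the name of the new rule to be created.',
            Mandatory = $false
        )]
        [string]$RuleName = 'Allow_Azure_IPs',

        [Parameter(
            HelpMessage = 'Specify the Azure Regions, for which you want to whitelist the public ip ranges.',
            Mandatory = $true
        )]
        [string[]]$AzureRegions
    )

    Process {
        # Require a cached AzureRM token and a selected subscription before doing any work.
        $context = Get-AzureRmContext
        if ($null -eq $context.Account) {
            throw "No authentication token found, run < Login-AzureRMAccount > to proceed...exiting."
        }
        if ($null -eq $context.Subscription) {
            throw "No subscrition selected, run < Select-AzureRMSubscription -subscriptionID 'id of target subscription' >...exiting."
        }

        # Resolve the target NSG first so a wrong name fails before any download happens.
        try {
            $nsg = Get-AzureRmNetworkSecurityGroup -Name $NetworkSecurityGroupName `
                -ResourceGroupName $ResourceGroupName -ErrorAction Stop -Verbose
        }
        catch {
            throw "Unable to retrieve NSG with error: $($_.Exception)"
        }

        # Fetch the current Azure public IP ranges. The XML file URI is not stable, so it is taken
        # from the first https://...PublicIps... link on the Microsoft download page (both over HTTPS).
        # The caller's $ErrorActionPreference is saved and restored instead of being forced to 'Continue'.
        $savedErrorActionPreference = $ErrorActionPreference
        try {
            $ErrorActionPreference = 'Stop'
            $downloadUri = "https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653"
            $downloadPage = Invoke-WebRequest -Uri $downloadUri -ErrorAction Stop -Verbose
            $xmlFileUri = ($downloadPage.RawContent.Split('"') -like "https://*PublicIps*")[0]
            if ([string]::IsNullOrEmpty($xmlFileUri)) {
                throw "Could not locate the PublicIps XML link on $downloadUri; the download page layout may have changed."
            }

            $response = Invoke-WebRequest -Uri $xmlFileUri -ErrorAction Stop -Verbose
            # NOTE(review): the [xml] cast parses remotely fetched content; confirm the host's
            # XmlDocument settings do not resolve external entities/DTDs before widening the source.
            [xml]$xmlResponse = [System.Text.Encoding]::UTF8.GetString($response.Content)
            $regions = $xmlResponse.AzurePublicIpAddresses.Region

            # Surface requested regions that are absent from the published list, so a typo does not
            # silently produce a narrower rule than intended.
            $knownRegionNames = @($regions.Name)
            $unknownRegions = @($AzureRegions | Where-Object { $_ -notin $knownRegionNames })
            if ($unknownRegions.Count -gt 0) {
                Write-Warning ("Region(s) not present in the published IP list: {0}" -f ($unknownRegions -join ', '))
            }

            # Collect the subnets in one pass (no per-element array growth); drop null/blank entries
            # so an empty selection is detected instead of being sent to Azure as a prefix list.
            $ipRange = ($regions | Where-Object Name -in $AzureRegions).IpRange.Subnet
            [string[]]$ipList = @($ipRange | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
            if ($ipList.Count -eq 0) {
                throw "No IP ranges found for region(s): $($AzureRegions -join ', ')"
            }
        }
        catch {
            # Re-throw with context instead of writing the exception to the pipeline and using
            # 'break', which outside a loop silently terminates the calling script.
            throw "Unable to build the Azure IP list with error: $($_.Exception)"
        }
        finally {
            $ErrorActionPreference = $savedErrorActionPreference
        }

        # Append the rule and save the NSG. The rule opens outbound TCP/443 only, from any source
        # within the NSG's scope to the collected Azure ranges.
        try {
            $ruleParams = @{
                Name                     = $RuleName
                Direction                = 'Outbound'
                Priority                 = $priority
                Access                   = 'Allow'
                SourceAddressPrefix      = '*'
                SourcePortRange          = '*'
                DestinationPortRange     = '443'
                DestinationAddressPrefix = $ipList
                Protocol                 = 'TCP'
            }
            $rule = $nsg | Add-AzureRmNetworkSecurityRuleConfig @ruleParams -ErrorAction Stop -Verbose
            # Set-AzureRmNetworkSecurityGroup returns the updated NSG; it is the function's output.
            $rule | Set-AzureRmNetworkSecurityGroup -ErrorAction Stop -Verbose
        }
        catch {
            throw "Unable to add rule '$RuleName' to NSG '$NetworkSecurityGroupName' with error: $($_.Exception)"
        }
    } # end process block
} # end function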