2020-11-10

Update Azure-NSG (Network Security Group) Policy with PowerShell

 Prerequisites

  1. Install-Module -Name Az
  2. Connect-AzAccount (the account needs rights to create/delete NSGs and update NICs in the target resource group)
  3. The NSG to be replaced must be named `<prefix>_<anything>`, i.e. the prefix followed by an underscore — the script matches on `<prefix>_*` ($NSG_Head below)

Behavior:

  1. Search for the old NSG whose name matches '<NSG Name>_*'
  2. Ensure that exactly ONE NSG matches; otherwise nothing is changed
  3. Create a new NSG named '<NSG Name>_<date time>'; rule priorities start at 201 (can be adjusted) and an explicit Deny-All is placed at 4096 in each direction
  4. Check that the new NSG was created successfully
  5. Find all NICs attached to the old NSG (subnet associations are not migrated by this script)
  6. Move every NIC found to the new NSG
  7. Remove the old NSG
Sample:
  1. Allow outbound connections to the Azure WVD service tags (plus the platform IPs 169.254.169.254 and 168.63.129.16)
  2. Allow outbound connections to 192.168.0.1
  3. Allow inbound connections from 192.168.0.1 only (the "only" relies on the Deny-All rule at priority 4096 overriding Azure's default AllowVnetInBound rule)


Import-Module -Name Az

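# Stop on the first error. Without this a rule that fails to build (as the
# Deny-All rules below did, because -Description was passed twice) is silently
# dropped from $Rule, and the NSG is created without its Deny-All — leaving
# Azure's default AllowVnetInBound / AllowInternetOutBound rules in effect.
$ErrorActionPreference = 'Stop';

# Name prefix of the NSG to rotate. The script expects exactly one existing NSG
# named "<prefix>_*" and replaces it with "<prefix>_<yyyyMMdd_HHmmss>".
$NSG_Head = 'NSG-SomeName';

# Rules handed to New-AzNetworkSecurityGroup -SecurityRules. Each rule takes the
# current $Priority and post-increments it, so the order in this file is the
# order of precedence (lower number wins). [void] suppresses the index that
# ArrayList.Add() would otherwise print.
$Rule = New-Object System.Collections.ArrayList;

#----- Outbound rules: 201, 202, ... then an explicit Deny-All at 4096
    $Priority = 201;
    $Direction = "Outbound";

# Azure platform service tags needed by the WVD session hosts. All are
# Protocol * / Port *; tighten per service if the workload allows.
# NOTE: "AzureCloud" covers every Azure public IP range and so largely defeats
# the outbound Deny-All below — keep it only if the workload really needs it.
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Description "Azure Service" -Name "Out_AzureActiveDirectory" -Access "Allow" -Protocol * -Direction $Direction -Priority ($Priority++) -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureActiveDirectory" -DestinationPortRange *))
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Description "Azure Service" -Name "Out_GatewayManager" -Access "Allow" -Protocol * -Direction $Direction -Priority ($Priority++) -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "GatewayManager" -DestinationPortRange *))
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Description "Azure Service" -Name "Out_AzureActiveDirectoryDomainServices" -Access "Allow" -Protocol * -Direction $Direction -Priority ($Priority++) -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureActiveDirectoryDomainServices" -DestinationPortRange *))
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Description "Azure Service" -Name "Out_WindowsVirtualDesktop" -Access "Allow" -Protocol * -Direction $Direction -Priority ($Priority++) -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "WindowsVirtualDesktop" -DestinationPortRange *))
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Description "Azure Service" -Name "Out_AzureCloud" -Access "Allow" -Protocol * -Direction $Direction -Priority ($Priority++) -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureCloud" -DestinationPortRange *))
# 169.254.169.254 = Azure Instance Metadata Service; 168.63.129.16 = Azure
# platform virtual IP (DNS, health probes, VM agent). Both are /32.
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Description "Azure Service" -Name "Out_169.254.169.254" -Access "Allow" -Protocol * -Direction $Direction -Priority ($Priority++) -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "169.254.169.254/32" -DestinationPortRange *))
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Description "Azure Service" -Name "Out_168.63.129.16" -Access "Allow" -Protocol * -Direction $Direction -Priority ($Priority++) -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "168.63.129.16/32" -DestinationPortRange *))
# Allowed server (any protocol / port).
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Description "Out-192.168.0.1" -Name "Out-192.168.0.1" -Access "Allow" -Protocol * -Direction $Direction -Priority ($Priority++) -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "192.168.0.1/32" -DestinationPortRange *))
# Deny everything else. Priority 4096 is the lowest custom priority, so it sits
# after every allow above but before the Azure default rules (65000+).
# -Description is given exactly once: passing it twice is a binding error.
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Name "Out-Deny_All" -Description "Deny All" -Access "Deny" -Protocol * -Direction $Direction -Priority 4096 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *))

#----- Inbound rules: 201, ... then an explicit Deny-All at 4096
    $Priority = 201;
    $Direction = "Inbound";

# Allowed server (any protocol / port).
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Description "In-192.168.0.1" -Name "In-192.168.0.1" -Access "Allow" -Protocol * -Direction $Direction -Priority ($Priority++) -SourceAddressPrefix "192.168.0.1/32" -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *))
# Deny everything else inbound, including traffic from the rest of the VNet
# that the default AllowVnetInBound rule would otherwise admit.
[void]$Rule.Add((New-AzNetworkSecurityRuleConfig -Name "In-Deny_All" -Description "Deny All" -Access "Deny" -Protocol * -Direction $Direction -Priority 4096 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *))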

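#----- Process start

# Any failed step must abort before Remove-AzNetworkSecurityGroup is reached.
$ErrorActionPreference = 'Stop';

# Refuse to roll out a rule set without an explicit Deny rule in each
# direction; without one, Azure's default AllowVnetInBound /
# AllowInternetOutBound rules stay in effect and the NSG is far more
# permissive than intended.
foreach ($Dir in @('Inbound', 'Outbound')) {
    $DenyRules = @($Rule | Where-Object { $_.Direction -eq $Dir -and $_.Access -eq 'Deny' });
    if ($DenyRules.Count -eq 0) {
        throw ('No explicit Deny rule for ' + $Dir + ' traffic in $Rule; refusing to continue.');
    }
}

# Locate the NSG to replace: exactly one "<prefix>_*" in the subscription.
# @() forces an array so .Count is 0/1/n regardless of how many matched.
$FoundNSG = @(Get-AzNetworkSecurityGroup |
    Where-Object { $_.Name -like ($NSG_Head + '_*') } |
    Select-Object Name, ResourceGroupName, Location);

if ($FoundNSG.Count -ne 1) {
    $Matches = ($FoundNSG | ForEach-Object { $_.ResourceGroupName + '/' + $_.Name }) -join ', ';
    Write-Warning ('Expected exactly one NSG named ' + $NSG_Head + '_* but found ' + $FoundNSG.Count + ': ' + $Matches);
    return;
}

$Old = $FoundNSG[0];
$OldNSG_Name = $Old.Name;
$NewNSG_Name = ($NSG_Head + '_' + (Get-Date -Format 'yyyyMMdd_HHmmss'));
Write-Host ('OldNSG_Name: ' + $OldNSG_Name)
Write-Host ('NewNSG_Name: ' + $NewNSG_Name)

# Re-read the old NSG scoped to its resource group, so a same-named NSG in
# another resource group can never be picked up by accident.
$OldNSG = Get-AzNetworkSecurityGroup -Name $OldNSG_Name -ResourceGroupName $Old.ResourceGroupName;

# Only NIC associations are migrated below. If the NSG is also bound to a
# subnet, stop now: the subnet would silently keep the old policy and the
# final Remove-AzNetworkSecurityGroup would fail anyway.
if (@($OldNSG.Subnets).Count -gt 0) {
    Write-Warning ('NSG ' + $OldNSG_Name + ' is associated with ' + @($OldNSG.Subnets).Count + ' subnet(s); move those to the new NSG manually before running this script.');
    return;
}

# -Force: do not prompt if a same-named NSG already exists (it is overwritten).
$NewNSG = New-AzNetworkSecurityGroup -ResourceGroupName $Old.ResourceGroupName -Location $Old.Location -Name $NewNSG_Name -SecurityRules $Rule -Force;
if ($null -eq $NewNSG) {
    throw ('Failed to create NSG ' + $NewNSG_Name);
}

# Move every NIC to the new NSG. With $ErrorActionPreference = 'Stop' a failed
# Set-AzNetworkInterface aborts here, before the old NSG is removed.
foreach ($NicRef in $OldNSG.NetworkInterfaces) {
    $Interface = Get-AzResource -ResourceId $NicRef.Id;
    $NIC_To_Modify = Get-AzNetworkInterface -Name $Interface.Name -ResourceGroupName $Interface.ResourceGroupName;
    $NIC_To_Modify.NetworkSecurityGroup = $NewNSG;
    [void]($NIC_To_Modify | Set-AzNetworkInterface);
    Write-Host ('Moved NIC ' + $Interface.Name + ' to ' + $NewNSG_Name)
}

# Re-check before deleting: refuse if anything still references the old NSG
# (Azure rejects deletion of an in-use NSG, but fail with a clear message).
$OldNSG = Get-AzNetworkSecurityGroup -Name $OldNSG_Name -ResourceGroupName $Old.ResourceGroupName;
if (@($OldNSG.NetworkInterfaces).Count -gt 0 -or @($OldNSG.Subnets).Count -gt 0) {
    throw ('NSG ' + $OldNSG_Name + ' is still in use; not removing it.');
}
# -ResourceGroupName is required here; without it the cmdlet prompts for it.
Remove-AzNetworkSecurityGroup -Name $OldNSG_Name -ResourceGroupName $Old.ResourceGroupName -Force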
