Access Azure PAAS without internet access

Generate ARM NSG rules to allow access to an Azure datacenter


In some Azure environments the organization limits outbound internet traffic from its servers. There are still scenarios where those servers need to reach Azure PaaS services (blob storage, Azure SQL Database and so on), and because those services sit on public Azure IP addresses, a blanket "no internet" rule blocks them too. The approach is to deny outbound traffic to the internet and then explicitly allow the public IP ranges Microsoft has reserved for the specific Azure datacenter (region) your PaaS services live in. To make that workable I wrote a script that generates the Network Security Group rules in ARM template format from Microsoft's published list of Azure public IP ranges.


To block access to the internet, add the following rule to your NSG (ARM format). The built-in default rule AllowInternetOutBound has priority 65001, so a Deny at priority 4000 overrides it while leaving plenty of lower (higher-precedence) priorities free for the Allow rules generated below:

{
    "name": "NO-INTERNET-ACCESS",
    "properties": {
        "protocol": "*",
        "sourcePortRange": "*",
        "destinationPortRange": "*",
        "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "Internet",
        "access": "Deny",
        "priority": 4000,
        "direction": "Outbound"
    }
}

The next step is to generate Allow rules from the list of Azure datacenter IP ranges. Microsoft publishes the list as an XML file (PublicIps_*.xml) behind a download page; the script scrapes the actual file URL from that page, parses the XML and emits one outbound Allow rule per subnet of the selected region:

# Download the current list of Azure public IP ranges.
# The download page links to a dated PublicIps_*.xml file; pick that link out of the HTML.
$downloadUri =  "https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653"
$downloadPage = Invoke-WebRequest -Uri $downloadUri  -UseBasicParsing
$xmlFileUri =   ($downloadPage.RawContent.Split('"') -like "https://*PublicIps*")[0]
$response =     Invoke-WebRequest -Uri $xmlFileUri  -UseBasicParsing

# Parse the XML: <AzurePublicIpAddresses><Region Name="..."><IpRange Subnet="x.x.x.x/nn" />...
[xml]$xmlResponse = [System.Text.Encoding]::UTF8.GetString($response.Content)
$regions = $xmlResponse.AzurePublicIpAddresses.Region

# Select the Azure region(s) for which to define NSG rules ('europewest' is West Europe)
$ipRange = ($regions | Where-Object Name -In 'europewest' ).IpRange
$nsgtemplates = @()
# Allow rules start at 400, well below the Deny rule at 4000, so they take precedence
$rulePriority = 400
ForEach ($subnet in $ipRange.Subnet){
    # Rule template; the _PLACEHOLDER tokens are filled in per subnet below
    $stringrule= @"
{
  "name": "_NAME",
  "properties": {
  "description": "_DESCRIPTION",
  "protocol": "_PROTOCOL",
  "sourcePortRange": "_SOURCEPORTRANGE",
  "destinationPortRange": "_DESTINATIONPORTRANGE",
  "sourceAddressPrefix": "_SOURCEADDRESSPREFIX",
  "destinationAddressPrefix": "_DESTINATIONADDRESSPREFIX",
  "access": "_ACCESS",
  "priority": _PRIORITY,
  "direction": "_DIRECTION"
 }
}
"@
    # Rule names may not contain '/', so 13.69.0.0/17 becomes Allow_Azure_Out_13.69.0.0-17
    $ruleName = "Allow_Azure_Out_" + $subnet.Replace("/","-")
    $stringrule = $stringrule -Replace ("_NAME", $ruleName)
    $stringrule = $stringrule -Replace ("_DESCRIPTION", "Allow outbound to Azure $subnet" )
    $stringrule = $stringrule -Replace ("_PROTOCOL", '*')
    $stringrule = $stringrule -Replace ("_SOURCEPORTRANGE", '*')
    $stringrule = $stringrule -Replace ("_DESTINATIONPORTRANGE", '*')
    $stringrule = $stringrule -Replace ("_SOURCEADDRESSPREFIX", 'VirtualNetwork')
    $stringrule = $stringrule -Replace ("_DESTINATIONADDRESSPREFIX", "$subnet")
    $stringrule = $stringrule -Replace ("_ACCESS", 'Allow')
    $stringrule = $stringrule -Replace ("_PRIORITY", $rulePriority)
    $stringrule = $stringrule -Replace ("_DIRECTION", 'Outbound')
    $nsgtemplates += $stringrule
    $rulePriority++
}

# Join the rules with commas so the result can be pasted straight into a securityRules array
$nsgtemplatesreplace = [string]::Join(',',$nsgtemplates)

$nsgtemplatesreplace

Now you have the rules for the specific datacenter (in this case West Europe) in the $nsgtemplatesreplace variable. Paste them into the securityRules array of your ARM template and you are ready to deploy by hand. Or, when doing Infrastructure as Code, merge them into your ARM deployment template from your build script so every deployment carries the latest list. Be aware of what these rules actually open: the region's public IP ranges are shared by every Azure service and every customer's VMs in that region, not only your PaaS endpoints, so the generated rules allow outbound traffic to any public Azure address in West Europe on any port. Narrow destinationPortRange to the ports you need (443 for blob storage, 1433 for Azure SQL Database) if your policy requires it; newer NSG versions also offer service tags such as Storage.WestEurope and Sql.WestEurope that express the same intent in a single rule.

Some of the Azure datacenters have more than 200 IP ranges. In that case you have to raise the limit on the number of rules per NSG from the default of 200 to 400. Limits…
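To show how the generated rules, the Deny rule and the rule limit fit together in a build script, here is an added example (not the original post's script) that builds a complete NSG resource as PowerShell objects instead of string templates and converts it to JSON. It parses an embedded, constructed copy of the PublicIps XML so it runs offline; the region subnets, the NSG name 'nsg-no-internet', the apiVersion and the port choice are assumptions for illustration, not values taken from the post.

```powershell
# Added example, not from the original post. Constructed sample of the PublicIps XML
# (same layout as Microsoft's file; the subnets below are made up).
[xml]$publicIps = @"
<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="13.69.0.0/17" />
    <IpRange Subnet="13.73.128.0/18" />
    <IpRange Subnet="40.68.0.0/16" />
  </Region>
  <Region Name="europenorth">
    <IpRange Subnet="13.69.128.0/17" />
  </Region>
</AzurePublicIpAddresses>
"@

function New-NsgRule {
    param(
        [string]$Name, [string]$Description, [string]$Destination,
        [string]$DestinationPort, [string]$Access, [int]$Priority
    )
    # [ordered] keeps the JSON property order stable between runs (nicer diffs in source control)
    return [ordered]@{
        name       = $Name
        properties = [ordered]@{
            description              = $Description
            protocol                 = '*'
            sourcePortRange          = '*'
            destinationPortRange     = $DestinationPort
            sourceAddressPrefix      = 'VirtualNetwork'
            destinationAddressPrefix = $Destination
            access                   = $Access
            priority                 = $Priority
            direction                = 'Outbound'
        }
    }
}

function New-AzureRegionNsg {
    param(
        [xml]$PublicIps,
        [string]$RegionName,
        [string]$NsgName,
        [string]$DestinationPort = '*',   # narrow to e.g. '443' for blob storage over HTTPS
        [int]$RuleLimit = 200,            # default rules-per-NSG limit; 400 once raised via support
        [int]$FirstPriority = 400
    )
    $region = $PublicIps.AzurePublicIpAddresses.Region | Where-Object Name -eq $RegionName
    if (-not $region) { throw "Region '$RegionName' not found in the PublicIps XML" }

    $rules = @()
    $priority = $FirstPriority
    foreach ($subnet in $region.IpRange.Subnet) {
        $rules += New-NsgRule -Name ("Allow_Azure_Out_" + $subnet.Replace('/', '-')) `
            -Description "Allow outbound to Azure $subnet" -Destination $subnet `
            -DestinationPort $DestinationPort -Access 'Allow' -Priority $priority
        $priority++
    }
    # The catch-all Deny goes last at 4000; every Allow above has a lower number and wins
    $rules += New-NsgRule -Name 'NO-INTERNET-ACCESS' -Description 'Block all other outbound internet traffic' `
        -Destination 'Internet' -DestinationPort '*' -Access 'Deny' -Priority 4000

    # Fail the build instead of producing a template the deployment will reject
    if ($rules.Count -gt $RuleLimit) {
        throw "Region $RegionName needs $($rules.Count) rules, which exceeds the NSG limit of $RuleLimit"
    }

    # apiVersion is an assumption here; use the one your template already targets
    return [ordered]@{
        type       = 'Microsoft.Network/networkSecurityGroups'
        apiVersion = '2016-03-30'
        name       = $NsgName
        location   = '[resourceGroup().location]'
        properties = @{ securityRules = $rules }
    }
}

# Emit a West Europe NSG that only allows HTTPS to Azure addresses, then denies the rest
$nsg = New-AzureRegionNsg -PublicIps $publicIps -RegionName 'europewest' `
    -NsgName 'nsg-no-internet' -DestinationPort '443'
$nsg | ConvertTo-Json -Depth 10
```

Drop the resulting object into the resources array of your ARM template, or replace the embedded XML with the downloaded file from the script above to regenerate the NSG on every build. Because the Deny rule is appended inside the same function, the rule count that is checked against the limit is the real total, including the Deny rule.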

The script is based on the Microsoft article step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell, which shows how to create the same rules directly with PowerShell instead of generating an ARM template.
