In some Azure environments the organization limits the outbound internet traffic from its servers. There are still scenarios where you need to reach Azure PaaS services (blob storage, Azure SQL Database, etc.). You then have to block access to the internet and allow only the Azure IP ranges Microsoft reserved for a specific Azure datacenter. To make that workable I wrote a script that generates the Network Security Group rules, in ARM format, that give access to the Azure services.
To block access to the internet, add the following outbound Deny rule to your NSG (ARM format). Its priority of 4000 leaves room for the Allow rules generated below, which start at priority 400 and are therefore evaluated first:

```json
{
  "name": "NO-INTERNET-ACCESS",
  "properties": {
    "protocol": "*",
    "sourcePortRange": "*",
    "destinationPortRange": "*",
    "sourceAddressPrefix": "*",
    "destinationAddressPrefix": "Internet",
    "access": "Deny",
    "priority": 4000,
    "direction": "Outbound"
  }
}
```
The next step is to generate the Allow rules from the list of Azure datacenter IP ranges:

```powershell
# Download current list of Azure Public IP ranges
# See this link for latest list
$downloadUri = "https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653"
$downloadPage = Invoke-WebRequest -Uri $downloadUri -UseBasicParsing
$xmlFileUri = ($downloadPage.RawContent.Split('"') -like "https://*PublicIps*")[0]
$response = Invoke-WebRequest -Uri $xmlFileUri -UseBasicParsing

# Get list of regions & public IP ranges
[xml]$xmlResponse = [System.Text.Encoding]::UTF8.GetString($response.Content)
$regions = $xmlResponse.AzurePublicIpAddresses.Region

# Select Azure regions for which to define NSG rules
$ipRange = ($regions | Where-Object Name -In 'europewest').IpRange

$nsgtemplates = @()
$rulePriority = 400
ForEach ($subnet in $ipRange.Subnet) {
    # JSON template for one ARM security rule; the placeholders are filled in below
    $stringrule = @"
{
  "name": "_NAME",
  "properties": {
    "description": "_DESCRIPTION",
    "protocol": "_PROTOCOL",
    "sourcePortRange": "_SOURCEPORTRANGE",
    "destinationPortRange": "_DESTINATIONPORTRANGE",
    "sourceAddressPrefix": "_SOURCEADDRESSPREFIX",
    "destinationAddressPrefix": "_DESTINATIONADDRESSPREFIX",
    "access": "_ACCESS",
    "priority": _PRIORITY,
    "direction": "_DIRECTION"
  }
}
"@
    $ruleName = "Allow_Azure_Out_" + $subnet.Replace("/", "-")
    $stringrule = $stringrule -Replace ("_NAME", $ruleName)
    $stringrule = $stringrule -Replace ("_DESCRIPTION", "Allow outbound to Azure $subnet")
    $stringrule = $stringrule -Replace ("_PROTOCOL", '*')
    $stringrule = $stringrule -Replace ("_SOURCEPORTRANGE", '*')
    $stringrule = $stringrule -Replace ("_DESTINATIONPORTRANGE", '*')
    $stringrule = $stringrule -Replace ("_SOURCEADDRESSPREFIX", 'VirtualNetwork')
    $stringrule = $stringrule -Replace ("_DESTINATIONADDRESSPREFIX", "$subnet")
    $stringrule = $stringrule -Replace ("_ACCESS", 'Allow')
    $stringrule = $stringrule -Replace ("_PRIORITY", $rulePriority)
    $stringrule = $stringrule -Replace ("_DIRECTION", 'Outbound')
    $nsgtemplates += $stringrule
    $rulePriority++
}

# Comma-separated rules, ready to paste into the ARM template
$nsgtemplatesreplace = [string]::Join(',', $nsgtemplates)
$nsgtemplatesreplace
```
Now you have the rules for the specific datacenter (in this case West Europe) in the $nsgtemplatesreplace variable. Add them to the ARM template and you are ready to deploy by hand. Or, when doing Infrastructure as Code, merge them into your build script together with your ARM deployment template so that you always deploy the latest rules.
Some of the Azure datacenters have more than 200 IP ranges. In that case you have to raise the limit on the allowed number of NSG rules to 400. Limits…
The script is based on step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell, which lets you do this with PowerShell.
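An added example (not the script from the post or from the linked article) that builds the same Allow rules as objects instead of string templates, appends the NO-INTERNET-ACCESS Deny rule, and fails fast when the generated rule count would exceed the NSG rule limit mentioned above or when the Allow priorities would reach the Deny priority. The sample XML and the function names are constructed for this example; point it at the downloaded PublicIps file for real use.

```powershell
# Added example, not the post's script: build the Allow rules as objects, append
# the NO-INTERNET-ACCESS Deny rule and refuse to emit a rule set that does not
# fit in the NSG. $sampleXml is a constructed stand-in for the PublicIps file
# (documentation prefixes, not real Azure ranges); function names are invented.
[xml]$sampleXml = @"
<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="203.0.113.0/24" />
    <IpRange Subnet="198.51.100.0/25" />
  </Region>
  <Region Name="europenorth"><IpRange Subnet="192.0.2.0/24" /></Region>
</AzurePublicIpAddresses>
"@
function New-NsgOutboundRule($Name, $Description, $Source, $Destination, $Access, $Priority) {
    [ordered]@{
        name       = $Name
        properties = [ordered]@{
            description = $Description; protocol = '*'
            sourcePortRange = '*'; destinationPortRange = '*'
            sourceAddressPrefix = $Source; destinationAddressPrefix = $Destination
            access = $Access; priority = $Priority; direction = 'Outbound'
        }
    }
}
# $MaxRules: NSG rule limit (200, or 400 once raised); priorities 400/4000 as in the post.
function New-AzureOutboundNsgRules([xml]$IpRangeXml, [string[]]$RegionName,
        [int]$StartPriority = 400, [int]$DenyPriority = 4000, [int]$MaxRules = 200) {
    $subnets = @($IpRangeXml.AzurePublicIpAddresses.Region |
        Where-Object Name -In $RegionName |
        ForEach-Object { $_.IpRange } | ForEach-Object { $_.Subnet })
    if ($subnets.Count -eq 0) { throw "No IP ranges found for: $RegionName" }
    # Every Allow rule plus the final Deny rule counts against the NSG limit.
    if ($subnets.Count + 1 -gt $MaxRules) {
        throw "$($subnets.Count + 1) rules needed, NSG limit is $MaxRules"
    }
    # Allow priorities must stay below the Deny rule so they are matched first.
    if ($StartPriority + $subnets.Count - 1 -ge $DenyPriority) {
        throw "Allow priorities would reach the Deny priority $DenyPriority"
    }
    $rules = @()
    for ($i = 0; $i -lt $subnets.Count; $i++) {
        $rules += New-NsgOutboundRule ('Allow_Azure_Out_' + $subnets[$i].Replace('/', '-')) `
            "Allow outbound to Azure $($subnets[$i])" 'VirtualNetwork' $subnets[$i] 'Allow' ($StartPriority + $i)
    }
    $rules += New-NsgOutboundRule 'NO-INTERNET-ACCESS' 'Block all other outbound internet traffic' `
        '*' 'Internet' 'Deny' $DenyPriority
    return $rules
}
# Emit the JSON array to paste into the ARM template's securityRules.
ConvertTo-Json -InputObject (New-AzureOutboundNsgRules $sampleXml 'europewest') -Depth 4
```

With the sample file this prints three rules: two Allow rules at priorities 400 and 401 and the Deny rule at 4000; with the real file for a large region and the default $MaxRules of 200 it stops with an error instead of producing a template the deployment would reject.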
Thanks for such a useful post! I took a look at your blog; it's really great. Keep up the good work.