In Azure, I have security group rules that allow access to everything from my public IP address. I have a rule for the office and another for home. For sensitive ports such as SSH and RDP, similar rules are the only ones that allow such access. I never allow the entire public Internet to be able to hammer away at these ports. I also create similar rules for HTTP and HTTPS when I am developing an API so that nobody can access these systems except for me.

At home, I have high-speed Internet. Great service but my public IP address changes often, sometimes several times per day. This means I must log in to the Azure Portal and update the security rule. This is simple to do, but I prefer to automate this kind of change. I wrote a Windows batch script to update my home allow rule. I set up Windows Task Scheduler to run this program automatically several times per day.


Collect the following details about your account:

  • Resource Group name.
  • Network Security Group name.
  • Network Security Group rule name to update.
  • The jq command-line tool. [link]

If you do not have a security group rule to update, scroll to the bottom and I show you how to create a rule using the CLI.

For the Update Security Group Rule script below, we need values for several variables:


List Resource Group Names

Select a resource group and store the value in RESOURCE_GROUP.

List Network Security Group Names

Select a network security group and store the value in NSG_NAME.

List Network Security Group Rule Names

Select a network security group rule and store the value in RULE_NAME.

This command does not show the default rules.

List Network Security Group Rule Names, Direction, and Priority

Use this command to see the rule names, direction, and priority, including the default rules, formatted into a table.

The output will be similar to this:

Update Security Group Rule

The following script will update the Source Address Prefixes of an existing security group rule. This script does not change any other values.

For a rule created similar to the one created later in this article by the “Create Network Security Group Rule” script, traffic will be allowed from the public IP address of the machine running the script.

This script calls the endpoint which returns JSON. The CLI tool jq extracts the IP address.

Example data returned by

Windows Script:

Copy the following script to a file. I use the name azure_update_fw_rule_home.bat. Then you can update the Azure network security group firewall rule with your current public IP address by just typing azure_update_fw_rule_home in a Windows Command Prompt. Using command completion means I do not have to type all characters of the file name.

Create Network Security Group Rule

If you do not already have a firewall rule to update, the following script will create a compatible rule allowing all traffic from the public IP address of the computer running this script.

Windows Script:

Future Ideas

This script could be easily run automatically by Windows Task Manager. Windows Central has a good article on how to set up a program to run automatically. Tip: This script uses the credentials from the Azure CLI. When you schedule the script to run, use your Windows user to run the program so that the stored Azure credentials can be used. Consider using an Azure Service Principal as well. On my system, I have the script scheduled to run at 6 AM, Noon, and 6 PM.

This is the script that I use with Windows Task Scheduler. The difference is that I added some logging so that I can check on success or failure.

Note: For the last line I redirect standard error to standard output using 2>&1 which is the same for Windows and Linux (Microsoft copied this from AT&T Unix).

How to Redirect stderr to stdout in Bash

Photography Credits

I write free articles about technology. Recently, I learned about which provides free images. The image in this article is courtesy of Pixabay at Pexels.

Related Posts