Introduction

In Azure, I have network security group (NSG) rules that allow access to everything from my public IP address: one rule for the office and another for home. For sensitive ports such as SSH and RDP, rules like these are the only ones that allow access at all; I never let the entire public Internet hammer away at those ports. I create similar rules for HTTP and HTTPS while I am developing an API, so that nobody but me can reach those systems.

At home, I have high-speed Internet. Great service, but my public IP address changes often, sometimes several times a day. Each change means logging in to the Azure Portal and updating the security rule. That is simple to do, but I prefer to automate this kind of change, so I wrote a Windows batch script that updates my home allow rule and set up Windows Task Scheduler to run it automatically several times a day.

Preparation

Collect the following details about your account:

  • Resource Group name.
  • Network Security Group name.
  • Network Security Group rule name to update.

You also need the jq command-line tool (https://jqlang.github.io/jq/); the scripts use it to pull the address out of the JSON returned by the IP lookup service.

If you do not have a security group rule to update, the “Create Network Security Group Rule” section below shows how to create one with the CLI.

For the Update Security Group Rule script below, we need values for several variables:

  • RESOURCE_GROUP
  • NSG_NAME
  • RULE_NAME

List Resource Group Names

Select a resource group and store the value in RESOURCE_GROUP.

az group list --query "[].name"

List Network Security Group Names

Select a network security group and store the value in NSG_NAME.

az network nsg list --resource-group %RESOURCE_GROUP% --query "[].name"

List Network Security Group Rule Names

Select a network security group rule and store the value in RULE_NAME.

This command does not show the default rules.

az network nsg rule list --resource-group %RESOURCE_GROUP% --nsg-name %NSG_NAME% --query "[].name"

List Network Security Group Rule Names, Direction, and Priority

Use this command to see the rule names, direction, and priority, including the default rules, formatted into a table.

az network nsg rule list --resource-group %RESOURCE_GROUP% --nsg-name %NSG_NAME% --include-default --query "[].{Name:name, Direction:direction, Priority:priority}" --output table

The output will be similar to this:

Name                           Direction    Priority
-----------------------------  -----------  ----------
Home-All-Traffic               Inbound      100
http                           Inbound      110
https                          Inbound      120
AllowVnetInBound               Inbound      65000
AllowAzureLoadBalancerInBound  Inbound      65001
DenyAllInBound                 Inbound      65500
AllowVnetOutBound              Outbound     65000
AllowInternetOutBound          Outbound     65001
DenyAllOutBound                Outbound     65500

Update Security Group Rule

The following script updates the Source Address Prefixes of an existing security group rule and changes nothing else.

For a rule like the one created later in this article by the “Create Network Security Group Rule” script, the result is that traffic is allowed from the public IP address of the machine running the script.

The script calls https://ipinfo.io, which returns JSON; jq extracts the ip field. Whatever that endpoint returns ends up as the source of an Allow rule, so fetch it over HTTPS only (an http:// fetch lets anyone on the path choose which address you allow-list) and do not call az if the lookup produced nothing. The endpoint is unauthenticated and rate limited (note the readme field in the sample below), so a failed lookup is a realistic case, not a corner case.

Example data returned by ipinfo.io:

{
  "ip": "97.113.238.135",
  "hostname": "97-113-238-135.tukw.qwest.net",
  "city": "Seattle",
  "region": "Washington",
  "country": "US",
  "loc": "",
  "org": "AS209 CenturyLink Communications, LLC",
  "postal": "98111",
  "timezone": "America/Los_Angeles",
  "readme": "https://ipinfo.io/missingauth"
}

Windows Script:

Copy the following script to a file; I use the name azure_update_fw_rule_home.bat. You can then update the Azure network security group firewall rule with your current public IP address just by typing azure_update_fw_rule_home in a Windows Command Prompt. With command completion I do not have to type the whole file name.

@rem Values to fill in for your subscription
@set RESOURCE_GROUP=REPLACE_ME
@set NSG_NAME=REPLACE_ME
@set RULE_NAME=REPLACE_ME
@set FILENAME=myip.txt

@rem Fetch the public IP over HTTPS into a file, then read it into MYIP
@set MYIP=
@curl -s https://ipinfo.io | jq -r ".ip" > %FILENAME%
@set /p MYIP=<%FILENAME%
@rem Fail closed: never call az with an empty source prefix
@if "%MYIP%"=="" (echo Could not determine public IP & exit /b 1)

az network nsg rule update ^
--resource-group %RESOURCE_GROUP% ^
--nsg-name %NSG_NAME% ^
--name %RULE_NAME% ^
--source-address-prefixes %MYIP%

Create Network Security Group Rule

If you do not already have a firewall rule to update, the following script creates a compatible inbound rule allowing all TCP traffic (every destination port) from the public IP address of the computer running the script. Pick a RULE_PRIORITY between 100 and 4096 that no other rule in the NSG uses; lower numbers are evaluated first, and the rule must sort ahead of any Deny rule that would otherwise block the traffic.

Windows Script:

@rem Values to fill in for your subscription
@set RESOURCE_GROUP=REPLACE_ME
@set NSG_NAME=REPLACE_ME
@set RULE_NAME=REPLACE_ME
@set RULE_PRIORITY=REPLACE_ME
@set FILENAME=myip.txt

@rem Fetch the public IP over HTTPS into a file, then read it into MYIP
@set MYIP=
@curl -s https://ipinfo.io | jq -r ".ip" > %FILENAME%
@set /p MYIP=<%FILENAME%
@rem Fail closed: never create a rule with an empty source prefix
@if "%MYIP%"=="" (echo Could not determine public IP & exit /b 1)

az network nsg rule create ^
--resource-group %RESOURCE_GROUP% ^
--nsg-name %NSG_NAME% ^
--name %RULE_NAME% ^
--direction Inbound ^
--priority %RULE_PRIORITY% ^
--source-address-prefixes %MYIP% ^
--source-port-ranges "*" ^
--destination-address-prefixes "*" ^
--destination-port-ranges "*" ^
--access Allow ^
--protocol Tcp ^
--description "Allow all TCP access from home"

Future Ideas

This script can easily be run automatically by Windows Task Scheduler. Windows Central has a good article on how to set up a program to run automatically. Tip: the script uses the credentials stored by the Azure CLI (az login). When you schedule it, run the task as your own Windows user so that those stored credentials are available. Better still, log the task in as an Azure service principal whose role assignment is scoped to just this network security group (Network Contributor at the NSG's own resource scope is enough to edit its rules), so the scheduled job does not carry your whole account's permissions. Keep in mind that between runs the rule still allows whichever address your ISP last gave you, so run it often enough to keep that window short. On my system, I have the script scheduled to run at 6 AM, Noon, and 6 PM.
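One way to give the scheduled job its own narrowly scoped identity, as an added example rather than the author's setup: create a service principal whose only role assignment is Network Contributor on the one NSG, store its secret in a file readable only by the job's user, and log in non-interactively from that file. It is written for a POSIX shell (WSL, Git Bash or a Linux host); the az commands themselves are the same in a Windows Command Prompt. The subscription ID placeholder, the service principal name and the credential file path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): a service principal that can edit the
# rules of ONE network security group and nothing else in the subscription.
set -eu

# Placeholders: replace with your own values.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-REPLACE_ME}"
NSG_NAME="${NSG_NAME:-REPLACE_ME}"
SP_NAME="${SP_NAME:-nsg-home-ip-updater}"          # assumed display name
CRED_FILE="${CRED_FILE:-$HOME/.azure-nsg-updater.json}"  # assumed path

# Resource ID of the NSG: the narrowest scope at which the role can be assigned.
nsg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/networkSecurityGroups/%s' \
    "$1" "$2" "$3"
}

# Network Contributor assigned at the NSG's own scope. The JSON that az prints
# (appId, password, tenant) is the only copy of the secret, so it goes straight
# into a file created with mode 0600 and is never echoed to the terminal.
create_sp() {
  umask 077
  az ad sp create-for-rbac --name "$SP_NAME" \
    --role "Network Contributor" \
    --scopes "$(nsg_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$NSG_NAME")" \
    --output json > "$CRED_FILE"
}

# Non-interactive login for the scheduled job, reading the stored secret.
login_sp() {
  az login --service-principal \
    --username "$(jq -r .appId "$CRED_FILE")" \
    --password "$(jq -r .password "$CRED_FILE")" \
    --tenant "$(jq -r .tenant "$CRED_FILE")" \
    --output none
}

case "${1:-}" in
  create) create_sp ;;   # run once, as a user who can assign roles on the NSG
  login)  login_sp ;;    # run at the start of each scheduled job
  *)      : ;;           # no argument: only define the functions
esac
```

Run `sh nsg_sp.sh create` once from an account that can create role assignments, then have the scheduled job call `sh nsg_sp.sh login` before the update script. If the secret ever leaks, the blast radius is one NSG; rotate it with `az ad sp credential reset` and overwrite the credential file.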

This is the script that I use with Windows Task Scheduler. The difference is that I added some logging so that I can check on success or failure.

Note: on the last line I redirect standard error to standard output with 2>&1, which works the same on Windows and Linux (Microsoft copied this from AT&T Unix; see “How to Redirect stderr to stdout in Bash”).

@set RESOURCE_GROUP=REPLACE_ME
@set NSG_NAME=REPLACE_ME
@set RULE_NAME=REPLACE_ME

@set FILENAME=c:\tmp\myip.txt
@set LOGFILE=c:\bin\azure_update_home_fw_rule.log

@rem Fetch the public IP over HTTPS into a file, then read it into MYIP
@set MYIP=
@curl -s https://ipinfo.io | jq -r ".ip" > %FILENAME%
@set /p MYIP=<%FILENAME%
date /t >> %LOGFILE%
time /t >> %LOGFILE%
echo %MYIP% >> %LOGFILE%
@rem Fail closed: log the failure and leave the rule unchanged
@if "%MYIP%"=="" (echo Could not determine public IP >> %LOGFILE% & exit /b 1)

az network nsg rule update ^
--resource-group %RESOURCE_GROUP% ^
--nsg-name %NSG_NAME% ^
--name %RULE_NAME% ^
--source-address-prefixes %MYIP% >> %LOGFILE% 2>&1
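The three batch scripts above (update, create and the logged update) trust whatever the lookup returns and write it straight into an Allow rule. What follows is an added example, not the article's script, of the same job written defensively for a POSIX shell (WSL, Git Bash or a Linux host with the Azure CLI and jq installed): it refuses to use anything that is not a public IPv4 address (an empty body, "null" from jq when the JSON has no ip field, an HTML error page, or a private or CGNAT address a captive portal might hand back), reads the rule's current source prefix with az network nsg rule show and only writes when it differs, and logs every outcome. The variable defaults, the log path and the --run argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's batch script): fail-closed update of an NSG
# allow rule with the current public IPv4 address.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-REPLACE_ME}"
NSG_NAME="${NSG_NAME:-REPLACE_ME}"
RULE_NAME="${RULE_NAME:-REPLACE_ME}"
LOGFILE="${LOGFILE:-$HOME/azure_update_home_fw_rule.log}"   # assumed path
IP_SOURCE="${IP_SOURCE:-https://ipinfo.io}"   # HTTPS only: nobody on the path picks the address

log() {
  printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOGFILE"
}

# True only for a syntactically valid, globally routable IPv4 address.
is_public_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric ("null", HTML), malformed
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')  # split into octets
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 0 ] && return 1                                            # 0.0.0.0/8
  [ "$1" -eq 10 ] && return 1                                           # 10/8
  [ "$1" -eq 127 ] && return 1                                          # loopback
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1  # CGNAT 100.64/10
  [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 1                     # link-local
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1   # 172.16/12
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1                     # 192.168/16
  [ "$1" -ge 224 ] && return 1                                          # multicast/reserved
  return 0
}

# Azure treats "a.b.c.d" and "a.b.c.d/32" as the same prefix; only write when
# the rule actually needs to change (fewer writes, a cleaner activity log).
needs_update() {
  [ "${1%/32}" != "${2%/32}" ]
}

fetch_public_ip() {
  body=$(curl -fsS --max-time 15 "$IP_SOURCE") || return 1
  printf '%s' "$body" | jq -r '.ip'
}

# sourceAddressPrefix is set when the rule holds a single prefix; if someone
# gave it a list instead, this is empty and the rule gets rewritten to one address.
current_prefix() {
  az network nsg rule show \
    --resource-group "$RESOURCE_GROUP" --nsg-name "$NSG_NAME" --name "$RULE_NAME" \
    --query 'sourceAddressPrefix' --output tsv
}

update_rule() {
  az network nsg rule update \
    --resource-group "$RESOURCE_GROUP" --nsg-name "$NSG_NAME" --name "$RULE_NAME" \
    --source-address-prefixes "$1" --output none
}

main() {
  ip=$(fetch_public_ip) || { log "ERROR: could not fetch public IP; rule left unchanged"; exit 1; }
  if ! is_public_ipv4 "$ip"; then
    log "ERROR: refusing to allow-list '$ip'; rule left unchanged"
    exit 1
  fi
  have=$(current_prefix) || { log "ERROR: cannot read rule $RULE_NAME"; exit 1; }
  if ! needs_update "$have" "$ip"; then
    log "OK: $RULE_NAME already allows $ip"
    exit 0
  fi
  if update_rule "$ip"; then
    log "OK: $RULE_NAME source changed from '$have' to $ip"
  else
    log "ERROR: update failed; $RULE_NAME still allows '$have'"
    exit 1
  fi
}

# Only act when invoked with --run, so the functions can be sourced and tested alone.
if [ "${1:-}" = "--run" ]; then main; fi
```

Schedule it as `sh azure_update_fw_rule_home.sh --run` after an `az login` (or a service principal login) by the same user. Every exit path writes one line to the log, so a scheduler only needs the exit status to know whether the rule is in the state you expect; on any failure the rule keeps its previous source address rather than being widened or emptied.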

Photography Credits

I write free articles about technology. Recently, I learned about Pexels.com which provides free images. The image in this article is courtesy of Pixabay at Pexels.