这个脚本用于输出ASM模式下虚拟机的NSG和ACL,对于多网卡虚拟机也同样适用。可以输出所有网络接口的NSG以及虚拟机所在子网的NSG。注意:虚拟机级别的NSG和子网级别的NSG会同时生效,脚本只列出自定义规则,不包含NSG的默认规则。
脚本如下:
<#
Script parameters. All three are mandatory; PowerShell prompts for any that
are not supplied on the command line.
  SubscriptionName - subscription in which every operation is performed.
  ServiceName      - cloud service (ASM) that hosts the virtual machine.
  VMName           - role name of the virtual machine inside that service.
#>
param(
    [Parameter(Mandatory = $true)] [string] $SubscriptionName,
    [Parameter(Mandatory = $true)] [string] $ServiceName,
    [Parameter(Mandatory = $true)] [string] $VMName
)
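# Interactive sign-in to the Azure China (Mooncake) environment; the environment
# is hard-coded, so the script is not usable as-is against global Azure.
# -ErrorAction Stop makes a failed login or an unknown subscription name abort
# the script instead of letting it silently continue with whatever subscription
# context was cached from an earlier session.
$cred = Get-Credential;
if($cred -eq $NULL)
{
    # Get-Credential returns nothing when the prompt is cancelled.
    throw "No credential supplied; aborting.";
}
Add-AzureAccount -Environment AzureChinaCloud -Credential $cred -ErrorAction Stop;
Select-AzureSubscription -SubscriptionName $SubscriptionName -ErrorAction Stop;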
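# Collects and displays (Out-GridView) the network security rules that apply to
# an ASM virtual machine:
#   1. endpoint ACL rules on each input endpoint - an endpoint that has no ACL
#      accepts traffic from any source, so such endpoints get a marker row
#      instead of being silently omitted;
#   2. rules of the NSG associated with the VM itself;
#   3. rules of the NSG associated with every subnet the VM's NICs are in.
# Only custom rules are listed; NSG default rules are not included. An NSG
# attached both to the VM and to its subnet is listed once.
# Parameters:
#   $vm - the object returned by Get-AzureVM for the machine to inspect.
# Output: a grid window only; nothing is written to the pipeline (the index
#   returned by ArrayList.Add is discarded, which the original did not do).
Function PrintVirtualMachineNetworkSecurityRules($vm)
{
    $customRules = New-Object System.Collections.ArrayList;
    # names of NSGs already added, to avoid listing the same NSG twice
    $seenNsgs = New-Object System.Collections.ArrayList;

    # Appends every rule of $nsg to $customRules under $category, unless an NSG
    # with the same name was already processed (or $nsg is empty).
    Function AddNsgRules($nsg, $category)
    {
        if($nsg -eq $NULL -or [string]::IsNullOrEmpty($nsg.Name))
        {
            return;
        }
        if($seenNsgs.Contains($nsg.Name))
        {
            return;
        }
        [void]$seenNsgs.Add($nsg.Name);
        foreach($rule in $nsg.Rules)
        {
            # 'Catagory' spelling is kept so the grid column header is unchanged.
            [void]$customRules.Add(@{RuleName=$rule.Name; Protocol=$rule.Protocol; Source=$rule.SourceAddressPrefix; SourcePort=$rule.SourcePortRange; Dest=$rule.DestinationAddressPrefix; DestPort=$rule.DestinationPortRange; Access=$rule.Action; Priority=$rule.Priority; Direction=$rule.Type; Catagory=$category;});
        }
    }

    # 1. Endpoint ACLs
    $endpoints = $vm | Get-AzureEndpoint;
    foreach($endpoint in $endpoints)
    {
        $vip = $endpoint.Vip;
        if($vip -eq $NULL)
        {
            $vip = "<CloudService Vip>";
        }
        # Filter out $null so an endpoint without an Acl object yields an empty list.
        $aclRules = @($endpoint.Acl.Rules | Where-Object { $_ -ne $NULL });
        if($aclRules.Count -eq 0)
        {
            # No ACL means the endpoint is reachable from any source; surface
            # that explicitly so an audit does not miss an open port.
            [void]$customRules.Add(@{RuleName="<No ACL - open to all>"; Protocol=$endpoint.Protocol; Source="*"; SourcePort="*"; Dest=$vip; DestPort=$endpoint.Port; Access="Permit"; Priority=""; Direction="Inbound"; Catagory="Endpoint ACL";});
            continue;
        }
        foreach($aclRule in $aclRules)
        {
            $name = $aclRule.Description;
            if([string]::IsNullOrEmpty($name)) # Description may be blank; show a placeholder
            {
                $name = "<ACL>";
            }
            [void]$customRules.Add(@{RuleName=$name; Protocol=$endpoint.Protocol; Source=$aclRule.RemoteSubnet; SourcePort="*"; Dest=$vip; DestPort=$endpoint.Port; Access=$aclRule.Action; Priority=$aclRule.Order; Direction="Inbound"; Catagory="Endpoint ACL";});
        }
    }

    # 2. NSG associated with the VM.
    # -Detailed is required for the Rules collection to be populated (the subnet
    # lookup below already used it; the VM lookup did not). A lookup failure is
    # reported rather than silently treated as "no NSG".
    $nsgToVM = $NULL;
    try
    {
        $nsgToVM = $vm | Get-AzureNetworkSecurityGroupAssociation -Detailed -ErrorAction Stop;
    }
    catch
    {
        Write-Warning ("NSG lookup for VM '{0}' failed or no NSG is associated: {1}" -f $vm.Name, $_.Exception.Message);
    }
    AddNsgRules $nsgToVM "VirtualMachine NSG";

    # 3. NSGs associated with the subnets of the VM's NICs
    $virtualNetworkName = $vm.VirtualNetworkName;
    if(![string]::IsNullOrEmpty($virtualNetworkName))
    {
        $subnetNames = New-Object System.Collections.ArrayList;
        foreach($configSet in $vm.VM.ConfigurationSets)
        {
            # Only the network configuration set carries subnets; other
            # configuration sets (provisioning) have no SubnetNames and
            # previously produced a lookup with an empty -SubnetName.
            foreach($subnet in $configSet.SubnetNames)
            {
                if(![string]::IsNullOrEmpty($subnet) -and !$subnetNames.Contains($subnet))
                {
                    [void]$subnetNames.Add($subnet);
                }
            }
            # Secondary NICs of a multi-NIC VM carry their subnet in the NIC's
            # IP configurations. NOTE(review): property names assumed from the
            # ASM NetworkConfigurationSet model; if absent the loop is a no-op.
            foreach($nic in $configSet.NetworkInterfaces)
            {
                foreach($ipConfig in $nic.IPConfigurations)
                {
                    $subnet = $ipConfig.SubnetName;
                    if(![string]::IsNullOrEmpty($subnet) -and !$subnetNames.Contains($subnet))
                    {
                        [void]$subnetNames.Add($subnet);
                    }
                }
            }
        }
        foreach($subnetName in $subnetNames)
        {
            $nsg = $NULL;
            try
            {
                $nsg = Get-AzureNetworkSecurityGroupAssociation -VirtualNetworkName $virtualNetworkName -SubnetName $subnetName -Detailed -ErrorAction Stop;
            }
            catch
            {
                Write-Warning ("NSG lookup for subnet '{0}' in VNet '{1}' failed or no NSG is associated: {2}" -f $subnetName, $virtualNetworkName, $_.Exception.Message);
                continue;
            }
            AddNsgRules $nsg "Subnet NSG";
        }
    }

    $customRules | select @{Name="Name"; Expression={$_["RuleName"]}}, @{Name="Protocol";Expression={$_["Protocol"]}}, @{Name="Source"; Expression={$_["Source"]}}, @{Name="SourcePort"; Expression={$_["SourcePort"]}}, @{Name="Dest"; Expression={$_["Dest"]}}, @{Name="DestPort"; Expression={$_["DestPort"]}}, @{Name="Access"; Expression={$_["Access"]}}, @{Name="Priority"; Expression={$_["Priority"]}}, @{Name="Direction"; Expression={$_["Direction"]}}, @{Name="Catagory"; Expression={$_["Catagory"]}} | Out-GridView;
}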
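# Resolve the VM. Get-AzureVM returns nothing when the service/role name does
# not match, so check for that instead of running the report against $null.
$vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName -ErrorAction Stop;
if($vm -eq $NULL)
{
    throw ("Virtual machine '{0}' was not found in cloud service '{1}'." -f $VMName, $ServiceName);
}
PrintVirtualMachineNetworkSecurityRules $vm;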
调用方法:
[ASM]show_virtual_machine_network_rules.ps1 -SubscriptionName <Subscription Name> -ServiceName <CloudService Name> -VMName <VM Name>
输出结果: