Network Security Group Ruleset to CSV

You may have a requirement from time-to-time to provide a copy of the current Network Security Group(s) rulset within your Azure subscription, in this blog I will show you how this can be be done via PowerShell

Lets have a look at a sample NSG created below

I am looking this ruleset to be in a .csv file.

Looking at the relevant PowerShell command below and output directly to .csv has some formatting issues. Shown below:-

$nsg = Get-AzNetworkSecurityGroup -Name "tamops-nsg" | Get-AzureRmNetworkSecurityRuleConfig

Example output of $nsg – shows rules in an array

PS C:UsersThomasDesktopscripts> $nsg


Name                                 : Rule1
Id                                   : /subscriptions/<subscription_id>/resourceGroups/tamopsnsg/providers/Microsoft.Network/networkSecurityGroup
                                       s/tamops-nsg/securityRules/Rule1
Etag                                 : W/"aad44fcb-7e51-4e43-8b49-cd07613302d2"
ProvisioningState                    : Succeeded
Description                          :
Protocol                             : *
SourcePortRange                      : {*}
DestinationPortRange                 : {3389}
SourceAddressPrefix                  : {}
DestinationAddressPrefix             : {VirtualNetwork}
SourceApplicationSecurityGroups      : [
                                         {
                                           "Id": "/subscriptions/<subscription_id>/resourceGroups/tamopsnsg/providers/Microsoft.Network/applicati
                                       onSecurityGroups/tamopsasg1"
                                         }
                                       ]
DestinationApplicationSecurityGroups : []
Access                               : Allow
Priority                             : 100
Direction                            : Inbound

Name                                 : Rule2
Id                                   : /subscriptions/<subscription_id>/resourceGroups/tamopsnsg/providers/Microsoft.Network/networkSecurityGroup
                                       s/tamops-nsg/securityRules/Rule2
Etag                                 : W/"aad44fcb-7e51-4e43-8b49-cd07613302d2"
ProvisioningState                    : Succeeded
Description                          :
Protocol                             : *
SourcePortRange                      : {*}
DestinationPortRange                 : {80}
SourceAddressPrefix                  : {192.168.0.1}
DestinationAddressPrefix             : {}
SourceApplicationSecurityGroups      : []
DestinationApplicationSecurityGroups : [
                                         {
                                           "Id": "/subscriptions/<subscription_id>/resourceGroups/tamopsnsg/providers/Microsoft.Network/applicati
                                       onSecurityGroups/tamopsasg2"
                                         }
                                       ]
Access                               : Allow
Priority                             : 110
Direction                            : Inbound

Output this directly to .csv has a formatting issue

Get-AzNetworkSecurityGroup -Name "tamops-nsg" | Get-AzNetworkSecurityRuleConfig | export-csv -Path "nsg-output.csv"

You will see several outputs showing:-

System.Collections.Generic.List`1[System.String]

To resolve this issue, I created a new [pscustomobject] and added the columns I wanted to display, full script is below:-

Notice -join has been used to split ports, addresses etc if there is >1 entry within each rule.

Additional rows can be added to [pscustomobject] if required as found in output from:-

 $nsg = Get-AzNetworkSecurityGroup -Name "tamops-nsg" | Get-AzureRmNetworkSecurityRuleConfig

PowerShell script:-

param(
    [Parameter(Mandatory=$true)][string]$NsgName,
    [Parameter(Mandatory=$true)][string]$CsvPathToSave
)

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName | Get-AzNetworkSecurityRuleConfig

$NsgRuleSet = @()

foreach ($rule in $nsg) {

    $ASGGroupNameSource = $rule.SourceApplicationSecurityGroups.id -replace '.*/'
    $ASGGroupNameDestination = $rule.DestinationApplicationSecurityGroups.id -replace '.*/'
    
    $NsgRuleSet += (

        [pscustomobject]@{ 
                        RuleName =  $rule.Name; 
                        Priority = $rule.Priority; 
                        DestinationPortRange = "$($rule.DestinationPortRange -join ",")"; 
                        Protocol = $rule.Protocol;
                        SourceAddressPrefix = "$($rule.SourceAddressPrefix -join ", ")";
                        SourceApplicationSecurityGroups = $ASGGroupNameSource;
                        DestinationAddressPrefix = "$($rule.DestinationAddressPrefix -join ",")";
                        DestinationApplicationSecurityGroups = $ASGGroupNameDestination;
                        Direction = $rule.Direction;
                        Access = $rule.Access;
                        }

    )
} 

$NsgRuleSet | export-csv -Path "$($CsvPathToSave).csv"

Example run of script below:-

PS C:UsersThomasDesktopscripts> .nsg-to-xml.ps1

cmdlet nsg-to-xml.ps1 at command pipeline position 1
Supply values for the following parameters:
NsgName: tamops-nsg
CsvPathToSave: nsgscript-output.csv

As you can see from the above snippet, a readable format with no Systems.collection.xxx output

2 comments

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s