Copy Security Rules From One Azure Network Security Group To Another Using PowerShell


Network Security Group

An Azure Network Security Group (NSG) manages the flow and direction of network traffic. Besides the default inbound and outbound security rules, an NSG can have zero or more custom security rules that define security within the Azure Virtual Network.

Purpose of copying Security Rules

There are many scenarios where you need to clone a Network Security Group and its security rules to a new Network Security Group, or copy the security rules to an existing one: as part of a migration, for testing, to apply the same security measures to a different project, for a disaster recovery site, and so on.

You can't move a Network Security Group from one region to another. You can only use the copy, paste and delete method.

Copy Security Rules using PowerShell

I have created a PowerShell script to copy the security rules from one Network Security Group to another. It also has some other abilities, such as…

  • Copy security rules from one Network Security Group to another.
  • Creates a new Network Security Group and copies the security rules to it.
  • Accepts the Network Security Group by name or as an object.
  • By default the script merges the security rules, and it has an option to overwrite the existing NSG security rules.

Code

 View the code in GitHub  

Syntax

This function will accept the following Parameter Sets…

Copy-AzNSGSecurityRules -SourceResourceGroupName <string> -SourceNSGName <string> -TargetResourceGroupName <string> -TargetNSGName <string> [<CommonParameters>]

Copy-AzNSGSecurityRules -SourceResourceGroupName <string> -SourceNSGName <string> -TargetResourceGroupName <string> -TargetNSGName <string> -TargetLocation <string> [<CommonParameters>]

Copy-AzNSGSecurityRules -SourceNSG <psobject> -TargetResourceGroupName <string> -TargetNSGName <string> -TargetLocation <string> [<CommonParameters>]

Copy-AzNSGSecurityRules -SourceNSG <psobject> -TargetNSG <psobject> [-Overwrite] [<CommonParameters>]

Example 01

To copy security rules from the existing source NSG to existing target NSG using NSG name…

PS C:\> . .\Scripts\Copy-AzNSGSecurityRules.ps1
PS C:\> Copy-AzNSGSecurityRules -SourceResourceGroupName 'rg1' -SourceNSGName 'nsg1' -TargetResourceGroupName 'rg2' -TargetNSGName 'nsg2'

Output:

Following 2 security rule(s) is/are copied from source NSG 'rg1\nsg1' to target NSG 'rg2\nsg2'
Deny_Internet, Allow_SqlServer

Example 02

To create a new NSG and then copy security rules from the existing source NSG

PS C:\> . .\Scripts\Copy-AzNSGSecurityRules.ps1
PS C:\> Copy-AzNSGSecurityRules -SourceResourceGroupName 'rg1' -SourceNSGName 'nsg1' -TargetNSGName 'nsg2' -TargetResourceGroupName 'rg2' -TargetLocation 'southindia'

Output:

New NSG 'nsg2' has been created in resource group 'rg2' in 'southindia' location.
Following 2 security rule(s) is/are copied from source NSG 'rg1\nsg1' to target NSG 'rg2\nsg2'
Deny_Internet, Allow_SqlServer

If the target NSG already exists…

The NSG 'nsg2' is already existed, so vomiting the '-TagetLocation' parameter value and skiping the NSG creation.
Following 2 security rule(s) is/are copied from source NSG 'rg1\nsg1' to target NSG 'rg2\nsg2'
Deny_Internet, Allow_SqlServer

Example 03

To copy security rules from the existing source NSG to existing target NSG (When direct NSG objects are provided)

PS C:\> . .\Scripts\Copy-AzNSGSecurityRules.ps1
PS C:\> $nsg1 = Get-AzNetworkSecurityGroup -ResourceGroupName 'rg1' -Name 'nsg1'
PS C:\> $nsg2 = Get-AzNetworkSecurityGroup -ResourceGroupName 'rg2' -Name 'nsg2'
PS C:\> Copy-AzNSGSecurityRules -SourceNSG $nsg1 -TargetNSG $nsg2

Output:

Following 2 security rule(s) is/are copied from source NSG 'rg1\nsg1' to target NSG 'rg2\nsg2'
Deny_Internet, Allow_SqlServer

Example 04

To create a new NSG and then copy security rules from the existing source NSG (When direct source NSG object is provided)

PS C:\> . .\Scripts\Copy-AzNSGSecurityRules.ps1
PS C:\> $nsg1 = Get-AzNetworkSecurityGroup -ResourceGroupName 'rg1' -Name 'nsg1'
PS C:\> Copy-AzNSGSecurityRules -SourceNSG $nsg1 -TargetNSGName 'nsg2' -TargetResourceGroupName 'rg2' -TargetLocation 'southindia'

Output:

New NSG 'nsg2' has been created in resource group 'rg2' in 'southindia' location.
Following 2 security rule(s) is/are copied from source NSG 'rg1\nsg1' to target NSG 'rg2\nsg2'
Deny_Internet, Allow_SqlServer

If the target NSG already exists…

The NSG 'nsg2' is already existed, so vomiting the '-TagetLocation' parameter value and skiping the NSG creation.
Following 2 security rule(s) is/are copied from source NSG 'rg1\nsg1' to target NSG 'rg2\nsg2'
Deny_Internet, Allow_SqlServer
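
Because the script merges rules by default and can also overwrite the target's existing rules, it is worth seeing beforehand which source rules collide with rules already on the target. The following is an added example, not part of the author's script: Compare-NsgRuleSet is a hypothetical helper, and the sample NSG objects (priorities, directions, access values and the Allow_Rdp rule) are constructed stand-ins for Get-AzNetworkSecurityGroup output.

```powershell
# Added example. Compare-NsgRuleSet is a hypothetical helper, not part of
# Copy-AzNSGSecurityRules. It only reads the two NSG objects.
function Compare-NsgRuleSet {
    param(
        [Parameter(Mandatory)] [psobject] $SourceNSG,
        [Parameter(Mandatory)] [psobject] $TargetNSG
    )
    foreach ($rule in $SourceNSG.SecurityRules) {
        # Azure requires rule names to be unique within an NSG.
        $sameName = $TargetNSG.SecurityRules | Where-Object { $_.Name -eq $rule.Name }
        # Azure requires priorities to be unique per direction within an NSG.
        $sameSlot = $TargetNSG.SecurityRules | Where-Object {
            $_.Name -ne $rule.Name -and
            $_.Direction -eq $rule.Direction -and
            $_.Priority -eq $rule.Priority
        }
        if ($sameName -and $sameName.Access -ne $rule.Access) {
            $status = 'SameName-AccessDiffers'; $hit = $sameName
        } elseif ($sameName) {
            $status = 'SameName'; $hit = $sameName
        } elseif ($sameSlot) {
            $status = 'PriorityInUse'; $hit = $sameSlot
        } else {
            $status = 'New'; $hit = $null
        }
        [pscustomobject]@{
            SourceRule = $rule.Name
            Direction  = $rule.Direction
            Priority   = $rule.Priority
            Access     = $rule.Access
            Status     = $status
            TargetRule = if ($hit) { $hit.Name }
        }
    }
}

# Constructed sample data standing in for Get-AzNetworkSecurityGroup output.
$nsg1 = [pscustomobject]@{ Name = 'nsg1'; SecurityRules = @(
    [pscustomobject]@{ Name = 'Deny_Internet';   Direction = 'Outbound'; Priority = 100; Access = 'Deny' }
    [pscustomobject]@{ Name = 'Allow_SqlServer'; Direction = 'Inbound';  Priority = 200; Access = 'Allow' }
) }
$nsg2 = [pscustomobject]@{ Name = 'nsg2'; SecurityRules = @(
    [pscustomobject]@{ Name = 'Deny_Internet'; Direction = 'Outbound'; Priority = 100; Access = 'Allow' }
    [pscustomobject]@{ Name = 'Allow_Rdp';     Direction = 'Inbound';  Priority = 200; Access = 'Allow' }
) }
Compare-NsgRuleSet -SourceNSG $nsg1 -TargetNSG $nsg2 | Format-Table -AutoSize
```

With real NSGs, pass the objects returned by Get-AzNetworkSecurityGroup, as in Example 03. Review any row whose Status is not 'New' before copying, since a same-name rule with a different Access value means the copy changes what traffic the target allows.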
