[Azure] Using PowerShell to list the NSG and ACL rules of an ASM virtual machine



This script lists the network security group (NSG) rules and endpoint ACL rules that apply to a virtual machine deployed in ASM (classic) mode; it also works for multi-NIC virtual machines. It outputs the NSG associated with the VM's network interfaces as well as the NSG associated with the subnet the VM is placed in.


The script:

param(
    # The name of the subscription in which all operations take place.
    [Parameter(Mandatory = $true)]
    [string]$SubscriptionName,

    # Cloud service name.
    [Parameter(Mandatory = $true)]
    [string]$ServiceName,

    # Virtual machine name.
    [Parameter(Mandatory = $true)]
    [string]$VMName
)

$cred = Get-Credential;
Add-AzureAccount -Environment AzureChinaCloud -Credential $cred;

Select-AzureSubscription -SubscriptionName $SubscriptionName;

Function PrintVirtualMachineNetworkSecurityRules($vm)
{
    $customRules = New-Object System.Collections.ArrayList;
    #$defaultRules = New-Object System.Collections.ArrayList;

    # Names of the NSGs already collected, so a group associated with both the VM
    # and its subnet is listed only once.
    $duplicateNsgs = New-Object System.Collections.ArrayList;

    # Collect endpoint ACLs. ArrayList.Add returns the new index, so cast the call
    # to [void] to keep the index out of the function's output.
    $endpoints = $vm | Get-AzureEndpoint;
    foreach($endpoint in $endpoints)
    {
        foreach($aclRule in $endpoint.Acl.Rules)
        {
            $name = $aclRule.Description;
            if([string]::IsNullOrEmpty($name))    # the description may be missing; fall back to an empty name
            {
                $name = "";
            }
            $vip = $endpoint.Vip;
            if($vip -eq $NULL)
            {
                $vip = "";
            }
            [void]$customRules.Add(@{RuleName=$name; Protocol=$endpoint.Protocol; Source=$aclRule.RemoteSubnet; SourcePort="*"; Dest=$vip; DestPort=$endpoint.Port; Access=$aclRule.Action; Priority=$aclRule.Order; Direction="Inbound"; Category="Endpoint ACL";});
        }
    }

    # Collect the NSG associated with the VM itself. -Detailed is required to get
    # the rules back; a VM without an NSG yields $null.
    $nsgToVM = $vm | Get-AzureNetworkSecurityGroupAssociation -Detailed -ErrorAction SilentlyContinue;
    if($nsgToVM -ne $NULL -and !$duplicateNsgs.Contains($nsgToVM.Name))
    {
        [void]$duplicateNsgs.Add($nsgToVM.Name);
        $rules = $nsgToVM.Rules;
        foreach($rule in $rules)
        {
            [void]$customRules.Add(@{RuleName=$rule.Name; Protocol=$rule.Protocol; Source=$rule.SourceAddressPrefix; SourcePort=$rule.SourcePortRange; Dest=$rule.DestinationAddressPrefix; DestPort=$rule.DestinationPortRange; Access=$rule.Action; Priority=$rule.Priority; Direction=$rule.Type; Category="VirtualMachine NSG";});
        }
    }

    # Collect the NSG associated with each subnet the VM is placed in.
    $virtualNetworkName = $vm.VirtualNetworkName;
    if(![string]::IsNullOrEmpty($virtualNetworkName))
    {
        foreach($networkConfiguration in $vm.VM.ConfigurationSets)
        {
            # Only the network configuration set carries SubnetNames; the
            # provisioning configuration sets have none and are skipped.
            foreach($subnetName in $networkConfiguration.SubnetNames)
            {
                if([string]::IsNullOrEmpty($subnetName))
                {
                    continue;
                }
                # A subnet without an NSG reports an error; suppress it and treat it as "no NSG".
                $nsg = Get-AzureNetworkSecurityGroupAssociation -VirtualNetworkName $virtualNetworkName -SubnetName $subnetName -Detailed -ErrorAction SilentlyContinue;
                if($nsg -ne $NULL -and !$duplicateNsgs.Contains($nsg.Name))
                {
                    [void]$duplicateNsgs.Add($nsg.Name);
                    $rules = $nsg.Rules;
                    foreach($rule in $rules)
                    {
                        [void]$customRules.Add(@{RuleName=$rule.Name; Protocol=$rule.Protocol; Source=$rule.SourceAddressPrefix; SourcePort=$rule.SourcePortRange; Dest=$rule.DestinationAddressPrefix; DestPort=$rule.DestinationPortRange; Access=$rule.Action; Priority=$rule.Priority; Direction=$rule.Type; Category="Subnet NSG";});
                    }
                }
            }
        }
    }

    # Present the collected rules in a grid view.
    $customRules | select @{Name="Name"; Expression={$_["RuleName"]}},
                          @{Name="Protocol"; Expression={$_["Protocol"]}},
                          @{Name="Source"; Expression={$_["Source"]}},
                          @{Name="SourcePort"; Expression={$_["SourcePort"]}},
                          @{Name="Dest"; Expression={$_["Dest"]}},
                          @{Name="DestPort"; Expression={$_["DestPort"]}},
                          @{Name="Access"; Expression={$_["Access"]}},
                          @{Name="Priority"; Expression={$_["Priority"]}},
                          @{Name="Direction"; Expression={$_["Direction"]}},
                          @{Name="Category"; Expression={$_["Category"]}} | Out-GridView;
}

$vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName;
PrintVirtualMachineNetworkSecurityRules $vm;


Usage:

[ASM]show_virtual_machine_network_rules.ps1 -SubscriptionName  -ServiceName  -VMName
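The grid view above is an inventory; the next step for a defender is reading it for risk. As an added example that is not part of the original post, the following takes rule records in the same shape as the script's $customRules entries (the sample rules, rule names and the list of management ports are constructed for illustration) and reports which of those ports the first matching any-source inbound rule leaves open to the Internet.

```powershell
# Added example (not part of the original post). Works on rule records shaped like
# the script's $customRules entries; the sample rules and the management-port list
# below are constructed for illustration.
function Test-PortMatch([string]$Range, [int]$Port) {
    # NSG/ACL destination ports are "*", a single port, or a "low-high" range
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

function Get-EffectiveInboundRule {
    param([object[]]$Rules, [string]$Category, [int]$Port, [string]$Protocol = 'TCP')
    # Sources that match traffic from anywhere on the Internet. Rules scoped to a
    # narrower source are ignored here: they cannot open the port to everyone.
    $anySource = @('*', 'INTERNET', '0.0.0.0/0')
    # The lowest Priority (NSG) / Order (ACL) value wins: sort ascending, take the first match
    $Rules |
        Where-Object { $_.Category -eq $Category -and $_.Direction -eq 'Inbound' } |
        Where-Object { $_.Protocol -eq '*' -or $_.Protocol -ieq $Protocol } |
        Where-Object { $anySource -contains $_.Source.ToUpper() -and (Test-PortMatch $_.DestPort $Port) } |
        Sort-Object { [int]$_.Priority } |
        Select-Object -First 1
}

function Find-ExposedManagementPorts {
    param([object[]]$Rules, [string]$Category)
    # Hypothetical review list; extend it with whatever your environment treats as management traffic
    $mgmtPorts = @{ RDP = 3389; SSH = 22; WinRM = 5985; SQL = 1433 }
    foreach ($entry in $mgmtPorts.GetEnumerator()) {
        $rule = Get-EffectiveInboundRule -Rules $Rules -Category $Category -Port $entry.Value
        # NSG rules say "Allow", endpoint ACL rules say "Permit"
        if ($rule -and (@('ALLOW', 'PERMIT') -contains $rule.Access.ToUpper())) {
            [pscustomobject]@{ Service = $entry.Key; Port = $entry.Value; Rule = $rule.RuleName; Priority = $rule.Priority }
        }
    }
}

# Constructed sample in the script's record shape; only the any-source SSH rule should be reported
$sampleRules = @(
    [pscustomobject]@{RuleName='allow-rdp-office'; Protocol='TCP'; Source='203.0.113.0/24'; SourcePort='*'; Dest='*'; DestPort='3389';   Access='Allow'; Priority=100;   Direction='Inbound'; Category='VirtualMachine NSG'},
    [pscustomobject]@{RuleName='allow-web';        Protocol='TCP'; Source='INTERNET';       SourcePort='*'; Dest='*'; DestPort='80-443'; Access='Allow'; Priority=200;   Direction='Inbound'; Category='VirtualMachine NSG'},
    [pscustomobject]@{RuleName='allow-ssh-any';    Protocol='*';   Source='*';              SourcePort='*'; Dest='*'; DestPort='22';     Access='Allow'; Priority=300;   Direction='Inbound'; Category='VirtualMachine NSG'},
    [pscustomobject]@{RuleName='DENY ALL INBOUND'; Protocol='*';   Source='*';              SourcePort='*'; Dest='*'; DestPort='*';      Access='Deny';  Priority=65500; Direction='Inbound'; Category='VirtualMachine NSG'}
)
Find-ExposedManagementPorts -Rules $sampleRules -Category 'VirtualMachine NSG' | Format-Table -AutoSize
```

To run it against a real VM, replace $sampleRules with the $customRules list the script builds (the hashtable entries are accepted as-is) and call it once per Category value.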


Output: the collected rules are shown in an Out-GridView window (a screenshot appears in the original post).
