
Jun 24

Using Pulumi to Create Azure Network Security Groups

The `Constants` class referenced by the example code below. The values are the literal strings the Azure API expects, collected here so the rule definitions do not repeat them.

/// <summary>
/// Literal string values accepted by the Azure resource properties used in the
/// examples: SKU names, allocation methods, NSG rule protocol/action values,
/// next-hop types and storage account kinds/replication settings. Keeping them
/// here avoids scattering magic strings through the Pulumi resource definitions.
/// </summary>
public class Constants
{
    // SKU tiers.
    public const string SKUBASIC = "Basic";
    public const string SKUSTANDARD = "Standard";

    // IP version and address allocation methods.
    public const string IPVERSION4 = "IPv4";
    public const string DYNAMIC = "Dynamic";
    public const string STATIC = "Static";

    // Network security rule values: "*" is the wildcard for ports/addresses.
    public const string ALL = "*";
    public const string ALLOW = "Allow";
    public const string TCP = "TCP";
    public const string UDP = "UDP";

    // Next-hop types (presumably for route tables — verify against the caller).
    public const string VIRTUALAPPLIANCE = "VirtualAppliance";
    public const string VIRTUALNETWORKGATEWAY = "VirtualNetworkGateway";

    // Storage replication / SKU values.
    public const string LRS = "LRS";
    public const string PREMIUM_LRS = "Premium_LRS";

    // Storage account kinds; the default is the general-purpose v2 kind.
    public const string STORAGEACCOUNT_BLOB = "BlobStorage";
    public const string STORAGEACCOUNT_BLOCKBLOB = "BlockBlobStorage";
    public const string STORAGEACCOUNT_FILE = "FileStorage";
    public const string STORAGEACCOUNT_STORAGE = "Storage";
    public const string STORAGEACCOUNT_STORAGEV2 = "StorageV2";
    public const string STORAGEACCOUNT_DEFAULT = STORAGEACCOUNT_STORAGEV2;
}

This code defines a few NSG rules, creates a Network Security Group containing them, and then associates that group with the Web subnet. Note that NSG rules are only evaluated against traffic entering or leaving the subnet the group is attached to, and that Azure's default rules (for example AllowVnetInBound) still apply below anything defined here unless an explicit deny rule is added.

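/// <summary>
/// Builds the network security group (NSG) for the web tier and attaches it to
/// the "Web" subnet. Every rule here is an inbound allow; no explicit deny is
/// added, so Azure's default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound
/// at 65001, DenyAllInBound at 65500) still decide everything these rules do not match.
/// </summary>
class ExampleNsgRules
{
        // Private addresses of the web servers: destination of the HTTP and SSH
        // rules and the only permitted source for the database rule. Kept in one
        // place so the rules cannot drift apart.
        private static readonly string[] WebServerAddresses =
            { "10.20.1.10", "10.20.1.11", "10.20.1.12", "10.20.1.13" };

        // Private addresses of the database servers.
        private static readonly string[] DatabaseServerAddresses = { "10.20.2.10", "10.20.2.11" };

        // Administrative hosts that may open SSH sessions to the web servers.
        private static readonly string[] SshSourceAddresses = { "10.20.20.5", "10.20.20.6" };

        private readonly string _location;
        private readonly ResourceGroup _resourceGroup;
        private readonly Dictionary<string, Subnet> _subnets;

        /// <param name="location">Azure region the NSG is created in.</param>
        /// <param name="resourceGroup">Resource group that will own the NSG.</param>
        /// <param name="subnets">Subnets keyed by name; must contain an entry named "Web".</param>
        public ExampleNsgRules(string location, ResourceGroup resourceGroup, Dictionary<string, Subnet> subnets)
        {
            _location = location;
            _resourceGroup = resourceGroup;
            _subnets = subnets;
        }

        /// <summary>
        /// Creates the web-tier NSG with three inbound allow rules (HTTP, SQL Server
        /// from the web servers, SSH from the admin hosts) and associates it with
        /// the "Web" subnet.
        /// </summary>
        /// <param name="nsgName">Pulumi resource name for the NSG.</param>
        /// <exception cref="KeyNotFoundException">No subnet named "Web" was supplied.</exception>
        public void BuildWebNSG(string nsgName)
        {
            // Fail before any resource is declared if the target subnet is missing.
            if (!_subnets.TryGetValue("Web", out var webSubnet))
            {
                throw new KeyNotFoundException("Subnet \"Web\" was not supplied; cannot attach the web NSG.");
            }

            // HTTP to the web servers. The original rule named no source at all; an
            // NSG rule must carry one, and "*" is the explicit wildcard the other
            // rules already use for ports. NOTE(review): tighten this to the
            // "Internet" service tag or the front-end/load-balancer range if port 80
            // should not be reachable from every address.
            var httpRule = new NetworkSecurityGroupSecurityRuleArgs
            {
                Name = "WebAccess",
                Priority = 200,
                Direction = "Inbound",
                Access = Constants.ALLOW,
                Protocol = Constants.TCP,
                SourceAddressPrefix = Constants.ALL,
                SourcePortRange = Constants.ALL,
                DestinationAddressPrefixes = WebServerAddresses,
                DestinationPortRanges = new[] { "80" }
            };

            // Web servers to SQL Server. Client connections on 1433 are TCP; the
            // original rule said UDP, so it would never have matched that traffic.
            // NOTE(review): this NSG is bound to the Web subnet, so as an *inbound*
            // rule it only governs traffic entering that subnet. To actually fence the
            // database servers the same rule belongs on the DB subnet's NSG (or as an
            // outbound rule here).
            var databaseRule = new NetworkSecurityGroupSecurityRuleArgs
            {
                Name = "DatabaseAccess",
                Priority = 210,
                Direction = "Inbound",
                Access = Constants.ALLOW,
                Protocol = Constants.TCP,
                SourceAddressPrefixes = WebServerAddresses,
                SourcePortRange = Constants.ALL,
                DestinationAddressPrefixes = DatabaseServerAddresses,
                DestinationPortRanges = new[] { "1433" }
            };

            // SSH to the web servers, only from the admin hosts. The original put the
            // admin addresses into SourcePortRanges (not a valid port list, and it
            // left the source *address* unrestricted), reused the name "WebAccess"
            // (rule names must be unique within an NSG) and never added the rule to
            // the group at all.
            var sshRule = new NetworkSecurityGroupSecurityRuleArgs
            {
                Name = "SSHAccess",
                Priority = 220,
                Direction = "Inbound",
                Access = Constants.ALLOW,
                Protocol = Constants.TCP,
                SourceAddressPrefixes = SshSourceAddresses,
                SourcePortRange = Constants.ALL,
                DestinationAddressPrefixes = WebServerAddresses,
                DestinationPortRanges = new[] { "22" }
            };

            // NOTE(review): with no deny rule below priority 65000, the default
            // AllowVnetInBound rule still permits SSH (and everything else) from any
            // address inside the VNet, so the source restriction above is only
            // meaningful once a lower-priority deny is added. It is deliberately not
            // added here because a blanket deny would also need an allow for the
            // AzureLoadBalancer service tag if health probes are in use.
            var rules = new List<NetworkSecurityGroupSecurityRuleArgs> { httpRule, databaseRule, sshRule };

            var nsg = new NetworkSecurityGroup(nsgName, new NetworkSecurityGroupArgs
            {
                ResourceGroupName = _resourceGroup.Name,
                Location = _location,
                SecurityRules = rules
            });

            new SubnetNetworkSecurityGroupAssociation("webNsgAssociation", new SubnetNetworkSecurityGroupAssociationArgs
            {
                NetworkSecurityGroupId = nsg.Id,
                SubnetId = webSubnet.Id
            });
        }
}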
