The kusto query below will give you a list of all manually added security rules on all of your NSGs in all of your subnets. (Where you have access).
This is a great way to keep track of your vNets and subnets, what is allowed where…
You will get the following info from each NSG security rule:
Resource Group Name
Destination IP Prefix
Source IP Prefix
(Optional: SubscriptionId, extended.properties)
In my current Azure network, the count is around 200, in 75 different NSGs. Its not easy to keep track and find the ‘holes’ if you cannot get a good overview.
Use different sort or where clauses to filter and sort on what you are currently looking for, if you for example filter on
| where destport == ‘*’
you will see only the rules allowing traffic to any port.
| where destprefix == ‘*’
will list all rules allowing traffic to any ip address on the subnet, and so on.
Resources | where type =~ "microsoft.network/networksecuritygroups" | join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubcriptionName=name, subscriptionId) on subscriptionId | where resourceGroup == 'production' or resourceGroup == 'testing' // Only if you don't want to see all, add more resourceGroups as needed: or resourceGroup == 'xxx' | mv-expand rules=properties.securityRules | extend direction = tostring(rules.properties.direction) | extend priority = toint(rules.properties.priority) | extend description = rules.properties.description | extend destprefix = rules.properties.destinationAddressPrefix | extend destport = rules.properties.destinationPortRange | extend sourceprefix = rules.properties.sourceAddressPrefix | extend sourceport = rules.properties.sourcePortRange | extend subnet_name = split((split(tostring(properties.subnets), '/')), '"') //| where destprefix == '*' | project SubcriptionName, resourceGroup, subnet_name, name, direction, priority, destprefix, destport, sourceprefix, sourceport, description //, subscriptionId, rules.properties | sort by SubcriptionName, resourceGroup asc, name, direction asc, priority asc
4 thoughts on “List all NSG security rules in one query using Azure Resource Graph”
Thanks for sharing this, Thomas. It has been a great help to me.
Anytime, glad if it helped!
Is this destructive? What I mean is will it change anything in the NSG or anything like that?
No, it reads from the resource graph. Read-only.