The Kusto query below will give you a list of all manually added security rules on all of your NSGs in all of your subnets (where you have access).
This is a great way to keep track of your vNets and subnets, and of what is allowed where.
You will get the following info from each NSG security rule:
Subscription Name
Resource Group Name
Subnet Name
NSG Name
Direction
Priority
Destination IP Prefix
Destination Port
Source IP Prefix
Source Port
Description
(Optional: SubscriptionId, extended.properties)
In my current Azure network, the count is around 200, in 75 different NSGs. It's not easy to keep track and find the ‘holes’ if you cannot get a good overview.
Use different sort or where clauses to filter and sort on what you are currently looking for. If you, for example, filter on
| where destport == '*'
you will see only the rules allowing traffic to any port, and
| where destprefix == '*'
will list all rules allowing traffic to any IP address on the subnet, and so on.
Resources
| where type =~ "microsoft.network/networksecuritygroups"
| join kind=leftouter (
    ResourceContainers
    | where type == 'microsoft.resources/subscriptions'
    | project SubcriptionName=name, subscriptionId
  ) on subscriptionId
| where resourceGroup == 'production' or resourceGroup == 'testing' // Only if you don't want to see all; add more resource groups as needed: or resourceGroup == 'xxx'
| mv-expand rules=properties.securityRules // one row per security rule
| extend direction = tostring(rules.properties.direction)
| extend priority = toint(rules.properties.priority)
| extend description = rules.properties.description
| extend destprefix = rules.properties.destinationAddressPrefix
| extend destport = rules.properties.destinationPortRange
| extend sourceprefix = rules.properties.sourceAddressPrefix
| extend sourceport = rules.properties.sourcePortRange
| extend subnet_name = split((split(tostring(properties.subnets), '/'))[10], '"')[0] // name of the first subnet the NSG is attached to
//| where destprefix == '*'
| project SubcriptionName, resourceGroup, subnet_name, name, direction, priority, destprefix, destport, sourceprefix, sourceport, description //, subscriptionId, rules.properties
| sort by SubcriptionName, resourceGroup asc, name, direction asc, priority asc
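If you run the query with the CLI (az graph query -q "…" -o json) you can post-process the rows instead of eyeballing them. The Python below is an added example, not part of the original post: it flags inbound Allow rules open from any source to any port, and skips rules that a lower-numbered deny-everything rule in the same NSG already shadows. It assumes you add an `access` column to the query (extend access = tostring(rules.properties.access)), since the query above does not project it, and the sample rows are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape `az graph query -q "<query>" -o json` returns for the
# page's projected columns. `access` is an assumption: the page's query does not project
# it, so add `extend access = tostring(rules.properties.access)` to get it.
SAMPLE_JSON = json.dumps({"data": [
    {"SubcriptionName": "prod", "resourceGroup": "production", "subnet_name": "web", "name": "nsg-web",
     "direction": "Inbound", "priority": 100, "access": "Allow", "destprefix": "*", "destport": "443",
     "sourceprefix": "Internet", "sourceport": "*", "description": "HTTPS from anywhere"},
    {"SubcriptionName": "prod", "resourceGroup": "production", "subnet_name": "web", "name": "nsg-web",
     "direction": "Inbound", "priority": 300, "access": "Allow", "destprefix": "*", "destport": "*",
     "sourceprefix": "*", "sourceport": "*", "description": "temp debug rule"},
    {"SubcriptionName": "prod", "resourceGroup": "testing", "subnet_name": "db", "name": "nsg-db",
     "direction": "Inbound", "priority": 100, "access": "Deny", "destprefix": "*", "destport": "*",
     "sourceprefix": "*", "sourceport": "*", "description": "deny all inbound"},
    {"SubcriptionName": "prod", "resourceGroup": "testing", "subnet_name": "db", "name": "nsg-db",
     "direction": "Inbound", "priority": 200, "access": "Allow", "destprefix": "*", "destport": "*",
     "sourceprefix": "*", "sourceport": "*", "description": "shadowed by the deny above"},
]})

ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # source values that mean "anyone"

def is_wildcard(value):
    return str(value) == "*"

def find_holes(rows):
    """Return (nsg, priority, description) for inbound Allow rules reachable from any
    source on any port that no earlier full-wildcard Deny rule in the same NSG shadows."""
    by_nsg = defaultdict(list)
    for r in rows:  # rules are evaluated per NSG and per direction
        by_nsg[(r["SubcriptionName"], r["resourceGroup"], r["name"], r["direction"])].append(r)
    holes = []
    for rules in by_nsg.values():
        rules.sort(key=lambda r: r["priority"])  # lowest number is evaluated first
        blocked = False  # set once a deny-everything rule has been passed
        for r in rules:
            any_src = r["sourceprefix"] in ANY_SOURCE
            if r["access"] == "Deny" and any_src and is_wildcard(r["destport"]) and is_wildcard(r["destprefix"]):
                blocked = True
            elif (r["direction"] == "Inbound" and r["access"] == "Allow" and any_src
                  and is_wildcard(r["destport"]) and not blocked):
                holes.append((r["name"], r["priority"], r["description"]))
    return holes

def holes_from_cli_output(raw):
    """Parse `az graph query` JSON output and return the holes it contains."""
    return find_holes(json.loads(raw)["data"])
```

Rules that use the plural destinationPortRanges/destinationAddressPrefixes fields are not covered by the query's singular columns, so extend both the query and the check if you rely on them.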
References
https://docs.microsoft.com/en-us/azure/governance/resource-graph/samples/advanced?tabs=azure-cli
___________________________________________________________________________________________________
Enjoy!
Regards
Thanks for sharing this, Thomas. It has been a great help to me.
Anytime, glad if it helped!
Is this destructive? What I mean is will it change anything in the NSG or anything like that?
No, it reads from the resource graph. Read-only.