
How to open and close a port for my LZ with commands

This document explains how to script the management of network flows to your subnet inside your subscription, with Ansible or the az CLI, by creating a network security group (NSG) and the rules that open or close ports on it.

Az authentication

First you need to authenticate to Azure.

Az authentication options:

  • use az login (for the az CLI):

    az login -u <username> -p <password>

    Passing -p <password> on the command line leaves the password in your shell history and visible in the process list, so prefer a plain interactive az login, or, for automation, a service principal with az login --service-principal (with its client id, secret and --tenant).

  • use environment variables (read by the Ansible azure.azcollection modules):

    export AZURE_CLIENT_ID=<service_principal_client_id>
    export AZURE_SECRET=<service_principal_password>
    export AZURE_SUBSCRIPTION_ID=<azure_subscription_id>
    export AZURE_TENANT=<azure_tenant_id>

  • use a credentials file: $HOME/.azure/credentials (also read by the Ansible modules; keep it readable by your user only, e.g. chmod 600). The tenant is required when authenticating with a service principal:

    [default]
    subscription_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    secret=xxxxxxxxxxxxxxxxx
    tenant=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Ansible

First, install the Azure collection on the host that runs the playbook, with this command (the collection also needs the Azure Python SDK packages listed in its requirements file, installed with pip into the interpreter Ansible uses):

ansible-galaxy collection install azure.azcollection

Then add the following task to your playbook/role. It creates a security group with an inbound rule that allows port <port_number> on your subnet from RIE FR (the 10.59.0.0/16 range):

  - azure.azcollection.azure_rm_securitygroup:
      resource_group: myResourceGroup
      name: nsg-app-1
      purge_rules: yes        # rules not listed below are removed from the NSG on each run
      rules:
        - name: Allow-<port_number>
          protocol: Tcp       # can be Icmp, Tcp, Udp or "*"
          destination_port_range: <port_number>
          source_address_prefix: 10.59.0.0/16
          access: Allow
          priority: 300       # must be unique within the NSG; 100 is the highest priority (the lowest number wins) and the allowed range is 100-4096. We recommend spacing rule priorities by 100: 100, 200, 300, ...
          direction: Inbound

    Add rules to the list as needed; the task is idempotent, so re-run the playbook to update the security group.

    Use the following tag to mark the security group and its rules for later removal. The tags key of this module sets Azure resource tags on the NSG (not Ansible task tags), and the tag itself does not delete anything:

      tags:
        delete: on-exit

Example: opening 80, 8080 and 443 on your web app hosted in your subscription

  - azure.azcollection.azure_rm_securitygroup:
      resource_group: myResourceGroup
      name: nsg-webapp
      purge_rules: yes
      rules:
        - name: AllowHTTP
          protocol: Tcp
          destination_port_range: ["80", "8080"]
          source_address_prefix: 10.59.0.0/16
          access: Allow
          priority: 200
          direction: Inbound
        - name: AllowHTTPS
          protocol: Tcp
          destination_port_range: 443
          source_address_prefix: 10.59.0.0/16
          access: Allow
          priority: 300
          direction: Inbound
      tags:
        delete: on-exit

To remove a security group, keep the task and set state: absent on it: removing the task from the playbook does not delete an NSG that already exists in Azure. To remove individual rules, delete them from the rules list; with purge_rules: yes they are removed from the NSG on the next run. Note that a security group only filters traffic once it is associated with your subnet (azure_rm_subnet, security_group parameter) or with a NIC.

Using az cli

Create an NSG with this command:

az network nsg create -g myResourceGroup -n nsg-app-1

Update the previous NSG to add a rule that opens the port on your subnet (--protocol Tcp matches the Ansible rule above; without it the rule matches all protocols, and --direction defaults to Inbound):

az network nsg rule create -g myResourceGroup --nsg-name nsg-app-1 -n allow-<port_number> --protocol Tcp --source-address-prefixes 10.59.0.0/16 --destination-port-ranges <port_number> --access Allow --priority 300

Example: opening 80, 8080 and 443 on your web app hosted in your subscription

az network nsg create -g myResourceGroup -n nsg-webapp
az network nsg rule create -g myResourceGroup --nsg-name nsg-webapp -n allowHTTP --protocol Tcp --source-address-prefixes 10.59.0.0/16 --destination-port-ranges 80 8080 --access Allow --priority 200
az network nsg rule create -g myResourceGroup --nsg-name nsg-webapp -n allowHTTPS --protocol Tcp --source-address-prefixes 10.59.0.0/16 --destination-port-ranges 443 --access Allow --priority 300

Example: temporarily close a port

Switching the existing rules to Deny keeps their names and priorities, so reopening later is a single command per rule:

az network nsg rule update -g myResourceGroup --nsg-name nsg-webapp -n allowHTTP --access Deny
az network nsg rule update -g myResourceGroup --nsg-name nsg-webapp -n allowHTTPS --access Deny

When you are ready you can reopen these ports with the reverse operation:

az network nsg rule update -g myResourceGroup --nsg-name nsg-webapp -n allowHTTP --access Allow
az network nsg rule update -g myResourceGroup --nsg-name nsg-webapp -n allowHTTPS --access Allow
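As an added example (not code from the original page), the following bash wrapper puts the az CLI steps above into functions that enforce this page's conventions: inbound source restricted to the RIE FR range 10.59.0.0/16, TCP only, priorities on the 100-step grid within Azure's 100-4096 range, and Allow/Deny toggling for temporary closures. It also attaches the NSG to a subnet, which the commands above do not do and without which the rules filter nothing. With DRY_RUN=1 (the default here) each function prints the az command it would run instead of executing it, so the script can be checked without a subscription; set DRY_RUN=0 to execute. The resource group, VNet and subnet names (myResourceGroup, vnet-lz, snet-web) are placeholders.

```shell
#!/usr/bin/env bash
# Added example: wrapper around `az network nsg` enforcing the conventions of this page.
# DRY_RUN=1 prints commands instead of running them (no subscription needed).
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-myResourceGroup}"          # placeholder resource group
RIE_FR_PREFIX="10.59.0.0/16"         # only source range allowed inbound on this LZ

# Print or execute an az command depending on DRY_RUN.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Reject priorities outside Azure's 100-4096 range or off the 100-step grid used here.
check_priority() {
  prio="$1"
  case "$prio" in
    ''|*[!0-9]*) echo "priority must be numeric: $prio" >&2; return 1 ;;
  esac
  if [ "$prio" -lt 100 ] || [ "$prio" -gt 4096 ]; then
    echo "priority out of range 100-4096: $prio" >&2; return 1
  fi
  if [ $((prio % 100)) -ne 0 ]; then
    echo "priority must be a multiple of 100 (100, 200, 300, ...): $prio" >&2; return 1
  fi
}

# nsg_create <nsg-name>: create the security group (idempotent on the Azure side).
nsg_create() {
  run_az network nsg create -g "$RG" -n "$1"
}

# nsg_open <nsg> <rule-name> <priority> <port> [port...]: allow TCP ports from RIE FR.
nsg_open() {
  nsg="$1"; rule="$2"; prio="$3"; shift 3
  check_priority "$prio" || return 1
  run_az network nsg rule create -g "$RG" --nsg-name "$nsg" -n "$rule" \
    --priority "$prio" --direction Inbound --protocol Tcp --access Allow \
    --source-address-prefixes "$RIE_FR_PREFIX" --destination-port-ranges "$@"
}

# nsg_set_access <nsg> <rule-name> Allow|Deny: temporarily close or reopen an existing
# rule; the rule keeps its name and priority, so reopening is the same call with Allow.
nsg_set_access() {
  case "$3" in
    Allow|Deny) ;;
    *) echo "access must be Allow or Deny: $3" >&2; return 1 ;;
  esac
  run_az network nsg rule update -g "$RG" --nsg-name "$1" -n "$2" --access "$3"
}

# nsg_attach_subnet <nsg> <vnet> <subnet>: an NSG filters traffic only once attached.
nsg_attach_subnet() {
  run_az network vnet subnet update -g "$RG" --vnet-name "$2" -n "$3" --network-security-group "$1"
}

# nsg_rules <nsg>: list the effective rules, to verify the result of the calls above.
nsg_rules() {
  run_az network nsg rule list -g "$RG" --nsg-name "$1" -o table
}

# Walk through the page's web app example when invoked as: ./nsg.sh demo
if [ "${1:-}" = "demo" ]; then
  nsg_create nsg-webapp
  nsg_open nsg-webapp allowHTTP 200 80 8080
  nsg_open nsg-webapp allowHTTPS 300 443
  nsg_attach_subnet nsg-webapp vnet-lz snet-web   # placeholder VNet/subnet names
  nsg_set_access nsg-webapp allowHTTP Deny        # temporary closure
  nsg_set_access nsg-webapp allowHTTP Allow       # reopen
  nsg_rules nsg-webapp
fi
```

Run `DRY_RUN=1 ./nsg.sh demo` to review the exact commands before pointing it at a real subscription; the priority and access checks fail fast so a typo such as priority 250 or access Block never reaches az.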