This blog post describes how to add an NSG rule from an Azure DevOps pipeline so that Azure DevOps can temporarily reach your subnet over WinRM, and how to remove that rule again once the pipeline is done with it. At the time of writing there is no "AzureDevOps" service tag that you can use in an NSG rule, so this is a workaround to give Azure DevOps temporary access to your deployment. I use WinRM to provision applications in my image management deployments.
Prerequisites
Access to Azure DevOps and the Azure DevOps Pipeline.
Able to add the “Azure CLI” task to the “builder” section of your Pipeline.
Permission to edit NSG rules.
Service Connection from your Azure DevOps Pipeline to your Azure Subscription.
Recommended: a Service Principal to connect to Azure from PowerShell. I have stored its credentials in my Azure Key Vault and linked them to the pipeline as secret variables, so they are not visible in logs or scripts.
Script Syntax
This is the syntax of the two scripts you add to the Azure DevOps pipeline. I use a Service Principal to authenticate to Azure PowerShell, because the "Azure CLI" task only signs in the az CLI with the service connection, not the Az PowerShell modules. (The "Azure PowerShell" task would sign in Az PowerShell with the service connection directly, in which case the Connect-AzAccount part of the scripts is not needed.)
NOTE: The "Implementation and an Example" section below shows where these scripts go in the pipeline.
Script for adding the NSG Rule:
```powershell
# Make sure the NuGet provider and the Az modules the script needs are present on the agent.
# -notcontains is an exact name check; the original -notmatch on an array returns the
# non-matching elements, which is truthy as soon as any other module is installed.
$installedPackageProvider = Get-PackageProvider
if ($installedPackageProvider.Name -notcontains "NuGet") {
    Install-PackageProvider -Name NuGet -Force
    Write-Host "Installed package provider NuGet"
}
$installedModules = Get-InstalledModule
if ($installedModules.Name -notcontains "Az.Accounts") {
    Install-Module Az.Accounts -Force -AllowClobber
    Write-Host "Installed PowerShell module Az.Accounts"
}
if ($installedModules.Name -notcontains "Az.Network") {
    Install-Module Az.Network -Force -AllowClobber
    Write-Host "Installed PowerShell module Az.Network"
}

# Sign in with the service principal whose credentials come from the Key Vault-backed pipeline variables.
$secret     = ConvertTo-SecureString -String "$(SECRETFROMKEYVAULT)" -AsPlainText -Force
$username   = "$(USERNAMEFROMKEYVAULT)"
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $username, $secret
Connect-AzAccount -Credential $Credential -Tenant "$(TENANTIDFROMKEYVAULT)" -ServicePrincipal
Set-AzContext -SubscriptionId "$(SUBSCRIPTIONIDFROMKEYVAULT)"

$RGname   = "RESOURCEGROUPNAME"
$port     = "443;5986"        # 5986 is WinRM over HTTPS
$rulename = "NSGRULENAME"
$nsgname  = "NSGNAME"

$nsg = Get-AzNetworkSecurityGroup -Name $nsgname -ResourceGroupName $RGname
if ($nsg.SecurityRules.Name -notcontains $rulename) {
    # SourceAddressPrefix * opens these ports to every source, not only to Azure DevOps,
    # for as long as the rule exists. Keep that window short and always run the removal script.
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $rulename -Description "Azure DevOps Inbound" `
        -Access Allow -Protocol * -Direction Inbound -Priority 110 `
        -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange $port.Split(";")
    Write-Host "Creating new NSG Rule" -ForegroundColor Magenta
    $nsg | Set-AzNetworkSecurityGroup
} else {
    Write-Host "NSG Rule Already Exists" -ForegroundColor Yellow
}
```
To remove the NSG rule use the following script:
```powershell
# Same module bootstrap and sign-in as in the first script.
$installedPackageProvider = Get-PackageProvider
if ($installedPackageProvider.Name -notcontains "NuGet") {
    Install-PackageProvider -Name NuGet -Force
    Write-Host "Installed package provider NuGet"
}
$installedModules = Get-InstalledModule
if ($installedModules.Name -notcontains "Az.Accounts") {
    Install-Module Az.Accounts -Force -AllowClobber
    Write-Host "Installed PowerShell module Az.Accounts"
}
if ($installedModules.Name -notcontains "Az.Network") {
    Install-Module Az.Network -Force -AllowClobber
    Write-Host "Installed PowerShell module Az.Network"
}

$secret     = ConvertTo-SecureString -String "$(SECRETFROMKEYVAULT)" -AsPlainText -Force
$username   = "$(USERNAMEFROMKEYVAULT)"
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $username, $secret
Connect-AzAccount -Credential $Credential -Tenant "$(TENANTIDFROMKEYVAULT)" -ServicePrincipal
Set-AzContext -SubscriptionId "$(SUBSCRIPTIONIDFROMKEYVAULT)"

$RGname   = "RESOURCEGROUPNAME"
$rulename = "NSGRULENAME"
$nsgname  = "NSGNAME"

# Remove the temporary rule and write the NSG back. The guard makes the script safe to
# re-run when the rule is already gone.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgname -ResourceGroupName $RGname
if ($nsg.SecurityRules.Name -contains $rulename) {
    Remove-AzNetworkSecurityRuleConfig -Name $rulename -NetworkSecurityGroup $nsg
    $nsg | Set-AzNetworkSecurityGroup
    Write-Host "Removed NSG Rule $rulename" -ForegroundColor Magenta
} else {
    Write-Host "NSG Rule $rulename not present, nothing to remove" -ForegroundColor Yellow
}
```
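The scripts above open ports 443 and 5986 from any source to the whole NSG while the rule exists. The following is an added example, not one of the post's own scripts, that narrows the window: it looks up the public IPv4 address the build agent egresses from, allows only that /32 into the target subnet's address prefix on TCP 5986, overwrites a stale rule left behind by a failed earlier run, and reads the NSG back after each change. It assumes the Az.Network module is loaded and the session is already signed in (either by the Connect-AzAccount block from the scripts above or by the "Azure PowerShell" task); the VNet and subnet names, the ipify echo service, and the function names are assumptions for the example.

```powershell
# Added example: temporary, source-scoped WinRM rule. Not the original post's script.
$ErrorActionPreference = 'Stop'

$RGname     = 'RESOURCEGROUPNAME'
$nsgName    = 'NSGNAME'
$vnetName   = 'VNETNAME'     # assumed: the VNet that holds the subnet being provisioned
$subnetName = 'SUBNETNAME'   # assumed
$ruleName   = 'NSGRULENAME'
$ports      = @('5986')      # WinRM over HTTPS; add '443' only if the provisioning step needs it
$priority   = 110

function Get-AgentPublicIPv4 {
    # Ask an external echo service (ipify is an assumption; any equivalent endpoint works)
    # which address this agent egresses from, and refuse anything that is not a single IPv4.
    $ip = (Invoke-RestMethod -Uri 'https://api.ipify.org?format=json' -TimeoutSec 15).ip
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Echo service returned '$ip', which is not an IPv4 address; refusing to open the NSG."
    }
    return $parsed.IPAddressToString
}

function Add-TemporaryWinRmRule {
    $sourceCidr = "$(Get-AgentPublicIPv4)/32"
    $vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $RGname
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
    $nsg    = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $RGname

    $ruleArgs = @{
        Name                     = $ruleName
        Description              = "Azure DevOps WinRM, build $env:BUILD_BUILDID"  # predefined pipeline variable
        Access                   = 'Allow'
        Protocol                 = 'Tcp'                 # WinRM is TCP only; no need for *
        Direction                = 'Inbound'
        Priority                 = $priority
        SourceAddressPrefix      = $sourceCidr           # this agent only, not *
        SourcePortRange          = '*'
        DestinationAddressPrefix = [string[]]$subnet.AddressPrefix   # the target subnet only, not *
        DestinationPortRange     = $ports
    }

    $existing = $nsg.SecurityRules | Where-Object { $_.Name -eq $ruleName }
    if ($null -ne $existing) {
        # A leftover rule from a failed run points at a stale agent address; overwrite it.
        Write-Host "Rule $ruleName exists, updating source to $sourceCidr"
        $nsg | Set-AzNetworkSecurityRuleConfig @ruleArgs | Out-Null
    } else {
        Write-Host "Creating rule $ruleName for $sourceCidr"
        $nsg | Add-AzNetworkSecurityRuleConfig @ruleArgs | Out-Null
    }
    $nsg = $nsg | Set-AzNetworkSecurityGroup

    # Read back and verify before the WinRM step depends on it.
    $written = $nsg.SecurityRules | Where-Object { $_.Name -eq $ruleName }
    if ($null -eq $written -or @($written.SourceAddressPrefix) -notcontains $sourceCidr) {
        throw "NSG rule $ruleName was not written as expected."
    }
}

function Remove-TemporaryWinRmRule {
    $nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $RGname
    if (-not ($nsg.SecurityRules | Where-Object { $_.Name -eq $ruleName })) {
        Write-Host "Rule $ruleName not present, nothing to remove"
        return
    }
    $nsg | Remove-AzNetworkSecurityRuleConfig -Name $ruleName | Set-AzNetworkSecurityGroup | Out-Null

    # Confirm the rule is really gone; a failure here should fail the pipeline loudly.
    $check = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $RGname
    if ($check.SecurityRules | Where-Object { $_.Name -eq $ruleName }) {
        throw "NSG rule $ruleName is still present after removal."
    }
}
```

Paste the block into the first task followed by a call to Add-TemporaryWinRmRule, and into the second task followed by Remove-TemporaryWinRmRule. Because the allowed source is the agent's own address, both tasks and the WinRM provisioning step between them must run in the same job, so that they share one agent; Microsoft-hosted agents get a different address per job, which is exactly why a fixed source prefix cannot be hard-coded and the lookup has to happen at run time.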
Implementation and an Example
Firstly, log on to your Azure DevOps environment, for example https://dev.azure.com/contoso.
Secondly, open the pipeline for your image management and click Edit.
Add two Azure CLI tasks: one placed before the provisioning step that needs WinRM, and one placed after it. You can drag the tasks into position in the task list.
In addition, this is how you configure both Azure CLI tasks.
Firstly, the “Create NSG Rule for Inbound WinRM”:
Display name: Fill in the name you would like to name your task.
Azure Resource Manager Connection: Select the subscription where you want to create the NSG Rule.
Script Type: Powershell
Script Location: Inline script
Inline Script: The script above that add the NSG Rule (The first script)
Secondly, the "Remove NSG Rule for Inbound WinRM":
Display name: Fill in the name you would like to give your task.
Azure Resource Manager Connection: Select the subscription where the NSG rule was created.
Script Type: PowerShell
Script Location: Inline script
Inline Script: The script above that removes the NSG rule (the second script)
Control Options: Set "Run this task" to "Even if a previous task has failed". Otherwise a failed provisioning step skips this task and leaves the inbound rule in place until someone notices. In a YAML pipeline the equivalent is condition: always() on the removal task.
And that is how you dynamically add and remove NSG rules from an Azure DevOps pipeline.