Add NSG Rule via Azure DevOps Pipeline

This blog post describes how to add an NSG rule via an Azure DevOps pipeline to temporarily give Azure DevOps WinRM access to your subnet. At the time of writing the "AzureDevOps" service tag, which you could otherwise use in an NSG rule, is not available. This is a workaround that gives Azure DevOps access to your deployment only for the duration of the pipeline run. I use WinRM to provision applications in my Image Management deployments.

Prerequisites

Access to Azure DevOps and the Azure DevOps Pipeline.

Able to add the “Azure CLI” task to the “builder” section of your Pipeline.

Permission to edit NSG rules.

Service Connection from your Azure DevOps Pipeline to your Azure Subscription.

Recommended: A Service Principal to connect via PowerShell to Azure. I have put these in my Azure Key Vault; as a result they are not visible in logs or scripts.

Script Syntax

This is the syntax of the scripts you need to add to the Azure DevOps pipeline. I have used a Service Principal to authenticate to Azure PowerShell.

NOTE: See the Implementation section below for an example of putting these scripts into a pipeline.

Script for adding the NSG Rule:

# Make sure the NuGet provider and the Az modules this script needs are present on the agent.
# -notcontains compares whole names; -notmatch on an array would return the non-matching
# elements and the "if" would then be true as soon as any other provider or module is installed.
$installedPackageProvider = Get-PackageProvider
if ($installedPackageProvider.Name -notcontains "NuGet") {
    Install-PackageProvider -Name NuGet -Force
    Write-Host "Install package provider NuGet"
}
$installedModules = Get-InstalledModule
if ($installedModules.Name -notcontains "Az.Accounts") {
    Install-Module Az.Accounts -Force -AllowClobber
    Write-Host "Install powershell module Az.Accounts"
}
if ($installedModules.Name -notcontains "Az.Network") {
    Install-Module Az.Network -Force -AllowClobber
    Write-Host "Install powershell module Az.Network"
}

# Service Principal credentials. The $(...) tokens are Azure DevOps pipeline variables
# linked to Key Vault secrets; they are substituted before the script runs.
$secret = ConvertTo-SecureString -String "$(SECRETFROMKEYVAULT)" -AsPlainText -Force
$username = "$(USERNAMEFROMKEYVAULT)"

$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $username, $secret

Connect-AzAccount -Credential $Credential -Tenant "$(TENANTIDFROMKEYVAULT)" -ServicePrincipal

Set-AzContext -SubscriptionId "$(SUBSCRIPTIONIDFROMKEYVAULT)"

$RGname = "RESOURCEGROUPNAME"
$port = "443;5986"            # destination ports to open, separated by ";"
$rulename = "NSGRULENAME"
$nsgname = "NSGNAME"

$nsg = Get-AzNetworkSecurityGroup -Name $nsgname -ResourceGroupName $RGname

# Add the rule only when it is not there yet, then write the changed NSG back to Azure.
if ($nsg.SecurityRules.Name -notcontains $rulename) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $rulename -Description "Azure DevOps Inbound" -Access Allow -Protocol * -Direction Inbound -Priority 110 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange $port.Split(";")
    Write-Host "Creating new NSG Rule" -ForegroundColor Magenta
    $nsg | Set-AzNetworkSecurityGroup
}
else {
    Write-Host "NSG Rule Already Exists" -ForegroundColor Yellow
}

To remove the NSG rule use the following script:

# Same module bootstrap as in the first script.
$installedPackageProvider = Get-PackageProvider
if ($installedPackageProvider.Name -notcontains "NuGet") {
    Install-PackageProvider -Name NuGet -Force
    Write-Host "Install package provider NuGet"
}
$installedModules = Get-InstalledModule
if ($installedModules.Name -notcontains "Az.Accounts") {
    Install-Module Az.Accounts -Force -AllowClobber
    Write-Host "Install powershell module Az.Accounts"
}
if ($installedModules.Name -notcontains "Az.Network") {
    Install-Module Az.Network -Force -AllowClobber
    Write-Host "Install powershell module Az.Network"
}

# Service Principal credentials from the Key Vault-linked pipeline variables.
$secret = ConvertTo-SecureString -String "$(SECRETFROMKEYVAULT)" -AsPlainText -Force
$username = "$(USERNAMEFROMKEYVAULT)"

$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $username, $secret

Connect-AzAccount -Credential $Credential -Tenant "$(TENANTIDFROMKEYVAULT)" -ServicePrincipal

Set-AzContext -SubscriptionId "$(SUBSCRIPTIONIDFROMKEYVAULT)"

$RGname = "RESOURCEGROUPNAME"
$rulename = "NSGRULENAME"
$nsgname = "NSGNAME"

$nsg = Get-AzNetworkSecurityGroup -Name $nsgname -ResourceGroupName $RGname

# Remove the rule only if it is present, then write the changed NSG back to Azure.
if ($nsg.SecurityRules.Name -contains $rulename) {
    Remove-AzNetworkSecurityRuleConfig -Name $rulename -NetworkSecurityGroup $nsg
    Write-Host "Removing NSG Rule" -ForegroundColor Magenta
    $nsg | Set-AzNetworkSecurityGroup
}
else {
    Write-Host "NSG Rule Not Found" -ForegroundColor Yellow
}
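The two scripts above share all of their setup and differ only in the add or remove step, and both open the rule to any source address (-SourceAddressPrefix *). The function below is an added example, not the blog's own script: it folds both steps into one parameterized command and adds the two things a practitioner would want here. The source prefix is narrowed to the build agent's own egress IP, resolved by the hypothetical helper Get-AgentPublicIp (assumption: the agent can reach https://api.ipify.org), and after Set-AzNetworkSecurityGroup the NSG is read back so the task fails if the rule is not in the expected state. It assumes Az.Network is loaded and that Connect-AzAccount and Set-AzContext have already run exactly as in the scripts above; the resource names are placeholders.

```powershell
# Added example (not from the blog). Assumes Az.Network is loaded and the Azure context
# is already set, as in the scripts above.

function Get-AgentPublicIp {
    # Hypothetical helper: returns the egress IPv4 address of the machine running this
    # script as a /32 prefix. Assumption: https://api.ipify.org is reachable from the agent.
    $ip = (Invoke-RestMethod -Uri 'https://api.ipify.org' -TimeoutSec 10).Trim()
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "Unexpected response while resolving the agent public IP: '$ip'"
    }
    return "$ip/32"
}

function Set-TemporaryDevOpsRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('Add', 'Remove')] [string] $Action,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $NsgName,
        [Parameter(Mandatory)] [string] $RuleName,
        [string[]] $DestinationPorts = @('443', '5986'),   # same ports as the blog's "443;5986"
        [int] $Priority = 110,
        [string] $SourcePrefix = ''                         # empty = use the agent's own IP
    )

    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
    $existing = $nsg.SecurityRules | Where-Object Name -eq $RuleName

    switch ($Action) {
        'Add' {
            if ($existing) {
                Write-Host "Rule '$RuleName' already exists; leaving it unchanged"
            }
            else {
                if (-not $SourcePrefix) { $SourcePrefix = Get-AgentPublicIp }
                # WinRM is TCP only, so there is no reason to allow every protocol.
                $nsg | Add-AzNetworkSecurityRuleConfig -Name $RuleName `
                    -Description "Azure DevOps Inbound (temporary, agent $SourcePrefix)" `
                    -Access Allow -Protocol Tcp -Direction Inbound -Priority $Priority `
                    -SourceAddressPrefix $SourcePrefix -SourcePortRange '*' `
                    -DestinationAddressPrefix '*' -DestinationPortRange $DestinationPorts | Out-Null
                Write-Host "Adding rule '$RuleName' for $SourcePrefix on TCP $($DestinationPorts -join ',')"
            }
        }
        'Remove' {
            if (-not $existing) {
                Write-Host "Rule '$RuleName' not present; nothing to remove"
            }
            else {
                Remove-AzNetworkSecurityRuleConfig -Name $RuleName -NetworkSecurityGroup $nsg | Out-Null
                Write-Host "Removing rule '$RuleName'"
            }
        }
    }

    # Push the change and read the NSG back so the pipeline log reflects the real state.
    $nsg = $nsg | Set-AzNetworkSecurityGroup
    $after = $nsg.SecurityRules | Where-Object Name -eq $RuleName
    if ($Action -eq 'Add' -and -not $after) { throw "Rule '$RuleName' was not created" }
    if ($Action -eq 'Remove' -and $after)   { throw "Rule '$RuleName' is still present" }
    return $after
}

# First task (placeholders as in the blog's scripts):
# Set-TemporaryDevOpsRule -Action Add -ResourceGroupName 'RESOURCEGROUPNAME' -NsgName 'NSGNAME' -RuleName 'NSGRULENAME'
# Second task, after the WinRM provisioning step:
# Set-TemporaryDevOpsRule -Action Remove -ResourceGroupName 'RESOURCEGROUPNAME' -NsgName 'NSGNAME' -RuleName 'NSGRULENAME'
```

Narrowing the source only helps when the task that opens the rule and the WinRM step run on the same agent in the same job; with Microsoft-hosted agents a different job may get a different address, in which case pass -SourcePrefix explicitly with the address range you know the agents use.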

Implementation and an Example

Firstly, log on to your Azure DevOps environment, for example https://dev.azure.com/contoso.

Secondly, go to your Pipeline for your Image Management:

[Screenshot: Azure DevOps Pipelines]

And click edit:

[Screenshot: Azure DevOps Pipelines edit]

Add 2 Azure CLI tasks:

[Screenshot: Add Azure CLI Tasks]

This is the result (you can reorder the tasks by dragging them):

[Screenshot: Add NSG Rule via Azure DevOps Pipeline]

In addition, this is how you configure both Azure CLI tasks.

Firstly, the “Create NSG Rule for Inbound WinRM”:

[Screenshot: Azure CLI task for NSG]

Display name: Fill in the name you would like to name your task.

Azure Resource Manager Connection: Select the subscription where you want to create the NSG Rule.

Script Type: Powershell

Script Location: Inline script

Inline Script: the script above that adds the NSG rule (the first script).

Secondly, the “Remove NSG Rule for Inbound WinRM”:

Display name: Fill in the name you would like to name your task.

Azure Resource Manager Connection: Select the subscription in which the NSG Rule was created.

Script Type: Powershell

Script Location: Inline script

Inline Script: the script above that removes the NSG rule (the second script).

And that is how you dynamically add and remove NSG Rules via Azure DevOps Pipeline.
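One caveat with two separate tasks: if the pipeline fails between them (for example because the WinRM provisioning step errors out), the remove task never runs and the inbound rule stays open. In the classic editor the remove task's Control Options can be set to run even if a previous task has failed. As a second safety net, the script below, an added example and not part of the blog, audits the current subscription for inbound Allow rules that carry the "Azure DevOps Inbound" description used by the scripts above, flags those whose source is unrestricted, and can optionally delete them; it is meant for a scheduled pipeline or a run on a jump host. It assumes Connect-AzAccount and Set-AzContext have already run and that Az.Network is loaded.

```powershell
# Added example (not from the blog). Assumes the Azure context is already set, as in the
# scripts above, and that Az.Network is loaded.

function Find-LeftoverDevOpsRules {
    [CmdletBinding()]
    param(
        # Substring of the rule description the add script writes.
        [string] $DescriptionPattern = 'Azure DevOps Inbound',
        # Delete every matching rule instead of only reporting it.
        [switch] $Remove
    )

    # Source prefixes that mean "anyone on the internet".
    $broadSources = @('*', '0.0.0.0/0', 'Internet')
    $findings = @()

    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        $hits = @($nsg.SecurityRules | Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
            $_.Description -like "*$DescriptionPattern*"
        })
        foreach ($rule in $hits) {
            $findings += [pscustomobject]@{
                ResourceGroup = $nsg.ResourceGroupName
                Nsg           = $nsg.Name
                Rule          = $rule.Name
                Source        = ($rule.SourceAddressPrefix -join ',')
                Ports         = ($rule.DestinationPortRange -join ',')
                BroadSource   = [bool]($rule.SourceAddressPrefix | Where-Object { $broadSources -contains $_ })
            }
        }
        if ($Remove -and $hits.Count -gt 0) {
            foreach ($rule in $hits) {
                Remove-AzNetworkSecurityRuleConfig -Name $rule.Name -NetworkSecurityGroup $nsg | Out-Null
            }
            # One write per NSG, after all of its leftover rules are dropped.
            $nsg | Set-AzNetworkSecurityGroup | Out-Null
        }
    }
    return $findings
}

# Report, and make a scheduled pipeline fail when a wide-open rule was left behind.
$leftovers = Find-LeftoverDevOpsRules
$leftovers | Format-Table -AutoSize
if ($leftovers | Where-Object BroadSource) {
    Write-Error "Temporary Azure DevOps NSG rule(s) with an unrestricted source are still present"
    exit 1
}
```

Run it without -Remove first to see what it would touch; the description match is the only thing tying a rule to the pipeline, so if you change the -Description text in the add script, change -DescriptionPattern to match.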
