A Python 3 command line tool to manage Azure Network Security Group Rules
A cutomer I was working with wanted a way to manage all their NSGs through a single (preferrably GUI) tool, so that a network admin/manager could edit them, without the need to know a scripting lanaguage or ARM. Azure NSGs are powerful, but while the platform provides versatile traffic rules, it doesn't provide a convenient visual way to manage them across multiple NSGs. I've made Grouper to provide a solution for that.
Grouper can:
- Save all the NSG rules in your current Azure subscription to a CSV File, so that you can manage them via Excel or any other CSV editor
- Generate ARM templates from the CSV file, which can be committed to your Source Control System. ARM Templates are idempotent, so it won't matter if you re-run the same template: it will have no more effects than running it a sigle time
- Generate CLI scripts from the CSV file for each NSG
- Generate a sample CSV file so you can experiment with Grouper
Grouper is an easy to use command line tool. It requires the Azure CLI installed and you must log in to the subscription for which you want to manage Network Security Group rules.
- Install python dependencies:
pip install -r requirements.txt - Install Azure CLI (if you don't already have it installed): https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
- Log in to your Azure subscription using the Azure CLI: az login
python app.py
This prints basic command help text to console.
Grouper will use the Azure CLI to query your subscription for NSG rules, and then parse the response to create a CSV file in the root of the Grouper application. This CSV file can become your management plane for editing or creating new NSG Rules, or simply a single pane of glass to see all the NSG rules in your subscription.
python app.py aznsg --csvfile azure-nsg.csv
You can then use Excel, Numbers, or any other editor to view or make edits to your NSG Rules, including adding rules, or modifying existing ones. Once you're done, use Grouper to create ARM Templates from your CSV file.
Note: Grouper will respect Azure protected rule priority numbers (65000, 65001, 65500), and will ignore rules given any of those priorities.
Editing your NSGs via CSV File is just the first step; Grouper allows you to export your CSV files as ARM Tempalates, which you can then check into your source control as valid and complete rules that can be applied manually via PowerShell/CI, in the Portal, or via your CI/CD pipeline. In that way, your exported ARM templates now become your Infrastructure as Code, while still maintaining an easy to use control plane (your CSV editor).
python app.py csvtoarm --csvfile azure-nsg.csv
The resulting ARM templates are exported to the output folder, as shown below:
CLI Scripts, like ARM Templates, are also idempotent and much easier to read as well. Grouper can export your CSV file to CLI Scripts, which can similarly be added to your source control and made part of your CI/CD pipeline. Your exported CLI scripts are then Infrastructure as Code.
The resulting CLI script areis exported to the output folder, as shown below:
Grouper can generate a sample CSV file so that you can experiment with editing the CSV File, and then generate ARM templates. The sample NSG Rules provide a nice playground to see how edits are converted to ARM templates.
python app.py generatecsv
Some of the future development ideas I'm toying with:
- More validations and tests
Export to CLIDone!- Apply templates rules across NSGs
- Export to PowerShell