Latest commit 2c18638 · Mar 1, 2022
network-watcher-security-group-view-rest.md
---
title: Analyze network security - Security Group View - Azure REST API
titleSuffix: Azure Network Watcher
description: This article describes how to use the Azure REST API to analyze a virtual machine's security with Security Group View.
services: network-watcher
documentationcenter: na
author: damendo
ms.service: network-watcher
ms.topic: how-to
ms.tgt_pltfrm: na
ms.workload: infrastructure-services
ms.date: 02/22/2017
ms.author: damendo
ms.custom: devx-track-azurepowershell
---

Analyze your Virtual Machine security with Security Group View using REST API

Note

The Security Group View API is no longer being maintained and will be deprecated soon. Please use the Effective Security Rules feature, which provides the same functionality.

Security group view returns the configured and effective network security rules that are applied to a virtual machine. This capability is useful for auditing and diagnosing the Network Security Groups and rules configured on a VM, to ensure traffic is being correctly allowed or denied. In this article, we show you how to retrieve the effective and applied security rules for a virtual machine using the REST API.

Before you begin

In this scenario, you call the Network Watcher REST API to get the security group view for a virtual machine. ARMClient is used to call the REST API from PowerShell. ARMClient is available from Chocolatey (see ARMClient on Chocolatey).

This scenario assumes you have already followed the steps in Create a Network Watcher to create a Network Watcher. The scenario also assumes that a Resource Group with a valid virtual machine exists to be used.

Scenario

The scenario covered in this article retrieves the effective and applied security rules for a given virtual machine.

Log in with ARMClient

```powershell
armclient login
```

Retrieve a virtual machine

Run the following script to return a virtual machine. The following code needs these variables:

  • subscriptionId - The subscription id can also be retrieved with the Get-AzSubscription cmdlet.
  • resourceGroupName - The name of a resource group that contains virtual machines.

```powershell
$subscriptionId = '<subscription id>'
$resourceGroupName = '<resource group name>'

# Lists every virtual machine in the resource group; the response contains the VM resource ids needed below
armclient get https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Compute/virtualMachines?api-version=2015-05-01-preview
```

The value you need is the id of the resource whose type is Microsoft.Compute/virtualMachines in the response, as shown in the following example:

```json
...,
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{nicName}"
            }
          ]
        },
        "provisioningState": "Succeeded"
      },
      "resources": [
        {
          "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/extensions/CustomScriptExtension"
        }
      ],
      "type": "Microsoft.Compute/virtualMachines",
      "location": "westcentralus",
      "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}",
      "name": "{vmName}"
    }
  ]
}
```

Get security group view for virtual machine

The following example requests the security group view of a targeted virtual machine. The results can be compared with the rules and security posture defined by the organization to look for configuration drift.

```powershell
$subscriptionId = "<subscription id>"
$resourceGroupName = "<resource group name>"
$networkWatcherName = "<network watcher name>"
$vmName = "<vm name>"
# The target is the VM resource id returned by the previous request.
# Example: /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Compute/virtualMachines/$vmName
$targetUri = "<uri of target resource>"

# The request body must be valid JSON, so the property and value use double quotes
$requestBody = @"
{
    "targetResourceId": "${targetUri}"
}
"@
armclient post "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/securityGroupView?api-version=2016-12-01" $requestBody -verbose
```

View the response

The following sample is the response returned from the preceding command. The results show all the effective and applied security rules on the virtual machine, broken down into the groups NetworkInterfaceSecurityRules, DefaultSecurityRules, and EffectiveSecurityRules.

```json
{
  "networkInterfaces": [
    {
      "securityRuleAssociations": {
        "networkInterfaceAssociation": {
          "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{nicName}",
          "securityRules": [
            {
              "name": "default-allow-rdp",
              "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}/securityRules/default-allow-rdp",
              "etag": "W/\"d4c411d4-0d62-49dc-8092-3d4b57825740\"",
              "properties": {
                "provisioningState": "Succeeded",
                "protocol": "TCP",
                "sourcePortRange": "*",
                "destinationPortRange": "3389",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "*",
                "access": "Allow",
                "priority": 1000,
                "direction": "Inbound"
              }
            }
          ]
        },
        "defaultSecurityRules": [
          {
            "name": "AllowVnetInBound",
            "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}/defaultSecurityRules/",
            "properties": {
              "provisioningState": "Succeeded",
              "description": "Allow inbound traffic from all VMs in VNET",
              "protocol": "*",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "VirtualNetwork",
              "destinationAddressPrefix": "VirtualNetwork",
              "access": "Allow",
              "priority": 65000,
              "direction": "Inbound"
            }
          },
          ...
        ],
        "effectiveSecurityRules": [
          {
            "name": "DefaultOutboundDenyAll",
            "protocol": "All",
            "sourcePortRange": "0-65535",
            "destinationPortRange": "0-65535",
            "sourceAddressPrefix": "*",
            "destinationAddressPrefix": "*",
            "access": "Deny",
            "priority": 65500,
            "direction": "Outbound"
          },
          ...
        ]
      }
    }
  ]
}
```
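The response above is only useful once something evaluates it. The following Python is an added example, not part of this article or of Network Watcher: it walks a constructed securityGroupView response shaped like the one shown, flags effective inbound Allow rules that open SSH or RDP to any source, and compares the NIC's configured rule names against an assumed organisational baseline to surface drift. The sample view, the management-port table and the baseline names are all made up for the example.

```python
import json

# Constructed sample shaped like the securityGroupView response above (not a real capture).
SAMPLE_VIEW = json.loads("""{"networkInterfaces": [{"securityRuleAssociations": {
  "networkInterfaceAssociation": {"securityRules": [{"name": "default-allow-rdp",
    "properties": {"protocol": "TCP", "destinationPortRange": "3389", "sourceAddressPrefix": "*",
    "access": "Allow", "priority": 1000, "direction": "Inbound"}}]},
  "effectiveSecurityRules": [
    {"name": "default-allow-rdp", "protocol": "Tcp", "sourcePortRange": "0-65535",
     "destinationPortRange": "3389-3389", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "access": "Allow", "priority": 1000, "direction": "Inbound"},
    {"name": "DefaultOutboundDenyAll", "protocol": "All", "sourcePortRange": "0-65535",
     "destinationPortRange": "0-65535", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "access": "Deny", "priority": 65500, "direction": "Outbound"}]}}]}""")

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}          # assumed list of ports worth flagging
ANY_SOURCE = ("*", "Internet", "0.0.0.0/0")          # prefixes that mean "reachable from anywhere"

def port_in_range(port, spec):
    """True if port matches an NSG port spec such as '*', '3389' or '0-65535'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def effective_rules(view):
    """Flatten effectiveSecurityRules across every NIC in the view."""
    return [r for nic in view["networkInterfaces"]
            for r in nic["securityRuleAssociations"]["effectiveSecurityRules"]]

def configured_rule_names(view):
    """Names of the NSG rules explicitly associated with each NIC."""
    return {r["name"] for nic in view["networkInterfaces"] for r in
            nic["securityRuleAssociations"]["networkInterfaceAssociation"]["securityRules"]}

def exposed_management_ports(view):
    """(rule, service, priority) for effective inbound Allow rules opening SSH/RDP to any source."""
    findings = []
    for r in effective_rules(view):
        if ((r["direction"], r["access"]) != ("Inbound", "Allow")
                or r["sourceAddressPrefix"] not in ANY_SOURCE):
            continue
        findings += [(r["name"], svc, r["priority"]) for port, svc in MANAGEMENT_PORTS.items()
                     if port_in_range(port, r["destinationPortRange"])]
    return findings

def drift(view, baseline_names):
    """Rule names present on the NIC but not in the approved baseline, and vice versa."""
    configured = configured_rule_names(view)
    return {"unexpected": sorted(configured - set(baseline_names)),
            "missing": sorted(set(baseline_names) - configured)}
```

Feed it the JSON saved from the armclient post call instead of SAMPLE_VIEW to run the same checks against a real VM.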

Next steps

Visit Auditing Network Security Groups (NSG) with Network Watcher to learn how to automate validation of Network Security Groups.