| title | description | author | ms.service | ms.topic | ms.date | ms.author | ms.custom |
|---|---|---|---|---|---|---|---|
Move Azure network security group (NSG) to another Azure region using Azure PowerShell |
Use Azure Resource Manager template to move Azure network security group from one Azure region to another using Azure PowerShell. |
asudbring |
virtual-network |
how-to |
08/31/2019 |
allensu |
devx-track-azurepowershell |
There are various scenarios in which you'd want to move your existing NSGs from one region to another. For example, you may want to create an NSG with the same configuration and security rules for testing. You may also want to move an NSG to another region as part of disaster recovery planning.
Azure security groups can't be moved from one region to another. You can however, use an Azure Resource Manager template to export the existing configuration and security rules of an NSG. You can then stage the resource in another region by exporting the NSG to a template, modifying the parameters to match the destination region, and then deploy the template to the new region. For more information on Resource Manager and templates, see Export resource groups to templates.
-
Make sure that the Azure network security group is in the Azure region from which you want to move.
-
Azure network security groups can't be moved between regions. You'll have to associate the new NSG to resources in the target region.
-
To export an NSG configuration and deploy a template to create an NSG in another region, you'll need the Network Contributor role or higher.
-
Identify the source networking layout and all the resources that you're currently using. This layout includes but isn't limited to load balancers, public IPs, and virtual networks.
-
Verify that your Azure subscription allows you to create NSGs in the target region that's used. Contact support to enable the required quota.
-
Make sure that your subscription has enough resources to support the addition of NSGs for this process. See Azure subscription and service limits, quotas, and constraints.
The following steps show how to prepare the network security group for the configuration and security rule move using a Resource Manager template, and move the NSG configuration and security rules to the target region using Azure PowerShell.
[!INCLUDE updated-for-az]
-
Sign in to your Azure subscription with the Connect-AzAccount command and follow the on-screen directions:
Connect-AzAccount -
Obtain the resource ID of the NSG you want to move to the target region and place it in a variable using Get-AzNetworkSecurityGroup:
$sourceNSGID = (Get-AzNetworkSecurityGroup -Name <source-nsg-name> -ResourceGroupName <source-resource-group-name>).Id -
Export the source NSG to a .json file into the directory where you execute the command Export-AzResourceGroup:
Export-AzResourceGroup -ResourceGroupName <source-resource-group-name> -Resource $sourceNSGID -IncludeParameterDefaultValue -
The file downloaded will be named after the resource group the resource was exported from. Locate the file that was exported from the command named <resource-group-name>.json and open it in an editor of your choice:
notepad <source-resource-group-name>.json -
To edit the parameter of the NSG name, change the property defaultValue of the source NSG name to the name of your target NSG, ensure the name is in quotes:
{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "networkSecurityGroups_myVM1_nsg_name": { "defaultValue": "<target-nsg-name>", "type": "String" } } -
To edit the target region where the NSG configuration and security rules will be moved, change the location property under resources:
"resources": [ { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2019-06-01", "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]", "location": "<target-region>", "properties": { "provisioningState": "Succeeded", "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78", } }
-
To obtain region location codes, you can use the Azure PowerShell cmdlet Get-AzLocation by running the following command:
Get-AzLocation | format-table -
You can also change other parameters in the <resource-group-name>.json if you choose, and are optional depending on your requirements:
-
Security rules - You can edit which rules are deployed into the target NSG by adding or removing rules to the securityRules section in the <resource-group-name>.json file:
"resources": [ { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2019-06-01", "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]", "location": "TARGET REGION", "properties": { "provisioningState": "Succeeded", "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78", "securityRules": [ { "name": "RDP", "etag": "W/\"c630c458-6b52-4202-8fd7-172b7ab49cf5\"", "properties": { "provisioningState": "Succeeded", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "3389", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Allow", "priority": 300, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } ] }
To complete the addition or the removal of the rules in the target NSG, you must also edit the custom rule types at the end of the <resource-group-name>.json file in the format of the example below:
{ "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2019-06-01", "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Port_80')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_myVM1_nsg_name'))]" ], "properties": { "provisioningState": "Succeeded", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "80", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Allow", "priority": 310, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] }
-
-
Save the <resource-group-name>.json file.
-
Create a resource group in the target region for the target NSG to be deployed using New-AzResourceGroup:
New-AzResourceGroup -Name <target-resource-group-name> -location <target-region> -
Deploy the edited <resource-group-name>.json file to the resource group created in the previous step using New-AzResourceGroupDeployment:
New-AzResourceGroupDeployment -ResourceGroupName <target-resource-group-name> -TemplateFile <source-resource-group-name>.json -
To verify the resources were created in the target region, use Get-AzResourceGroup and Get-AzNetworkSecurityGroup:
Get-AzResourceGroup -Name <target-resource-group-name>Get-AzNetworkSecurityGroup -Name <target-nsg-name> -ResourceGroupName <target-resource-group-name>
After the deployment, if you wish to start over or discard the NSG in the target, delete the resource group that was created in the target and the moved NSG will be deleted. To remove the resource group, use Remove-AzResourceGroup:
Remove-AzResourceGroup -Name <target-resource-group-name>
To commit the changes and complete the move of the NSG, delete the source NSG or resource group, use Remove-AzResourceGroup or Remove-AzNetworkSecurityGroup:
Remove-AzResourceGroup -Name <source-resource-group-name>
Remove-AzNetworkSecurityGroup -Name <source-nsg-name> -ResourceGroupName <source-resource-group-name>
In this tutorial, you moved an Azure network security group from one region to another and cleaned up the source resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to: