示例#1
 /// <summary>
 /// Gets the configured and effective security group rules on the specified VM
 /// and returns the body of the operation response.
 /// </summary>
 /// <remarks>
 /// Only the response body is handed back; the response wrapper returned by
 /// <c>BeginGetVMSecurityRulesWithHttpMessagesAsync</c> is disposed before this
 /// method completes, so nothing else from that wrapper is available to the caller.
 /// </remarks>
 /// <param name='operations'>
 /// The operations group for this extension method.
 /// </param>
 /// <param name='resourceGroupName'>
 /// The name of the resource group.
 /// </param>
 /// <param name='networkWatcherName'>
 /// The name of the network watcher.
 /// </param>
 /// <param name='parameters'>
 /// Parameters that define the VM to check security groups for.
 /// </param>
 /// <param name='cancellationToken'>
 /// The cancellation token, forwarded unchanged to the underlying call.
 /// </param>
 /// <returns>
 /// The <c>Body</c> of the operation response.
 /// </returns>
 public static async Task <SecurityGroupViewResult> BeginGetVMSecurityRulesAsync(this INetworkWatchersOperations operations, string resourceGroupName, string networkWatcherName, SecurityGroupViewParameters parameters, CancellationToken cancellationToken = default(CancellationToken))
 {
     // The fourth argument is passed as null.
     // NOTE(review): presumably the custom-headers slot of the generated client - confirm.
     var pendingCall = operations.BeginGetVMSecurityRulesWithHttpMessagesAsync(resourceGroupName, networkWatcherName, parameters, null, cancellationToken);

     // ConfigureAwait(false): the continuation does not need the caller's synchronization context.
     using (var response = await pendingCall.ConfigureAwait(false))
     {
         var securityGroupView = response.Body;
         return securityGroupView;
     }
 }
        /// <summary>
        /// Deploys a VM, adds a deny rule for outbound TCP port 80 to its network
        /// security group, then requests the security group view for that VM and
        /// checks the added rule plus the six default rules.
        /// </summary>
        public void ViewNsgRuleApiTest()
        {
            // One handler per management client, each configured with StatusCodeToReturn = OK.
            var resourcesHandler = new RecordedDelegatingHandler { StatusCodeToReturn = HttpStatusCode.OK };
            var networkHandler   = new RecordedDelegatingHandler { StatusCodeToReturn = HttpStatusCode.OK };
            var computeHandler   = new RecordedDelegatingHandler { StatusCodeToReturn = HttpStatusCode.OK };

            using (MockContext context = MockContext.Start(this.GetType()))
            {
                var resourcesClient         = ResourcesManagementTestUtilities.GetResourceManagementClientWithHandler(context, resourcesHandler);
                var networkManagementClient = NetworkManagementTestUtilities.GetNetworkManagementClientWithHandler(context, networkHandler);
                var computeManagementClient = NetworkManagementTestUtilities.GetComputeManagementClientWithHandler(context, computeHandler);

                string location = "westcentralus";

                // The GenerateName() calls below are kept in their original order.
                string resourceGroupName = TestUtilities.GenerateName();
                var resourceGroup = new ResourceGroup { Location = location };
                resourcesClient.ResourceGroups.CreateOrUpdate(resourceGroupName, resourceGroup);

                string virtualMachineName       = TestUtilities.GenerateName();
                string networkInterfaceName     = TestUtilities.GenerateName();
                string networkSecurityGroupName = virtualMachineName + "-nsg";

                // Deploy the VM (with its NIC and NSG) from the template.
                Deployments.CreateVm(
                    resourcesClient: resourcesClient,
                    resourceGroupName: resourceGroupName,
                    location: location,
                    virtualMachineName: virtualMachineName,
                    storageAccountName: TestUtilities.GenerateName(),
                    networkInterfaceName: networkInterfaceName,
                    networkSecurityGroupName: networkSecurityGroupName,
                    diagnosticsStorageAccountName: TestUtilities.GenerateName(),
                    deploymentName: TestUtilities.GenerateName());

                // Create the network watcher in the same location as the VM.
                string networkWatcherName = TestUtilities.GenerateName();
                NetworkWatcher properties = new NetworkWatcher { Location = location };
                var createNetworkWatcher = networkManagementClient.NetworkWatchers.CreateOrUpdate(resourceGroupName, networkWatcherName, properties);

                var getVm = computeManagementClient.VirtualMachines.Get(resourceGroupName, virtualMachineName);

                // localIPAddress is not read again below; the lookup itself is kept as in the original.
                var networkInterface = networkManagementClient.NetworkInterfaces.Get(resourceGroupName, networkInterfaceName);
                string localIPAddress = networkInterface.IpConfigurations.FirstOrDefault().PrivateIPAddress;

                string securityRule1 = TestUtilities.GenerateName();

                // Rule under test: deny outbound TCP/80 from any source to any destination, priority 501.
                var outboundDenyRule = new SecurityRule()
                {
                    Name                     = securityRule1,
                    Description              = "Test outbound security rule",
                    Access                   = SecurityRuleAccess.Deny,
                    Direction                = SecurityRuleDirection.Outbound,
                    Protocol                 = SecurityRuleProtocol.Tcp,
                    Priority                 = 501,
                    SourceAddressPrefix      = "*",
                    SourcePortRange          = "*",
                    DestinationAddressPrefix = "*",
                    DestinationPortRange     = "80",
                };

                // Read-modify-write of the NSG that the deployment created for the VM.
                var nsg = networkManagementClient.NetworkSecurityGroups.Get(resourceGroupName, networkSecurityGroupName);
                nsg.SecurityRules.Add(outboundDenyRule);
                networkManagementClient.NetworkSecurityGroups.CreateOrUpdate(resourceGroupName, networkSecurityGroupName, nsg);

                // Request the security group view for the VM.
                SecurityGroupViewParameters sgvProperties = new SecurityGroupViewParameters()
                {
                    TargetResourceId = getVm.Id
                };
                var viewNSGRules = networkManagementClient.NetworkWatchers.GetVMSecurityRules(resourceGroupName, networkWatcherName, sgvProperties);

                // All checks run against the rule associations of the first network interface in the view.
                var associations = viewNSGRules.NetworkInterfaces.FirstOrDefault().SecurityRuleAssociations;

                // The added rule is looked up under the "UserRule_" prefix. The expected values are the
                // expanded forms the view reports: "*" prefixes as 0.0.0.0/0, port "80" as 80-80,
                // port "*" as 0-65535.
                var userRule = associations.EffectiveSecurityRules.FirstOrDefault(r => r.Name == "UserRule_" + securityRule1);
                Assert.Equal("Tcp", userRule.Protocol);
                Assert.Equal(501, userRule.Priority);
                Assert.Equal("Deny", userRule.Access);
                Assert.Equal("Outbound", userRule.Direction);
                Assert.Equal("0.0.0.0/0", userRule.DestinationAddressPrefix);
                Assert.Equal("80-80", userRule.DestinationPortRange);
                Assert.Equal("0.0.0.0/0", userRule.SourceAddressPrefix);
                Assert.Equal("0-65535", userRule.SourcePortRange);

                // Verify the six default rules: three inbound, then three outbound.
                var allowVnetInbound = associations.DefaultSecurityRules.FirstOrDefault(r => r.Name == "AllowVnetInBound");
                Assert.Equal("*", allowVnetInbound.Protocol);
                Assert.Equal(65000, allowVnetInbound.Priority);
                Assert.Equal("Allow", allowVnetInbound.Access);
                Assert.Equal("Inbound", allowVnetInbound.Direction);
                Assert.Equal("VirtualNetwork", allowVnetInbound.DestinationAddressPrefix);
                Assert.Equal("*", allowVnetInbound.DestinationPortRange);
                Assert.Equal("VirtualNetwork", allowVnetInbound.SourceAddressPrefix);
                Assert.Equal("*", allowVnetInbound.SourcePortRange);

                var allowLoadBalancerInbound = associations.DefaultSecurityRules.FirstOrDefault(r => r.Name == "AllowAzureLoadBalancerInBound");
                Assert.Equal("*", allowLoadBalancerInbound.Protocol);
                Assert.Equal(65001, allowLoadBalancerInbound.Priority);
                Assert.Equal("Allow", allowLoadBalancerInbound.Access);
                Assert.Equal("Inbound", allowLoadBalancerInbound.Direction);
                Assert.Equal("*", allowLoadBalancerInbound.DestinationAddressPrefix);
                Assert.Equal("*", allowLoadBalancerInbound.DestinationPortRange);
                Assert.Equal("AzureLoadBalancer", allowLoadBalancerInbound.SourceAddressPrefix);
                Assert.Equal("*", allowLoadBalancerInbound.SourcePortRange);

                var denyAllInbound = associations.DefaultSecurityRules.FirstOrDefault(r => r.Name == "DenyAllInBound");
                Assert.Equal("*", denyAllInbound.Protocol);
                Assert.Equal(65500, denyAllInbound.Priority);
                Assert.Equal("Deny", denyAllInbound.Access);
                Assert.Equal("Inbound", denyAllInbound.Direction);
                Assert.Equal("*", denyAllInbound.DestinationAddressPrefix);
                Assert.Equal("*", denyAllInbound.DestinationPortRange);
                Assert.Equal("*", denyAllInbound.SourceAddressPrefix);
                Assert.Equal("*", denyAllInbound.SourcePortRange);

                var allowVnetOutbound = associations.DefaultSecurityRules.FirstOrDefault(r => r.Name == "AllowVnetOutBound");
                Assert.Equal("*", allowVnetOutbound.Protocol);
                Assert.Equal(65000, allowVnetOutbound.Priority);
                Assert.Equal("Allow", allowVnetOutbound.Access);
                Assert.Equal("Outbound", allowVnetOutbound.Direction);
                Assert.Equal("VirtualNetwork", allowVnetOutbound.DestinationAddressPrefix);
                Assert.Equal("*", allowVnetOutbound.DestinationPortRange);
                Assert.Equal("VirtualNetwork", allowVnetOutbound.SourceAddressPrefix);
                Assert.Equal("*", allowVnetOutbound.SourcePortRange);

                var allowInternetOutbound = associations.DefaultSecurityRules.FirstOrDefault(r => r.Name == "AllowInternetOutBound");
                Assert.Equal("*", allowInternetOutbound.Protocol);
                Assert.Equal(65001, allowInternetOutbound.Priority);
                Assert.Equal("Allow", allowInternetOutbound.Access);
                Assert.Equal("Outbound", allowInternetOutbound.Direction);
                Assert.Equal("Internet", allowInternetOutbound.DestinationAddressPrefix);
                Assert.Equal("*", allowInternetOutbound.DestinationPortRange);
                Assert.Equal("*", allowInternetOutbound.SourceAddressPrefix);
                Assert.Equal("*", allowInternetOutbound.SourcePortRange);

                var denyAllOutbound = associations.DefaultSecurityRules.FirstOrDefault(r => r.Name == "DenyAllOutBound");
                Assert.Equal("*", denyAllOutbound.Protocol);
                Assert.Equal(65500, denyAllOutbound.Priority);
                Assert.Equal("Deny", denyAllOutbound.Access);
                Assert.Equal("Outbound", denyAllOutbound.Direction);
                Assert.Equal("*", denyAllOutbound.DestinationAddressPrefix);
                Assert.Equal("*", denyAllOutbound.DestinationPortRange);
                Assert.Equal("*", denyAllOutbound.SourceAddressPrefix);
                Assert.Equal("*", denyAllOutbound.SourcePortRange);
            }
        }
示例#3
 /// <summary>
 /// Gets the configured and effective security group rules on the specified VM.
 /// Synchronous counterpart of <c>BeginGetVMSecurityRulesAsync</c>.
 /// </summary>
 /// <remarks>
 /// Blocks the calling thread until the asynchronous call completes. No
 /// cancellation token is supplied, so the wait cannot be cancelled from here.
 /// </remarks>
 /// <param name='operations'>
 /// The operations group for this extension method.
 /// </param>
 /// <param name='resourceGroupName'>
 /// The name of the resource group.
 /// </param>
 /// <param name='networkWatcherName'>
 /// The name of the network watcher.
 /// </param>
 /// <param name='parameters'>
 /// Parameters that define the VM to check security groups for.
 /// </param>
 /// <returns>
 /// The result produced by <c>BeginGetVMSecurityRulesAsync</c>.
 /// </returns>
 public static SecurityGroupViewResult BeginGetVMSecurityRules(this INetworkWatchersOperations operations, string resourceGroupName, string networkWatcherName, SecurityGroupViewParameters parameters)
 {
     var pendingCall = operations.BeginGetVMSecurityRulesAsync(resourceGroupName, networkWatcherName, parameters);

     // GetAwaiter().GetResult() waits synchronously and surfaces a failure as the
     // original exception rather than wrapped in an AggregateException.
     return pendingCall.GetAwaiter().GetResult();
 }
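        /// <summary>
        /// Deploys a VM, adds a deny rule for outbound TCP port 80 to its network
        /// security group, then requests the security group view for that VM and
        /// checks the added rule plus the six default rules.
        /// </summary>
        /// <remarks>
        /// Each rule is resolved once and asserted non-null first, so a rule that
        /// is absent from the view fails with a message naming it instead of a
        /// <see cref="NullReferenceException"/>.
        /// </remarks>
        public async Task ViewNsgRuleApiTest()
        {
            // The Recording.Generate* calls below are kept in their original order.
            string resourceGroupName = Recording.GenerateAssetName("azsmnet");

            string location = "westus2";
            await ResourceGroupsOperations.CreateOrUpdateAsync(resourceGroupName, new ResourceGroup(location));

            string virtualMachineName       = Recording.GenerateAssetName("azsmnet");
            string networkInterfaceName     = Recording.GenerateAssetName("azsmnet");
            string networkSecurityGroupName = virtualMachineName + "-nsg";

            //Deploy VM with template
            // NOTE(review): adminPassword is a generated value behind a fixed prefix - confirm the
            // recording pipeline keeps it out of committed session files.
            await CreateVm(
                resourcesClient : ResourceManagementClient,
                resourceGroupName : resourceGroupName,
                location : location,
                virtualMachineName : virtualMachineName,
                storageAccountName : Recording.GenerateAssetName("azsmnet"),
                networkInterfaceName : networkInterfaceName,
                networkSecurityGroupName : networkSecurityGroupName,
                diagnosticsStorageAccountName : Recording.GenerateAssetName("azsmnet"),
                deploymentName : Recording.GenerateAssetName("azsmnet"),
                adminPassword : Recording.GenerateAlphaNumericId("AzureSDKNetworkTest#")
                );

            //TODO:There is no need to perform a separate create NetworkWatchers operation
            // No watcher is created here; the view is requested from the watcher
            // "NetworkWatcher_<location>" in resource group "NetworkWatcherRG".
            // NOTE(review): presumably that watcher already exists in the test subscription - confirm.
            const string networkWatcherResourceGroup = "NetworkWatcherRG";
            string networkWatcherName = "NetworkWatcher_" + location;

            Response <VirtualMachine> getVm = await ComputeManagementClient.VirtualMachines.GetAsync(resourceGroupName, virtualMachineName);

            // Awaited rather than read through .Result, so the async test does not block a thread
            // and a failure is not wrapped in an AggregateException. localIPAddress is not read
            // again below; the lookup itself is kept as in the original.
            Response <NetworkInterface> networkInterface = await NetworkManagementClient.NetworkInterfaces.GetAsync(resourceGroupName, networkInterfaceName);
            string localIPAddress = networkInterface.Value.IpConfigurations.FirstOrDefault().PrivateIPAddress;

            string securityRule1 = Recording.GenerateAssetName("azsmnet");

            // Rule under test: deny outbound TCP/80 from any source to any destination, priority 501.
            SecurityRule outboundDenyRule = new SecurityRule()
            {
                Name        = securityRule1,
                Access      = SecurityRuleAccess.Deny,
                Description = "Test outbound security rule",
                DestinationAddressPrefix = "*",
                DestinationPortRange     = "80",
                Direction           = SecurityRuleDirection.Outbound,
                Priority            = 501,
                Protocol            = SecurityRuleProtocol.Tcp,
                SourceAddressPrefix = "*",
                SourcePortRange     = "*",
            };

            // Read-modify-write of the NSG that the deployment created for the VM.
            Response <NetworkSecurityGroup> nsg = await NetworkManagementClient.NetworkSecurityGroups.GetAsync(resourceGroupName, networkSecurityGroupName);

            nsg.Value.SecurityRules.Add(outboundDenyRule);
            NetworkSecurityGroupsCreateOrUpdateOperation createOrUpdateOperation = await NetworkManagementClient.NetworkSecurityGroups.StartCreateOrUpdateAsync(resourceGroupName, networkSecurityGroupName, nsg);

            // Wait for the NSG update to finish before requesting the view.
            await WaitForCompletionAsync(createOrUpdateOperation);

            //Get view security group rules
            SecurityGroupViewParameters sgvProperties = new SecurityGroupViewParameters(getVm.Value.Id);
            NetworkWatchersGetVMSecurityRulesOperation viewNSGRulesOperation = await NetworkManagementClient.NetworkWatchers.StartGetVMSecurityRulesAsync(networkWatcherResourceGroup, networkWatcherName, sgvProperties);

            Response <SecurityGroupViewResult> viewNSGRules = await WaitForCompletionAsync(viewNSGRulesOperation);

            // All checks run against the rule associations of the first network interface in the view.
            var firstInterface = viewNSGRules.Value.NetworkInterfaces.FirstOrDefault();
            Assert.IsNotNull(firstInterface, "The security group view contains no network interface.");
            var associations = firstInterface.SecurityRuleAssociations;
            Assert.IsNotNull(associations, "The first network interface has no security rule associations.");

            //Verify effective security rule defined earlier
            // The added rule is looked up under the "UserRule_" prefix. The expected values are the
            // expanded forms the view reports: "*" prefixes as 0.0.0.0/0, port "80" as 80-80,
            // port "*" as 0-65535.
            EffectiveNetworkSecurityRule userRule = associations.EffectiveSecurityRules.FirstOrDefault(x => x.Name == "UserRule_" + securityRule1);
            Assert.IsNotNull(userRule, "Effective rule 'UserRule_" + securityRule1 + "' is missing from the view.");
            Assert.AreEqual("Tcp", userRule.Protocol);
            Assert.AreEqual(501, userRule.Priority);
            Assert.AreEqual("Deny", userRule.Access);
            Assert.AreEqual("Outbound", userRule.Direction);
            Assert.AreEqual("0.0.0.0/0", userRule.DestinationAddressPrefix);
            Assert.AreEqual("80-80", userRule.DestinationPortRange);
            Assert.AreEqual("0.0.0.0/0", userRule.SourceAddressPrefix);
            Assert.AreEqual("0-65535", userRule.SourcePortRange);

            //Verify 6 default rules
            SecurityRule allowVnetInbound = associations.DefaultSecurityRules.FirstOrDefault(x => x.Name == "AllowVnetInBound");
            Assert.IsNotNull(allowVnetInbound, "Default rule 'AllowVnetInBound' is missing from the view.");
            Assert.AreEqual("*", allowVnetInbound.Protocol);
            Assert.AreEqual(65000, allowVnetInbound.Priority);
            Assert.AreEqual("Allow", allowVnetInbound.Access);
            Assert.AreEqual("Inbound", allowVnetInbound.Direction);
            Assert.AreEqual("VirtualNetwork", allowVnetInbound.DestinationAddressPrefix);
            Assert.AreEqual("*", allowVnetInbound.DestinationPortRange);
            Assert.AreEqual("VirtualNetwork", allowVnetInbound.SourceAddressPrefix);
            Assert.AreEqual("*", allowVnetInbound.SourcePortRange);

            SecurityRule allowLoadBalancerInbound = associations.DefaultSecurityRules.FirstOrDefault(x => x.Name == "AllowAzureLoadBalancerInBound");
            Assert.IsNotNull(allowLoadBalancerInbound, "Default rule 'AllowAzureLoadBalancerInBound' is missing from the view.");
            Assert.AreEqual("*", allowLoadBalancerInbound.Protocol);
            Assert.AreEqual(65001, allowLoadBalancerInbound.Priority);
            Assert.AreEqual("Allow", allowLoadBalancerInbound.Access);
            Assert.AreEqual("Inbound", allowLoadBalancerInbound.Direction);
            Assert.AreEqual("*", allowLoadBalancerInbound.DestinationAddressPrefix);
            Assert.AreEqual("*", allowLoadBalancerInbound.DestinationPortRange);
            Assert.AreEqual("AzureLoadBalancer", allowLoadBalancerInbound.SourceAddressPrefix);
            Assert.AreEqual("*", allowLoadBalancerInbound.SourcePortRange);

            SecurityRule denyAllInbound = associations.DefaultSecurityRules.FirstOrDefault(x => x.Name == "DenyAllInBound");
            Assert.IsNotNull(denyAllInbound, "Default rule 'DenyAllInBound' is missing from the view.");
            Assert.AreEqual("*", denyAllInbound.Protocol);
            Assert.AreEqual(65500, denyAllInbound.Priority);
            Assert.AreEqual("Deny", denyAllInbound.Access);
            Assert.AreEqual("Inbound", denyAllInbound.Direction);
            Assert.AreEqual("*", denyAllInbound.DestinationAddressPrefix);
            Assert.AreEqual("*", denyAllInbound.DestinationPortRange);
            Assert.AreEqual("*", denyAllInbound.SourceAddressPrefix);
            Assert.AreEqual("*", denyAllInbound.SourcePortRange);

            SecurityRule allowVnetOutbound = associations.DefaultSecurityRules.FirstOrDefault(x => x.Name == "AllowVnetOutBound");
            Assert.IsNotNull(allowVnetOutbound, "Default rule 'AllowVnetOutBound' is missing from the view.");
            Assert.AreEqual("*", allowVnetOutbound.Protocol);
            Assert.AreEqual(65000, allowVnetOutbound.Priority);
            Assert.AreEqual("Allow", allowVnetOutbound.Access);
            Assert.AreEqual("Outbound", allowVnetOutbound.Direction);
            Assert.AreEqual("VirtualNetwork", allowVnetOutbound.DestinationAddressPrefix);
            Assert.AreEqual("*", allowVnetOutbound.DestinationPortRange);
            Assert.AreEqual("VirtualNetwork", allowVnetOutbound.SourceAddressPrefix);
            Assert.AreEqual("*", allowVnetOutbound.SourcePortRange);

            SecurityRule allowInternetOutbound = associations.DefaultSecurityRules.FirstOrDefault(x => x.Name == "AllowInternetOutBound");
            Assert.IsNotNull(allowInternetOutbound, "Default rule 'AllowInternetOutBound' is missing from the view.");
            Assert.AreEqual("*", allowInternetOutbound.Protocol);
            Assert.AreEqual(65001, allowInternetOutbound.Priority);
            Assert.AreEqual("Allow", allowInternetOutbound.Access);
            Assert.AreEqual("Outbound", allowInternetOutbound.Direction);
            Assert.AreEqual("Internet", allowInternetOutbound.DestinationAddressPrefix);
            Assert.AreEqual("*", allowInternetOutbound.DestinationPortRange);
            Assert.AreEqual("*", allowInternetOutbound.SourceAddressPrefix);
            Assert.AreEqual("*", allowInternetOutbound.SourcePortRange);

            SecurityRule denyAllOutbound = associations.DefaultSecurityRules.FirstOrDefault(x => x.Name == "DenyAllOutBound");
            Assert.IsNotNull(denyAllOutbound, "Default rule 'DenyAllOutBound' is missing from the view.");
            Assert.AreEqual("*", denyAllOutbound.Protocol);
            Assert.AreEqual(65500, denyAllOutbound.Priority);
            Assert.AreEqual("Deny", denyAllOutbound.Access);
            Assert.AreEqual("Outbound", denyAllOutbound.Direction);
            Assert.AreEqual("*", denyAllOutbound.DestinationAddressPrefix);
            Assert.AreEqual("*", denyAllOutbound.DestinationPortRange);
            Assert.AreEqual("*", denyAllOutbound.SourceAddressPrefix);
            Assert.AreEqual("*", denyAllOutbound.SourcePortRange);
        }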