From ff03438bf2d29ae0fa9d773486b24169f4eb72a7 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 26 Feb 2020 13:22:26 +0000 Subject: [PATCH 01/16] Initial deployment comparison script --- tests/Compare_Deployments.ps1 | 125 ++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 tests/Compare_Deployments.ps1 diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1 new file mode 100644 index 0000000000..920a4123f9 --- /dev/null +++ b/tests/Compare_Deployments.ps1 
@@ -0,0 +1,125 @@
+# You will need `Install-Package Communary.PASM`
+param(
+ [Parameter(Mandatory = $true, HelpMessage = "Name of the current SHM subscription")]
+ [string]$currentShmSubscription,
+ [Parameter(Mandatory = $true, HelpMessage = "Name of the new SHM subscription")]
+ [string]$newShmSubscription,
+ [Parameter(Mandatory = $false, HelpMessage = "Print verbose logging messages")]
+ [switch]$VerboseLogging = $false
+)
+
+Import-Module Az
+Import-Module Communary.PASM
+Import-Module $PSScriptRoot/../common_powershell/Logging.psm1 -Force
+
+function Select-ClosestMatch {
+ param (
+ [Parameter(Position = 0)][ValidateNotNullOrEmpty()]
+ [string] $Value,
+ [Parameter(Position = 1)][ValidateNotNullOrEmpty()]
+ [System.Array] $Array
+ )
+ $Array | Sort-Object @{Expression={ Get-PasmScore -String1 $Value -String2 $_ -Algorithm "LevenshteinDistance" }; Ascending=$false} | Select-Object -First 1
+}
+
+
+function Compare-NSGRules {
+ param (
+ [Parameter()][ValidateNotNullOrEmpty()]
+ [System.Array] $CurrentRules,
+ [Parameter()][ValidateNotNullOrEmpty()]
+ [System.Array] $NewRules
+ )
+ $nMatched = 0
+ $unmatched = @()
+ $matchFound = $false
+ foreach ($currentRule in $CurrentRules) {
+ foreach ($newRule in $NewRules) {
+ if (
+ ($currentRule.Protocol -eq $newRule.Protocol) -and
+ ([string]($currentRule.SourcePortRange) -eq [string]($newRule.SourcePortRange)) -and
+ ([string]($currentRule.DestinationPortRange) -eq [string]($newRule.DestinationPortRange)) -and
+ ([string]($currentRule.SourceAddressPrefix) -eq [string]($newRule.SourceAddressPrefix)) -and
+ ([string]($currentRule.DestinationAddressPrefix) -eq [string]($newRule.DestinationAddressPrefix)) -and
+ ($currentRule.Access -eq $newRule.Access) -and
+ ($currentRule.Priority -eq $newRule.Priority) -and
+ ($currentRule.Direction -eq $newRule.Direction)
+ ) {
+ $matchFound = $true
+ break
+ }
+ }
+
+ if ($matchFound) {
+ $nMatched += 1
+ if ($VerboseLogging) { Add-LogMessage -Level Info "Found matching rule for 
$($currentRule.Name)" }
+ } else {
+ Add-LogMessage -Level Error "Could not find matching rule for $($currentRule.Name)"
+ $unmatched += $currentRule.Name
+ }
+ }
+
+ $nTotal = $nMatched + $unmatched.Count
+ if ($nMatched -eq $nTotal) {
+ Add-LogMessage -Level Success "Matched $nMatched/$nTotal rules"
+ } else {
+ Add-LogMessage -Level Failure "Matched $nMatched/$nTotal rules"
+ }
+}
+
+# Get original context before switching subscription
+# --------------------------------------------------
+$originalContext = Get-AzContext
+
+
+# Get VMs in current SHM
+# ----------------------
+$_ = Set-AzContext -SubscriptionId $currentShmSubscription
+$currentShmVMs = Get-AzVM | Where-Object { $_.Name -NotLike "*shm-deploy*" }
+Add-LogMessage -Level Info "Found $($currentShmVMs.Count) VMs in current subscription"
+
+# Get VMs in new SHM
+# ------------------
+$_ = Set-AzContext -SubscriptionId $newShmSubscription
+$newShmVMs = Get-AzVM
+Add-LogMessage -Level Info "Found $($newShmVMs.Count) VMs in new subscription"
+
+
+# Create a hash table which maps current SHM VMs to new ones
+# ----------------------------------------------------------
+$vmHashTable = @{}
+$newShmVMNames = $newShmVMs | ForEach-Object { $_.Name }
+
+foreach ($currentVM in $currentShmVMs) {
+ $newVM = $newShmVMs | Where-Object { $_.Name -eq $(Select-ClosestMatch -Array $newShmVMNames -Value $currentVM.Name) }
+ $vmHashTable[$currentVM] = $newVM
+}
+
+# Iterate over paired VMs checking their effective NSG rules
+# ----------------------------------------------------------
+foreach ($currentVM in $currentShmVMs) {
+ $newVM = $vmHashTable[$currentVM]
+
+ # Get existing rules
+ $_ = Set-AzContext -SubscriptionId $currentShmSubscription
+ $currentEffectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($currentVM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $currentVM.ResourceGroupName
+ $currentRules = $currentEffectiveNSG.EffectiveSecurityRules
+
+ # Get new rules
+ $_ 
= Set-AzContext -SubscriptionId $newShmSubscription
+ $newEffectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($newVM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $newVM.ResourceGroupName
+ $newRules = $newEffectiveNSG.EffectiveSecurityRules
+
+ # Check that each NSG rules has a matching equivalent (which might be named differently)
+ Add-LogMessage -Level Info "Comparing NSG rules for $($currentVM.Name) and $($newVM.Name)"
+ Add-LogMessage -Level Info "... ensuring that all $($currentVM.Name) rules exist on $($newVM.Name)"
+ Compare-NSGRules -CurrentRules $currentRules -NewRules $newRules
+ Add-LogMessage -Level Info "... ensuring that all $($newVM.Name) rules exist on $($currentVM.Name)"
+ Compare-NSGRules -CurrentRules $newRules -NewRules $currentRules
+}
+
+
+
+# Switch back to original subscription
+# ------------------------------------
+$_ = Set-AzContext -Context $originalContext
From bfe10addcc064c58b13d03f7f251831b3f88fc7a Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Wed, 26 Feb 2020 15:09:23 +0000
Subject: [PATCH 02/16] Added internet connectivity check
---
tests/Compare_Deployments.ps1 | 57 +++++++++++++++++++++++++++++++----
1 file changed, 51 insertions(+), 6 deletions(-)
diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1
index 920a4123f9..16731f64be 100644
--- a/tests/Compare_Deployments.ps1
+++ b/tests/Compare_Deployments.ps1
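Review bot: The context restore on the last line, `$_ = Set-AzContext -Context $originalContext`, is not on the error path, so any terminating error in the loop above leaves the session switched to the new subscription and whatever the operator runs next in that session targets it. Wrapping everything after `$originalContext = Get-AzContext` in `try { ... } finally { $null = Set-AzContext -Context $originalContext }` restores it on every exit. The discarded outputs are assigned to `$_`, the automatic pipeline variable; `$null = Set-AzContext ...` is the conventional form and cannot clobber `$_` inside an enclosing script block. Compare-NSGRules logs a Failure but returns nothing, so the script exits 0 even when every rule is unmatched; tracking a failure count and ending with `exit 1` when it is non-zero would let this run as a real test.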
@@ -67,6 +67,29 @@ function Compare-NSGRules {
 }
 }
+
+function Test-OutboundConnection {
+ param (
+ [Parameter(Position = 0)][ValidateNotNullOrEmpty()]
+ [Microsoft.Azure.Commands.Compute.Models.PSVirtualMachine] $VM,
+ [Parameter(Position = 0)][ValidateNotNullOrEmpty()]
+ [string] $DestinationAddress,
+ [Parameter(Position = 1)][ValidateNotNullOrEmpty()]
+ [string] $DestinationPort
+ )
+ $networkWatcher = Get-AzNetworkWatcher | Where-Object -Property Location -EQ -Value $VM.Location
+ if (-Not $networkWatcher) {
+ $networkWatcher = New-AzNetworkWatcher -Name "NetworkWatcher" -ResourceGroupName "NetworkWatcherRG" -Location $VM.Location
+ }
+ Get-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Name "AzureNetworkWatcherExtension" -ErrorVariable NotInstalled -ErrorAction SilentlyContinue
+ if ($NotInstalled) {
+ Set-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Location $VM.Location -Name "networkWatcherAgent" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -TypeHandlerVersion "1.4"
+ }
+ return Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM.Id -DestinationAddress $DestinationAddress -DestinationPort $DestinationPort
+}
+
+
+
 # Get original context before switching subscription
 # --------------------------------------------------
 $originalContext = Get-AzContext
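Review bot: Test-OutboundConnection is not read-only: when no watcher exists it creates a Network Watcher resource, and when the extension is missing it installs an agent on the VM via Set-AzVMExtension, and the third hunk of this patch calls it for the current (working) subscription as well as the new one. A comparison script should not modify the deployment it is checking unless the operator opts in; gate the install behind a switch next to `$VerboseLogging`, e.g. `[switch]$InstallNetworkWatcherAgent = $false`, and say in the header comment that write access to VMs in both subscriptions is needed when it is set. The hard-coded `-Type "NetworkWatcherAgentWindows"` will presumably fail on any Linux VM in the deployment; worth confirming against the VM list. Separately, `$VM` and `$DestinationAddress` both carry `[Parameter(Position = 0)]`, which is ambiguous for positional callers; make them 0, 1 and 2.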
@@ -77,13 +100,18 @@ $originalContext = Get-AzContext
 $_ = Set-AzContext -SubscriptionId $currentShmSubscription
 $currentShmVMs = Get-AzVM | Where-Object { $_.Name -NotLike "*shm-deploy*" }
 Add-LogMessage -Level Info "Found $($currentShmVMs.Count) VMs in current subscription"
+foreach ($VM in $currentShmVMs) {
+ Add-LogMessage -Level Info ".. $($VM.Name)"
+}
 # Get VMs in new SHM
 # ------------------
 $_ = Set-AzContext -SubscriptionId $newShmSubscription
 $newShmVMs = Get-AzVM
 Add-LogMessage -Level Info "Found $($newShmVMs.Count) VMs in new subscription"
-
+foreach ($VM in $newShmVMs) {
+ Add-LogMessage -Level Info ".. $($VM.Name)"
+}
 # Create a hash table which maps current SHM VMs to new ones
 # ----------------------------------------------------------
@@ -95,27 +123,44 @@ foreach ($currentVM in $currentShmVMs) { $vmHashTable[$currentVM] = $newVM } -# Iterate over paired VMs checking their effective NSG rules -# ---------------------------------------------------------- +# Iterate over paired VMs checking their network settings +# ------------------------------------------------------- foreach ($currentVM in $currentShmVMs) { $newVM = $vmHashTable[$currentVM] - # Get existing rules + # Get parameters for current VM + # ----------------------------- $_ = Set-AzContext -SubscriptionId $currentShmSubscription + # NSG rules $currentEffectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($currentVM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $currentVM.ResourceGroupName $currentRules = $currentEffectiveNSG.EffectiveSecurityRules + # Internet out + $currentInternetCheck = Test-OutboundConnection -VM $currentVM -DestinationAddress "google.com" -DestinationPort 80 - # Get new rules + # Get parameters for new VM + # ------------------------- $_ = Set-AzContext -SubscriptionId $newShmSubscription + # NSG rules $newEffectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($newVM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $newVM.ResourceGroupName $newRules = $newEffectiveNSG.EffectiveSecurityRules + # Internet out + $newInternetCheck = Test-OutboundConnection -VM $newVM -DestinationAddress "google.com" -DestinationPort 80 - # Check that each NSG rules has a matching equivalent (which might be named differently) + # Check that each NSG rule has a matching equivalent (which might be named differently) Add-LogMessage -Level Info "Comparing NSG rules for $($currentVM.Name) and $($newVM.Name)" Add-LogMessage -Level Info "... ensuring that all $($currentVM.Name) rules exist on $($newVM.Name)" Compare-NSGRules -CurrentRules $currentRules -NewRules $newRules Add-LogMessage -Level Info "... 
ensuring that all $($newVM.Name) rules exist on $($currentVM.Name)" Compare-NSGRules -CurrentRules $newRules -NewRules $currentRules + + # Check that internet connectivity is the same for matched VMs + Add-LogMessage -Level Info "Comparing internet connectivity for $($currentVM.Name) and $($newVM.Name)..." + if ($currentInternetCheck.ConnectionStatus -eq $newInternetCheck.ConnectionStatus) { + Add-LogMessage -Level Success "... the internet is '$($currentInternetCheck.ConnectionStatus)' from both" + } else { + Add-LogMessage -Level Failure "... the internet is '$($currentInternetCheck.ConnectionStatus)' from $($currentVM.Name)" + Add-LogMessage -Level Failure "... the internet is '$($newInternetCheck.ConnectionStatus)' from $($newVM.Name)" + } } From 482187e6c3807fa500033712eb521e6ff4f940a4 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 26 Feb 2020 15:44:07 +0000 Subject: [PATCH 03/16] Genericise subscription names --- tests/Compare_Deployments.ps1 | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1 index 16731f64be..3963a71b3d 100644 --- a/tests/Compare_Deployments.ps1 +++ b/tests/Compare_Deployments.ps1 @@ -1,9 +1,9 @@ # You will need `Install-Package Communary.PASM` param( - [Parameter(Mandatory = $true, HelpMessage = "Name of the current SHM subscription")] - [string]$currentShmSubscription, - [Parameter(Mandatory = $true, HelpMessage = "Name of the new SHM subscription")] - [string]$newShmSubscription, + [Parameter(Mandatory = $true, HelpMessage = "Name of the current (working) subscription")] + [string]$currentSubscription, + [Parameter(Mandatory = $true, HelpMessage = "Name of the new (proposed) subscription")] + [string]$newSubscription, [Parameter(Mandatory = $false, HelpMessage = "Print verbose logging messages")] [switch]$VerboseLogging = $false ) 
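Review bot: The connectivity comparison at the end of the loop reports Success whenever the two results are equal, including when neither could be determined: if Test-AzNetworkWatcherConnectivity errors on both VMs, Test-OutboundConnection returns `$null` for both, `$currentInternetCheck.ConnectionStatus -eq $newInternetCheck.ConnectionStatus` holds, and the log says the internet is '' from both. The rewrite in PATCH 04/16 (the hunk at `@@ -155,11 +214,11 @@`) keeps this behaviour, since it compares the literal "Unknown" returned on failure against itself. Handle the inconclusive case first, e.g. `if (-not $currentInternetCheck.ConnectionStatus -or -not $newInternetCheck.ConnectionStatus) { Add-LogMessage -Level Warning "... connectivity could not be determined for one or both VMs" }` (testing for "Unknown" after PATCH 04), and only compare in the else branch. An inconclusive check should never be counted as parity.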
@@ -97,18 +97,18 @@ $originalContext = Get-AzContext # Get VMs in current SHM # ---------------------- -$_ = Set-AzContext -SubscriptionId $currentShmSubscription +$_ = Set-AzContext -SubscriptionId $currentSubscription $currentShmVMs = Get-AzVM | Where-Object { $_.Name -NotLike "*shm-deploy*" } -Add-LogMessage -Level Info "Found $($currentShmVMs.Count) VMs in current subscription" +Add-LogMessage -Level Info "Found $($currentShmVMs.Count) VMs in current subscription: '$currentSubscription'" foreach ($VM in $currentShmVMs) { Add-LogMessage -Level Info ".. $($VM.Name)" } # Get VMs in new SHM # ------------------ -$_ = Set-AzContext -SubscriptionId $newShmSubscription +$_ = Set-AzContext -SubscriptionId $newSubscription $newShmVMs = Get-AzVM -Add-LogMessage -Level Info "Found $($newShmVMs.Count) VMs in new subscription" +Add-LogMessage -Level Info "Found $($newShmVMs.Count) VMs in new subscription: '$newSubscription'" foreach ($VM in $newShmVMs) { Add-LogMessage -Level Info ".. $($VM.Name)" } @@ -130,7 +130,7 @@ foreach ($currentVM in $currentShmVMs) { # Get parameters for current VM # ----------------------------- - $_ = Set-AzContext -SubscriptionId $currentShmSubscription + $_ = Set-AzContext -SubscriptionId $currentSubscription # NSG rules $currentEffectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($currentVM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $currentVM.ResourceGroupName $currentRules = $currentEffectiveNSG.EffectiveSecurityRules @@ -139,7 +139,7 @@ foreach ($currentVM in $currentShmVMs) { # Get parameters for new VM # ------------------------- - $_ = Set-AzContext -SubscriptionId $newShmSubscription + $_ = Set-AzContext -SubscriptionId $newSubscription # NSG rules $newEffectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($newVM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $newVM.ResourceGroupName $newRules = $newEffectiveNSG.EffectiveSecurityRules 
@@ -164,7 +164,6 @@ foreach ($currentVM in $currentShmVMs) { } - # Switch back to original subscription # ------------------------------------ $_ = Set-AzContext -Context $originalContext From 4481748788ce028757bbccb6fed0e6c093147243 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 26 Feb 2020 20:12:09 +0000 Subject: [PATCH 04/16] Improved rule checking --- tests/Compare_Deployments.ps1 | 97 ++++++++++++++++++++++++++++------- 1 file changed, 78 insertions(+), 19 deletions(-) diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1 index 3963a71b3d..6685c60a92 100644 --- a/tests/Compare_Deployments.ps1 +++ b/tests/Compare_Deployments.ps1 @@ -56,6 +56,11 @@ function Compare-NSGRules { } else { Add-LogMessage -Level Error "Could not find matching rule for $($currentRule.Name)" $unmatched += $currentRule.Name + Write-Host "currentRule: $($currentRule | Out-String)" + foreach ($newRule in $NewRules) { + Write-Host " newRule: $($newRule | Out-String)" + } + } } 
@@ -81,13 +86,66 @@ function Test-OutboundConnection { if (-Not $networkWatcher) { $networkWatcher = New-AzNetworkWatcher -Name "NetworkWatcher" -ResourceGroupName "NetworkWatcherRG" -Location $VM.Location } - Get-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Name "AzureNetworkWatcherExtension" -ErrorVariable NotInstalled -ErrorAction SilentlyContinue - if ($NotInstalled) { - Set-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Location $VM.Location -Name "networkWatcherAgent" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -TypeHandlerVersion "1.4" + $networkWatcherExtension = Get-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name | Where-Object { $_.Publisher -eq "Microsoft.Azure.NetworkWatcher" } + if (-Not $networkWatcherExtension) { + Add-LogMessage -Level Info "... attempting to register the AzureNetworkWatcherExtension on $($VM.Name). This may take some time." + $_ = Set-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Location $VM.Location -Name "networkWatcherAgent" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -TypeHandlerVersion "1.4" -ErrorVariable NotInstalled -ErrorAction SilentlyContinue + if ($NotInstalled) { + return "Unknown" + } + } + Add-LogMessage -Level Info "... 
testing connectivity" + $networkCheck = Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM.Id -DestinationAddress $DestinationAddress -DestinationPort $DestinationPort -ErrorVariable NotAvailable -ErrorAction SilentlyContinue + if ($NotAvailable) { + return "Unknown" + } else { + return $networkCheck.ConnectionStatus } - return Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM.Id -DestinationAddress $DestinationAddress -DestinationPort $DestinationPort } +function Get-NSGRules { + param ( + [Parameter(Position = 0)][ValidateNotNullOrEmpty()] + [Microsoft.Azure.Commands.Compute.Models.PSVirtualMachine] $VM + ) + $effectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($VM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $VM.ResourceGroupName -ErrorVariable NotAvailable -ErrorAction SilentlyContinue + if ($NotAvailable) { + # Not able to get effective rules so we'll construct them by hand + # Get rules from NSG directly attached to the NIC + $nic = Get-AzNetworkInterface | Where-Object { $_.Id -eq $VM.NetworkProfile.NetworkInterfaces.Id } + $directRules = $nic.NetworkSecurityGroup.SecurityRules + $nic.NetworkSecurityGroup.DefaultSecurityRules + # Get rules from NSG attached to the subnet + $nsg = Get-AzNetworkSecurityGroup | Where-Object { $_.Subnets.Id -eq $nic.IpConfigurations.Subnet.Id } + $effectiveRules = @() + # Convert each PSSecurityRule into a PSEffectiveSecurityRule + foreach ($rule in ($directRules + $nsg.SecurityRules + $nsg.DefaultSecurityRules)) { + $effectiveRule = [Microsoft.Azure.Commands.Network.Models.PSEffectiveSecurityRule]::new() + $effectiveRule.Name = $rule.Name + $effectiveRule.Protocol = $rule.Protocol.Replace("*", "All") + # Source port range + $effectiveRule.SourcePortRange = New-Object System.Collections.Generic.List[string] + if ($rule.SourcePortRange[0] -eq "*") { $effectiveRule.SourcePortRange.Add("0-65535") } + # elseif 
($rule.SourcePortRange.Count -eq "1") { $effectiveRule.SourcePortRange.Add("$($rule.SourcePortRange[0])-$($rule.SourcePortRange[0])") } + elseif (-Not $rule.SourcePortRange.Contains("-")) { $effectiveRule.SourcePortRange.Add("$($rule.SourcePortRange[0])-$($rule.SourcePortRange[0])") } + else { $effectiveRule.SourcePortRange = $rule.SourcePortRange } + # Destination port range + $effectiveRule.DestinationPortRange = New-Object System.Collections.Generic.List[string] + if ($rule.DestinationPortRange[0] -eq "*") { $effectiveRule.DestinationPortRange.Add("0-65535") } + # elseif ($rule.DestinationPortRange.Count -eq "1") { $effectiveRule.DestinationPortRange.Add("$($rule.DestinationPortRange[0])-$($rule.DestinationPortRange[0])") } + elseif (-Not $rule.DestinationPortRange.Contains("-")) { $effectiveRule.DestinationPortRange.Add("$($rule.DestinationPortRange[0])-$($rule.DestinationPortRange[0])") } + else { $effectiveRule.DestinationPortRange = $rule.DestinationPortRange } + $effectiveRule.SourceAddressPrefix = $rule.SourceAddressPrefix + $effectiveRule.DestinationAddressPrefix = $rule.DestinationAddressPrefix + $effectiveRule.Access = $rule.Access + $effectiveRule.Priority = $rule.Priority + $effectiveRule.Direction = $rule.Direction + $effectiveRules = $effectiveRules + $effectiveRule + } + return $effectiveRules + } else { + return $effectiveNSG.EffectiveSecurityRules + } +} # Get original context before switching subscription 
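Review bot: The fallback branch of Get-NSGRules, taken when Get-AzEffectiveNetworkSecurityGroup reports an error, returns a hand-built approximation of the effective rules with nothing in the log to say so, so a green "Matched n/n rules" line can come from two reconstructed lists; add `Add-LogMessage -Level Warning "Effective rules unavailable for $($VM.Name); reconstructing from NIC and subnet NSGs"` at the top of the branch. I believe Get-AzNetworkInterface returns the NIC's NSG as a reference with only `Id` populated, in which case `$nic.NetworkSecurityGroup.SecurityRules` is empty and NIC-attached rules are silently dropped from the reconstruction; please confirm and, if so, look the group up with Get-AzNetworkSecurityGroup using the name and resource group parsed from that Id. The reconstruction also concatenates subnet and NIC rules into one flat list, which is a deliberate simplification worth stating in the comment, since the two groups are evaluated as separate stages. In Test-OutboundConnection the connectivity test is issued immediately after Set-AzVMExtension, without waiting for the extension to finish provisioning, so the first run against a VM without the agent is likely to return Unknown; the function's opening lines are outside this hunk.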
@@ -116,11 +174,16 @@ foreach ($VM in $newShmVMs) { # Create a hash table which maps current SHM VMs to new ones # ---------------------------------------------------------- $vmHashTable = @{} -$newShmVMNames = $newShmVMs | ForEach-Object { $_.Name } - foreach ($currentVM in $currentShmVMs) { - $newVM = $newShmVMs | Where-Object { $_.Name -eq $(Select-ClosestMatch -Array $newShmVMNames -Value $currentVM.Name) } + $nameToCheck = $currentVM.Name + # Override matches for names that would otherwise fail + if ($nameToCheck.StartsWith("RDSSH1")) { $nameToCheck = $nameToCheck.Replace("RDSSH1", "APP-SRE")} + if ($nameToCheck.StartsWith("RDSSH2")) { $nameToCheck = $nameToCheck.Replace("RDSSH2", "DKP-SRE")} + # Only match against names that have not been matched yet + $newShmVMNames = $newShmVMs | ForEach-Object { $_.Name } | Where-Object { ($vmHashTable.Values | ForEach-Object { $_.Name }) -NotContains $_ } + $newVM = $newShmVMs | Where-Object { $_.Name -eq $(Select-ClosestMatch -Array $newShmVMNames -Value $nameToCheck) } $vmHashTable[$currentVM] = $newVM + Add-LogMessage -Level Info "matched $($currentVM.Name) => $($newVM.Name)" } # Iterate over paired VMs checking their network settings 
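Review bot: The pairing loop always pairs a current VM with the closest remaining name and never checks how close that is, so a VM with no counterpart in the new deployment is not reported as missing; it is compared against an unrelated VM and its rules show up as mismatches attributed to the wrong machine. Once more current VMs than new ones remain, `$newShmVMNames` is empty, Select-ClosestMatch rejects it through `[ValidateNotNullOrEmpty()]`, the assignment fails, and `$newVM` keeps whatever it held from the previous iteration (or `$null`), which is then stored in `$vmHashTable` and dereferenced by the checking loop. Guard the result in this loop with `if (-not $newVM) { Add-LogMessage -Level Failure "No VM in '$newSubscription' matches $($currentVM.Name)"; continue }` and skip unpaired entries at the top of the checking loop, and consider logging the match score so a poor pairing is visible. The RDSSH1/RDSSH2 renames are undocumented magic; a comment giving the reason, or a small `$nameOverrides` hashtable at the top of the script, would make them maintainable.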
@@ -131,19 +194,15 @@ foreach ($currentVM in $currentShmVMs) { # Get parameters for current VM # ----------------------------- $_ = Set-AzContext -SubscriptionId $currentSubscription - # NSG rules - $currentEffectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($currentVM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $currentVM.ResourceGroupName - $currentRules = $currentEffectiveNSG.EffectiveSecurityRules - # Internet out + Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($currentVM.Name)" + $currentRules = Get-NSGRules -VM $currentVM $currentInternetCheck = Test-OutboundConnection -VM $currentVM -DestinationAddress "google.com" -DestinationPort 80 # Get parameters for new VM # ------------------------- $_ = Set-AzContext -SubscriptionId $newSubscription - # NSG rules - $newEffectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($newVM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $newVM.ResourceGroupName - $newRules = $newEffectiveNSG.EffectiveSecurityRules - # Internet out + Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($newVM.Name)" + $newRules = Get-NSGRules -VM $newVM $newInternetCheck = Test-OutboundConnection -VM $newVM -DestinationAddress "google.com" -DestinationPort 80 # Check that each NSG rule has a matching equivalent (which might be named differently) 
@@ -155,11 +214,11 @@ foreach ($currentVM in $currentShmVMs) { # Check that internet connectivity is the same for matched VMs Add-LogMessage -Level Info "Comparing internet connectivity for $($currentVM.Name) and $($newVM.Name)..." - if ($currentInternetCheck.ConnectionStatus -eq $newInternetCheck.ConnectionStatus) { - Add-LogMessage -Level Success "... the internet is '$($currentInternetCheck.ConnectionStatus)' from both" + if ($currentInternetCheck -eq $newInternetCheck) { + Add-LogMessage -Level Success "... the internet is '$($currentInternetCheck)' from both" } else { - Add-LogMessage -Level Failure "... the internet is '$($currentInternetCheck.ConnectionStatus)' from $($currentVM.Name)" - Add-LogMessage -Level Failure "... the internet is '$($newInternetCheck.ConnectionStatus)' from $($newVM.Name)" + Add-LogMessage -Level Failure "... the internet is '$($currentInternetCheck)' from $($currentVM.Name)" + Add-LogMessage -Level Failure "... the internet is '$($newInternetCheck)' from $($newVM.Name)" } } From 285347309cd318251e5f79178cd0a881414c16c7 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 26 Feb 2020 23:02:06 +0000 Subject: [PATCH 05/16] Fixed matching logic --- tests/Compare_Deployments.ps1 | 68 ++++++++++++++++++++++------------- 1 file changed, 44 insertions(+), 24 deletions(-) diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1 index 6685c60a92..836c605c86 100644 --- a/tests/Compare_Deployments.ps1 +++ b/tests/Compare_Deployments.ps1 @@ -32,8 +32,8 @@ function Compare-NSGRules { ) $nMatched = 0 $unmatched = @() - $matchFound = $false foreach ($currentRule in $CurrentRules) { + $matchFound = $false foreach ($newRule in $NewRules) { if ( ($currentRule.Protocol -eq $newRule.Protocol) -and 
@@ -56,11 +56,10 @@ function Compare-NSGRules { } else { Add-LogMessage -Level Error "Could not find matching rule for $($currentRule.Name)" $unmatched += $currentRule.Name - Write-Host "currentRule: $($currentRule | Out-String)" - foreach ($newRule in $NewRules) { - Write-Host " newRule: $($newRule | Out-String)" - } - + Add-LogMessage -Level Error "Existing rule:" + $currentRule | Out-String + Add-LogMessage -Level Error "New rule (if any) with same priority:" + $NewRules | Where-Object { ($_.Priority -eq $currentRule.Priority) -and ($_.Direction -eq $currentRule.Direction) } | Out-String } } 
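Review bot: The two diagnostic lines `$currentRule | Out-String` and `$NewRules | Where-Object { ... } | Out-String` write to the function's success output stream rather than to the log, so Compare-NSGRules now returns strings to its caller; they only reach the console because the call sites do not capture the result, and anyone assigning the result would swallow the diagnostics. Pass the text to the logger instead, e.g. `Add-LogMessage -Level Error ($currentRule | Out-String)`, and likewise for the candidate line. The candidate filter on Priority and Direction is a reasonable heuristic, but naming it in the message (`"Rule(s) with the same priority and direction:"`) would be less misleading than a bare "closest match" when the true counterpart has a different priority.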
@@ -124,18 +123,32 @@ function Get-NSGRules { $effectiveRule.Protocol = $rule.Protocol.Replace("*", "All") # Source port range $effectiveRule.SourcePortRange = New-Object System.Collections.Generic.List[string] - if ($rule.SourcePortRange[0] -eq "*") { $effectiveRule.SourcePortRange.Add("0-65535") } - # elseif ($rule.SourcePortRange.Count -eq "1") { $effectiveRule.SourcePortRange.Add("$($rule.SourcePortRange[0])-$($rule.SourcePortRange[0])") } - elseif (-Not $rule.SourcePortRange.Contains("-")) { $effectiveRule.SourcePortRange.Add("$($rule.SourcePortRange[0])-$($rule.SourcePortRange[0])") } - else { $effectiveRule.SourcePortRange = $rule.SourcePortRange } + if ($rule.SourcePortRange[0] -eq "*") { + $effectiveRule.SourcePortRange.Add("0-65535") + } else { + foreach ($port in $rule.SourcePortRange) { + if ($port.Contains("-")) { $effectiveRule.SourcePortRange.Add($port) } + else { $effectiveRule.SourcePortRange.Add("$port-$port") } + } + } # Destination port range $effectiveRule.DestinationPortRange = New-Object System.Collections.Generic.List[string] - if ($rule.DestinationPortRange[0] -eq "*") { $effectiveRule.DestinationPortRange.Add("0-65535") } - # elseif ($rule.DestinationPortRange.Count -eq "1") { $effectiveRule.DestinationPortRange.Add("$($rule.DestinationPortRange[0])-$($rule.DestinationPortRange[0])") } - elseif (-Not $rule.DestinationPortRange.Contains("-")) { $effectiveRule.DestinationPortRange.Add("$($rule.DestinationPortRange[0])-$($rule.DestinationPortRange[0])") } - else { $effectiveRule.DestinationPortRange = $rule.DestinationPortRange } - $effectiveRule.SourceAddressPrefix = $rule.SourceAddressPrefix - $effectiveRule.DestinationAddressPrefix = $rule.DestinationAddressPrefix + if ($rule.DestinationPortRange[0] -eq "*") { + $effectiveRule.DestinationPortRange.Add("0-65535") + } else { + foreach ($port in $rule.DestinationPortRange) { + if ($port.Contains("-")) { $effectiveRule.DestinationPortRange.Add($port) } + else { 
$effectiveRule.DestinationPortRange.Add("$port-$port") } + } + } + # Source address prefix + $effectiveRule.SourceAddressPrefix = New-Object System.Collections.Generic.List[string] + if ($rule.SourceAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Add("*") } + else { $effectiveRule.SourceAddressPrefix = $rule.SourceAddressPrefix } + # Destination address prefix + $effectiveRule.DestinationAddressPrefix = New-Object System.Collections.Generic.List[string] + if ($rule.DestinationAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Add("*") } + else { $effectiveRule.DestinationAddressPrefix = $rule.DestinationAddressPrefix } $effectiveRule.Access = $rule.Access $effectiveRule.Priority = $rule.Priority $effectiveRule.Direction = $rule.Direction @@ -143,7 +156,12 @@ function Get-NSGRules { } return $effectiveRules } else { - return $effectiveNSG.EffectiveSecurityRules + $effectiveRules = $effectiveNSG.EffectiveSecurityRules + foreach ($effectiveRule in $effectiveRules) { + if ($effectiveRule.SourceAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Clear(); $effectiveRule.SourceAddressPrefix.Add("*") } + if ($effectiveRule.DestinationAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Clear(); $effectiveRule.DestinationAddressPrefix.Add("*") } + } + return $effectiveRules } } @@ -159,7 +177,7 @@ $_ = Set-AzContext -SubscriptionId $currentSubscription $currentShmVMs = Get-AzVM | Where-Object { $_.Name -NotLike "*shm-deploy*" } Add-LogMessage -Level Info "Found $($currentShmVMs.Count) VMs in current subscription: '$currentSubscription'" foreach ($VM in $currentShmVMs) { - Add-LogMessage -Level Info ".. $($VM.Name)" + Add-LogMessage -Level Info "... $($VM.Name)" } # Get VMs in new SHM 
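Review bot: The `0.0.0.0/0` to `*` canonicalisation is now written four times (source and destination prefix, in both the reconstructed and the effective branches) and each copy inspects only element `[0]` of the list, so a multi-prefix rule with `0.0.0.0/0` at a later index would still compare unequal to its `*` counterpart under the `[string]` comparison in Compare-NSGRules. A small helper, say `ConvertTo-CanonicalPrefixList`, applied to every prefix list in one place would keep the equality rule in one spot and make further equivalences easy to add; which other forms the two deployments actually differ in is not visible here, so only add the ones that show up in the log. The two port-range loops have the same shape and could share a helper too. Get-NSGRules starts before this hunk.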
@@ -168,7 +186,7 @@ $_ = Set-AzContext -SubscriptionId $newSubscription $newShmVMs = Get-AzVM Add-LogMessage -Level Info "Found $($newShmVMs.Count) VMs in new subscription: '$newSubscription'" foreach ($VM in $newShmVMs) { - Add-LogMessage -Level Info ".. $($VM.Name)" + Add-LogMessage -Level Info "... $($VM.Name)" } # Create a hash table which maps current SHM VMs to new ones @@ -177,8 +195,10 @@ $vmHashTable = @{} foreach ($currentVM in $currentShmVMs) { $nameToCheck = $currentVM.Name # Override matches for names that would otherwise fail - if ($nameToCheck.StartsWith("RDSSH1")) { $nameToCheck = $nameToCheck.Replace("RDSSH1", "APP-SRE")} - if ($nameToCheck.StartsWith("RDSSH2")) { $nameToCheck = $nameToCheck.Replace("RDSSH2", "DKP-SRE")} + if ($nameToCheck.StartsWith("RDSSH1")) { $nameToCheck = $nameToCheck.Replace("RDSSH1", "APP-SRE") } + if ($nameToCheck.StartsWith("RDSSH2")) { $nameToCheck = $nameToCheck.Replace("RDSSH2", "DKP-SRE") } + if ($nameToCheck.StartsWith("CRAN-MIRROR")) { $nameToCheck = $nameToCheck.Replace("MIRROR", "") } + if ($nameToCheck.StartsWith("PYPI-MIRROR")) { $nameToCheck = $nameToCheck.Replace("MIRROR", "") } # Only match against names that have not been matched yet $newShmVMNames = $newShmVMs | ForEach-Object { $_.Name } | Where-Object { ($vmHashTable.Values | ForEach-Object { $_.Name }) -NotContains $_ } $newVM = $newShmVMs | Where-Object { $_.Name -eq $(Select-ClosestMatch -Array $newShmVMNames -Value $nameToCheck) } 
@@ -215,10 +235,10 @@ foreach ($currentVM in $currentShmVMs) { # Check that internet connectivity is the same for matched VMs Add-LogMessage -Level Info "Comparing internet connectivity for $($currentVM.Name) and $($newVM.Name)..." if ($currentInternetCheck -eq $newInternetCheck) { - Add-LogMessage -Level Success "... the internet is '$($currentInternetCheck)' from both" + Add-LogMessage -Level Success "The internet is '$($currentInternetCheck)' from both" } else { - Add-LogMessage -Level Failure "... the internet is '$($currentInternetCheck)' from $($currentVM.Name)" - Add-LogMessage -Level Failure "... the internet is '$($newInternetCheck)' from $($newVM.Name)" + Add-LogMessage -Level Failure "The internet is '$($currentInternetCheck)' from $($currentVM.Name)" + Add-LogMessage -Level Failure "The internet is '$($newInternetCheck)' from $($newVM.Name)" } } From 32664acae378da46b9435b9a8e2def91dfa509e5 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 27 Feb 2020 11:19:49 +0000 Subject: [PATCH 06/16] Updated NSG rule retrieval --- tests/Compare_Deployments.ps1 | 78 ++++++++++++++++++++++++----------- 1 file changed, 53 insertions(+), 25 deletions(-) diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1 index 836c605c86..0a3c373d25 100644 --- a/tests/Compare_Deployments.ps1 +++ b/tests/Compare_Deployments.ps1 @@ -56,9 +56,8 @@ function Compare-NSGRules { } else { Add-LogMessage -Level Error "Could not find matching rule for $($currentRule.Name)" $unmatched += $currentRule.Name - Add-LogMessage -Level Error "Existing rule:" $currentRule | Out-String - Add-LogMessage -Level Error "New rule (if any) with same priority:" + Add-LogMessage -Level Error "Closest match:" $NewRules | Where-Object { ($_.Priority -eq $currentRule.Priority) -and ($_.Direction -eq $currentRule.Direction) } | Out-String } } 
@@ -85,17 +84,21 @@ function Test-OutboundConnection { if (-Not $networkWatcher) { $networkWatcher = New-AzNetworkWatcher -Name "NetworkWatcher" -ResourceGroupName "NetworkWatcherRG" -Location $VM.Location } - $networkWatcherExtension = Get-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name | Where-Object { $_.Publisher -eq "Microsoft.Azure.NetworkWatcher" } + $networkWatcherExtension = Get-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name | Where-Object { ($_.Publisher -eq "Microsoft.Azure.NetworkWatcher") -and ($_.ProvisioningState -eq "Succeeded") } if (-Not $networkWatcherExtension) { - Add-LogMessage -Level Info "... attempting to register the AzureNetworkWatcherExtension on $($VM.Name). This may take some time." + Add-LogMessage -Level Info "... attempting to register the Azure NetworkWatcher extension on $($VM.Name). This may take some time." $_ = Set-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Location $VM.Location -Name "networkWatcherAgent" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -TypeHandlerVersion "1.4" -ErrorVariable NotInstalled -ErrorAction SilentlyContinue if ($NotInstalled) { + Add-LogMessage -Level Warning "Unable to register extension for $($VM.Name)" + Set-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Location $VM.Location -Name "networkWatcherAgent" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -TypeHandlerVersion "1.4" return "Unknown" } } Add-LogMessage -Level Info "... 
testing connectivity" $networkCheck = Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM.Id -DestinationAddress $DestinationAddress -DestinationPort $DestinationPort -ErrorVariable NotAvailable -ErrorAction SilentlyContinue if ($NotAvailable) { + Add-LogMessage -Level Warning "Unable to test connection for $($VM.Name)" + Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM.Id -DestinationAddress $DestinationAddress -DestinationPort $DestinationPort return "Unknown" } else { return $networkCheck.ConnectionStatus 
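Review bot: When `Set-AzVMExtension` fails, the new warning reports only the VM name and then re-runs the same cmdlet without `-ErrorAction SilentlyContinue`, apparently just to surface the error; that repeats a slow extension deployment purely to print a message, and the block below does the same with `Test-AzNetworkWatcherConnectivity`. The captured `$NotInstalled` and `$NotAvailable` already hold the error records, so log them instead of re-invoking: `Add-LogMessage -Level Warning "Unable to register extension for $($VM.Name): $NotInstalled"` and `Add-LogMessage -Level Warning "Unable to test connection for $($VM.Name): $NotAvailable"`. The later hunk at @@ -80,25 +80,36 @@ (patch 07) drops the re-runs but still discards the error text. Test-OutboundConnection's closing brace is outside the hunk.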
@@ -110,45 +113,70 @@ function Get-NSGRules { $effectiveNSG = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName ($VM.NetworkProfile.NetworkInterfaces.Id -Split '/')[-1] -ResourceGroupName $VM.ResourceGroupName -ErrorVariable NotAvailable -ErrorAction SilentlyContinue if ($NotAvailable) { # Not able to get effective rules so we'll construct them by hand + $rules = @() # Get rules from NSG directly attached to the NIC $nic = Get-AzNetworkInterface | Where-Object { $_.Id -eq $VM.NetworkProfile.NetworkInterfaces.Id } - $directRules = $nic.NetworkSecurityGroup.SecurityRules + $nic.NetworkSecurityGroup.DefaultSecurityRules + $directNsgs = Get-AzNetworkSecurityGroup | Where-Object { $_.Id -eq $nic.NetworkSecurityGroup.Id } + foreach ($directNsg in $directNsgs) { + $rules = $rules + $directNsg.SecurityRules + $directNsg.DefaultSecurityRules + } # Get rules from NSG attached to the subnet - $nsg = Get-AzNetworkSecurityGroup | Where-Object { $_.Subnets.Id -eq $nic.IpConfigurations.Subnet.Id } + $subnetNsgs = Get-AzNetworkSecurityGroup | Where-Object { $_.Subnets.Id -eq $nic.IpConfigurations.Subnet.Id } + foreach ($subnetNsg in $subnetNsgs) { + $rules = $rules + $subnetNsg.SecurityRules + $subnetNsg.DefaultSecurityRules + } $effectiveRules = @() # Convert each PSSecurityRule into a PSEffectiveSecurityRule - foreach ($rule in ($directRules + $nsg.SecurityRules + $nsg.DefaultSecurityRules)) { + foreach ($rule in $rules) { $effectiveRule = [Microsoft.Azure.Commands.Network.Models.PSEffectiveSecurityRule]::new() $effectiveRule.Name = $rule.Name $effectiveRule.Protocol = $rule.Protocol.Replace("*", "All") # Source port range $effectiveRule.SourcePortRange = New-Object System.Collections.Generic.List[string] - if ($rule.SourcePortRange[0] -eq "*") { - $effectiveRule.SourcePortRange.Add("0-65535") - } else { - foreach ($port in $rule.SourcePortRange) { - if ($port.Contains("-")) { $effectiveRule.SourcePortRange.Add($port) } - else { 
$effectiveRule.SourcePortRange.Add("$port-$port") } - } + # if (($rule.SourcePortRange.Count -eq 1) -and ($rule.SourcePortRange[0] -eq "*")) { + # $effectiveRule.SourcePortRange.Add("0-65535") + # } else { + # foreach ($port in $rule.SourcePortRange) { + # if ($port.Contains("-")) { $effectiveRule.SourcePortRange.Add($port) } + # else { $effectiveRule.SourcePortRange.Add("$port-$port") } + # } + # } + foreach ($port in $rule.SourcePortRange) { + if ($port -eq "*") { $effectiveRule.SourcePortRange.Add("0-65535"); break } + elseif ($port.Contains("-")) { $effectiveRule.SourcePortRange.Add($port) } + else { $effectiveRule.SourcePortRange.Add("$port-$port") } } # Destination port range $effectiveRule.DestinationPortRange = New-Object System.Collections.Generic.List[string] - if ($rule.DestinationPortRange[0] -eq "*") { - $effectiveRule.DestinationPortRange.Add("0-65535") - } else { - foreach ($port in $rule.DestinationPortRange) { - if ($port.Contains("-")) { $effectiveRule.DestinationPortRange.Add($port) } - else { $effectiveRule.DestinationPortRange.Add("$port-$port") } - } + # if (($rule.DestinationPortRange.Count -eq 1) -and ($rule.DestinationPortRange[0] -eq "*")) { + # $effectiveRule.DestinationPortRange.Add("0-65535") + # } else { + # foreach ($port in $rule.DestinationPortRange) { + # if ($port.Contains("-")) { $effectiveRule.DestinationPortRange.Add($port) } + # else { $effectiveRule.DestinationPortRange.Add("$port-$port") } + # } + # } + foreach ($port in $rule.DestinationPortRange) { + if ($port -eq "*") { $effectiveRule.DestinationPortRange.Add("0-65535"); break } + elseif ($port.Contains("-")) { $effectiveRule.DestinationPortRange.Add($port) } + else { $effectiveRule.DestinationPortRange.Add("$port-$port") } } # Source address prefix $effectiveRule.SourceAddressPrefix = New-Object System.Collections.Generic.List[string] - if ($rule.SourceAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Add("*") } - else { 
$effectiveRule.SourceAddressPrefix = $rule.SourceAddressPrefix } + # if ($rule.SourceAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Add("*") } + # else { $effectiveRule.SourceAddressPrefix = $rule.SourceAddressPrefix } + foreach ($prefix in $rule.SourceAddressPrefix) { + if ($prefix -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Add("*"); break } + else { $effectiveRule.SourceAddressPrefix.Add($rule.SourceAddressPrefix) } + } # Destination address prefix $effectiveRule.DestinationAddressPrefix = New-Object System.Collections.Generic.List[string] - if ($rule.DestinationAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Add("*") } - else { $effectiveRule.DestinationAddressPrefix = $rule.DestinationAddressPrefix } + # if ($rule.DestinationAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Add("*") } + # else { $effectiveRule.DestinationAddressPrefix = $rule.DestinationAddressPrefix } + foreach ($prefix in $rule.DestinationAddressPrefix) { + if ($prefix -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Add("*"); break } + else { $effectiveRule.DestinationAddressPrefix.Add($rule.DestinationAddressPrefix) } + } $effectiveRule.Access = $rule.Access $effectiveRule.Priority = $rule.Priority $effectiveRule.Direction = $rule.Direction From 7e4995540eb9de1af653572232a7deb1deff99e9 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Fri, 28 Feb 2020 10:00:34 +0000 Subject: [PATCH 07/16] Use correct OS-dependent network watcher --- tests/Compare_Deployments.ps1 | 51 +++++++++++++++-------------------- 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1 index 0a3c373d25..efa3dd71d9 100644 --- a/tests/Compare_Deployments.ps1 +++ b/tests/Compare_Deployments.ps1 
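Review bot: In the new address-prefix loops the `else` branch adds `$rule.SourceAddressPrefix` (the whole collection) rather than the loop variable `$prefix`, and the destination loop likewise adds `$rule.DestinationAddressPrefix`; a rule with several prefixes therefore gets the full list appended once per element (presumably coerced to a single space-joined string by `List[string].Add`) instead of one entry per prefix, and Compare-NSGRules is then likely to report false mismatches against rules obtained from Get-AzEffectiveNetworkSecurityGroup. The fix is `else { $effectiveRule.SourceAddressPrefix.Add($prefix) }` and `else { $effectiveRule.DestinationAddressPrefix.Add($prefix) }`. The same lines are carried unchanged into Convert-RuleToEffectiveRule in the hunk at @@ -118,6 +120,47 @@ (patch 09). Get-NSGRules continues outside the hunk.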
@@ -25,9 +25,9 @@ function Select-ClosestMatch { function Compare-NSGRules { param ( - [Parameter()][ValidateNotNullOrEmpty()] + [Parameter()] [System.Array] $CurrentRules, - [Parameter()][ValidateNotNullOrEmpty()] + [Parameter()] [System.Array] $NewRules ) $nMatched = 0 @@ -57,7 +57,7 @@ function Compare-NSGRules { Add-LogMessage -Level Error "Could not find matching rule for $($currentRule.Name)" $unmatched += $currentRule.Name $currentRule | Out-String - Add-LogMessage -Level Error "Closest match:" + Add-LogMessage -Level Info "Closest match was:" $NewRules | Where-Object { ($_.Priority -eq $currentRule.Priority) -and ($_.Direction -eq $currentRule.Direction) } | Out-String } } 
@@ -80,25 +80,36 @@ function Test-OutboundConnection { [Parameter(Position = 1)][ValidateNotNullOrEmpty()] [string] $DestinationPort ) + # Get the network watcher, creating a new one if required $networkWatcher = Get-AzNetworkWatcher | Where-Object -Property Location -EQ -Value $VM.Location if (-Not $networkWatcher) { $networkWatcher = New-AzNetworkWatcher -Name "NetworkWatcher" -ResourceGroupName "NetworkWatcherRG" -Location $VM.Location } + # Ensure that the VM has the extension installed (if we have permissions for this) $networkWatcherExtension = Get-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name | Where-Object { ($_.Publisher -eq "Microsoft.Azure.NetworkWatcher") -and ($_.ProvisioningState -eq "Succeeded") } if (-Not $networkWatcherExtension) { - Add-LogMessage -Level Info "... attempting to register the Azure NetworkWatcher extension on $($VM.Name). This may take some time." - $_ = Set-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Location $VM.Location -Name "networkWatcherAgent" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -TypeHandlerVersion "1.4" -ErrorVariable NotInstalled -ErrorAction SilentlyContinue - if ($NotInstalled) { - Add-LogMessage -Level Warning "Unable to register extension for $($VM.Name)" - Set-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Location $VM.Location -Name "networkWatcherAgent" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -TypeHandlerVersion "1.4" - return "Unknown" + Add-LogMessage -Level Info "... registering the Azure NetworkWatcher extension on $($VM.Name). 
" + # Add the Windows extension + if ($VM.OSProfile.WindowsConfiguration) { + $_ = Set-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Location $VM.Location -Name "AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -TypeHandlerVersion "1.4" -ErrorVariable NotInstalled -ErrorAction SilentlyContinue + if ($NotInstalled) { + Add-LogMessage -Level Warning "Unable to register Windows network watcher extension for $($VM.Name)" + return "Unknown" + } + } + # Add the Linux extension + if ($VM.OSProfile.LinuxConfiguration) { + $_ = Set-AzVMExtension -ResourceGroupName $VM.ResourceGroupName -VMName $VM.Name -Location $VM.Location -Name "AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentLinux" -TypeHandlerVersion "1.4" -ErrorVariable NotInstalled -ErrorAction SilentlyContinue + if ($NotInstalled) { + Add-LogMessage -Level Warning "Unable to register Linux network watcher extension for $($VM.Name)" + return "Unknown" + } } } Add-LogMessage -Level Info "... testing connectivity" $networkCheck = Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM.Id -DestinationAddress $DestinationAddress -DestinationPort $DestinationPort -ErrorVariable NotAvailable -ErrorAction SilentlyContinue if ($NotAvailable) { Add-LogMessage -Level Warning "Unable to test connection for $($VM.Name)" - Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM.Id -DestinationAddress $DestinationAddress -DestinationPort $DestinationPort return "Unknown" } else { return $networkCheck.ConnectionStatus 
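Review bot: If `$VM.OSProfile` has neither `WindowsConfiguration` nor `LinuxConfiguration` populated (a VM built from a specialised disk, for example), both new branches are skipped and the code falls through to `Test-AzNetworkWatcherConnectivity` with no extension installed, which presumably then surfaces as the generic "Unable to test connection" warning rather than the real cause; an `else { Add-LogMessage -Level Warning "Could not determine OS type for $($VM.Name)"; return "Unknown" }` after the Linux branch makes that explicit. The two `$_ = Set-AzVMExtension` lines discard output by assigning to the pipeline variable; `$null = Set-AzVMExtension ...` is the conventional form and avoids clobbering `$_` if this code is ever moved inside a script block. Test-OutboundConnection's closing brace is outside the hunk.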
@@ -133,14 +144,6 @@ function Get-NSGRules { $effectiveRule.Protocol = $rule.Protocol.Replace("*", "All") # Source port range $effectiveRule.SourcePortRange = New-Object System.Collections.Generic.List[string] - # if (($rule.SourcePortRange.Count -eq 1) -and ($rule.SourcePortRange[0] -eq "*")) { - # $effectiveRule.SourcePortRange.Add("0-65535") - # } else { - # foreach ($port in $rule.SourcePortRange) { - # if ($port.Contains("-")) { $effectiveRule.SourcePortRange.Add($port) } - # else { $effectiveRule.SourcePortRange.Add("$port-$port") } - # } - # } foreach ($port in $rule.SourcePortRange) { if ($port -eq "*") { $effectiveRule.SourcePortRange.Add("0-65535"); break } elseif ($port.Contains("-")) { $effectiveRule.SourcePortRange.Add($port) } @@ -148,14 +151,6 @@ function Get-NSGRules { } # Destination port range $effectiveRule.DestinationPortRange = New-Object System.Collections.Generic.List[string] - # if (($rule.DestinationPortRange.Count -eq 1) -and ($rule.DestinationPortRange[0] -eq "*")) { - # $effectiveRule.DestinationPortRange.Add("0-65535") - # } else { - # foreach ($port in $rule.DestinationPortRange) { - # if ($port.Contains("-")) { $effectiveRule.DestinationPortRange.Add($port) } - # else { $effectiveRule.DestinationPortRange.Add("$port-$port") } - # } - # } foreach ($port in $rule.DestinationPortRange) { if ($port -eq "*") { $effectiveRule.DestinationPortRange.Add("0-65535"); break } elseif ($port.Contains("-")) { $effectiveRule.DestinationPortRange.Add($port) } 
@@ -163,16 +158,12 @@ function Get-NSGRules { } # Source address prefix $effectiveRule.SourceAddressPrefix = New-Object System.Collections.Generic.List[string] - # if ($rule.SourceAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Add("*") } - # else { $effectiveRule.SourceAddressPrefix = $rule.SourceAddressPrefix } foreach ($prefix in $rule.SourceAddressPrefix) { if ($prefix -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Add("*"); break } else { $effectiveRule.SourceAddressPrefix.Add($rule.SourceAddressPrefix) } } # Destination address prefix $effectiveRule.DestinationAddressPrefix = New-Object System.Collections.Generic.List[string] - # if ($rule.DestinationAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Add("*") } - # else { $effectiveRule.DestinationAddressPrefix = $rule.DestinationAddressPrefix } foreach ($prefix in $rule.DestinationAddressPrefix) { if ($prefix -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Add("*"); break } else { $effectiveRule.DestinationAddressPrefix.Add($rule.DestinationAddressPrefix) } From f17311fb09450c7449d17e942b5a5e3ded2de41a Mon Sep 17 00:00:00 2001 From: James Robinson Date: Fri, 28 Feb 2020 14:29:24 +0000 Subject: [PATCH 08/16] Updated matching rule --- tests/Compare_Deployments.ps1 | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1 index efa3dd71d9..e8008b4efb 100644 --- a/tests/Compare_Deployments.ps1 +++ b/tests/Compare_Deployments.ps1 
@@ -33,24 +33,26 @@ function Compare-NSGRules { $nMatched = 0 $unmatched = @() foreach ($currentRule in $CurrentRules) { - $matchFound = $false + $lowestDifference = 99 + $closestMatchingRule = $null foreach ($newRule in $NewRules) { - if ( - ($currentRule.Protocol -eq $newRule.Protocol) -and - ([string]($currentRule.SourcePortRange) -eq [string]($newRule.SourcePortRange)) -and - ([string]($currentRule.DestinationPortRange) -eq [string]($newRule.DestinationPortRange)) -and - ([string]($currentRule.SourceAddressPrefix) -eq [string]($newRule.SourceAddressPrefix)) -and - ([string]($currentRule.DestinationAddressPrefix) -eq [string]($newRule.DestinationAddressPrefix)) -and - ($currentRule.Access -eq $newRule.Access) -and - ($currentRule.Priority -eq $newRule.Priority) -and - ($currentRule.Direction -eq $newRule.Direction) - ) { - $matchFound = $true - break + $difference = 0 + if ($currentRule.Protocol -ne $newRule.Protocol) { $difference += 1 } + if ([string]($currentRule.SourcePortRange) -ne [string]($newRule.SourcePortRange)) { $difference += 1 } + if ([string]($currentRule.DestinationPortRange) -ne [string]($newRule.DestinationPortRange)) { $difference += 1 } + if ([string]($currentRule.SourceAddressPrefix) -ne [string]($newRule.SourceAddressPrefix)) { $difference += 1 } + if ([string]($currentRule.DestinationAddressPrefix) -ne [string]($newRule.DestinationAddressPrefix)) { $difference += 1 } + if ($currentRule.Access -ne $newRule.Access) { $difference += 1 } + if ($currentRule.Priority -ne $newRule.Priority) { $difference += 1 } + if ($currentRule.Direction -ne $newRule.Direction) { $difference += 1 } + if ($difference -lt $lowestDifference) { + $lowestDifference = $difference + $closestMatchingRule = $newRule } + if ($difference -eq 0) { break } } - if ($matchFound) { + if ($lowestDifference -eq 0) { $nMatched += 1 if ($VerboseLogging) { Add-LogMessage -Level Info "Found matching rule for $($currentRule.Name)" } } else { 
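Review bot: The new scoring only keeps a count in `$difference`, so when `$closestMatchingRule` is reported the reader still has to compare eight fields by eye to see why it was rejected, and an `Access` difference (Allow vs Deny) is indistinguishable from a `Priority` one; recording the names of the differing fields costs nothing here and gives the "Closest match was:" report (next hunk) something concrete to print. The sentinel `$lowestDifference = 99` also silently depends on there being fewer than 99 compared fields; `[int]::MaxValue` states the intent, and `$closestDifferingFields = @()` belongs next to `$closestMatchingRule = $null`. Compare-NSGRules continues outside the hunk.
```powershell
        foreach ($newRule in $NewRules) {
            # Track which fields differ so the "closest match" report can say why a rule was rejected
            $differingFields = @()
            foreach ($field in @("Protocol", "SourcePortRange", "DestinationPortRange", "SourceAddressPrefix", "DestinationAddressPrefix", "Access", "Priority", "Direction")) {
                if ([string]($currentRule.$field) -ne [string]($newRule.$field)) { $differingFields += $field }
            }
            $difference = $differingFields.Count
            if ($difference -lt $lowestDifference) {
                $lowestDifference = $difference
                $closestMatchingRule = $newRule
                $closestDifferingFields = $differingFields
            }
            if ($difference -eq 0) { break }
        }
```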
@@ -58,7 +60,7 @@ function Compare-NSGRules { $unmatched += $currentRule.Name $currentRule | Out-String Add-LogMessage -Level Info "Closest match was:" - $NewRules | Where-Object { ($_.Priority -eq $currentRule.Priority) -and ($_.Direction -eq $currentRule.Direction) } | Out-String + $closestMatchingRule | Out-String } } From 7b3cd3ba77c92ff8a19dcd81840ec521b7facd0b Mon Sep 17 00:00:00 2001 From: James Robinson Date: Mon, 2 Mar 2020 16:58:19 +0000 Subject: [PATCH 09/16] Added ability to read/write configs to/from JSON file. Added two sample JSON files. --- tests/Compare_Deployments.ps1 | 241 +-- tests/benchmark_shm.json | 2834 +++++++++++++++++++++++++++++++++ tests/benchmark_sre.json | 1214 ++++++++++++++ 3 files changed, 4190 insertions(+), 99 deletions(-) create mode 100644 tests/benchmark_shm.json create mode 100644 tests/benchmark_sre.json diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1 index e8008b4efb..b108785018 100644 --- a/tests/Compare_Deployments.ps1 +++ b/tests/Compare_Deployments.ps1 @@ -1,9 +1,11 @@ # You will need `Install-Package Communary.PASM` param( - [Parameter(Mandatory = $true, HelpMessage = "Name of the current (working) subscription")] - [string]$currentSubscription, - [Parameter(Mandatory = $true, HelpMessage = "Name of the new (proposed) subscription")] - [string]$newSubscription, + [Parameter(Mandatory = $true, HelpMessage = "Name of the test (proposed) subscription")] + [string]$Subscription, + [Parameter(ParameterSetName="BenchmarkSubscription", Mandatory = $true, HelpMessage = "Name of the benchmark subscription to compare against")] + [string]$BenchmarkSubscription, + [Parameter(ParameterSetName="BenchmarkConfig", Mandatory = $true, HelpMessage = "Path to the benchmark config to compare against")] + [string]$BenchmarkConfig, [Parameter(Mandatory = $false, HelpMessage = "Print verbose logging messages")] [switch]$VerboseLogging = $false ) 
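Review bot: The new `BenchmarkSubscription`/`BenchmarkConfig` parameter sets have no default, so a call that supplies only `-Subscription` presumably fails with a parameter-set-resolution error rather than prompting for the missing benchmark value; adding `[CmdletBinding(DefaultParameterSetName = "BenchmarkSubscription")]` above `param(` gives PowerShell a set to fall back on and turns that into the normal mandatory-parameter prompt. The help text for `$Subscription` could also say that the benchmark is supplied by exactly one of `-BenchmarkSubscription` or `-BenchmarkConfig`, since nothing else on the page documents the two modes.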
@@ -26,39 +28,39 @@ function Select-ClosestMatch { function Compare-NSGRules { param ( [Parameter()] - [System.Array] $CurrentRules, + [System.Array] $BenchmarkRules, [Parameter()] - [System.Array] $NewRules + [System.Array] $TestRules ) $nMatched = 0 $unmatched = @() - foreach ($currentRule in $CurrentRules) { + foreach ($benchmarkRule in $BenchmarkRules) { $lowestDifference = 99 $closestMatchingRule = $null - foreach ($newRule in $NewRules) { + foreach ($testRule in $TestRules) { $difference = 0 - if ($currentRule.Protocol -ne $newRule.Protocol) { $difference += 1 } - if ([string]($currentRule.SourcePortRange) -ne [string]($newRule.SourcePortRange)) { $difference += 1 } - if ([string]($currentRule.DestinationPortRange) -ne [string]($newRule.DestinationPortRange)) { $difference += 1 } - if ([string]($currentRule.SourceAddressPrefix) -ne [string]($newRule.SourceAddressPrefix)) { $difference += 1 } - if ([string]($currentRule.DestinationAddressPrefix) -ne [string]($newRule.DestinationAddressPrefix)) { $difference += 1 } - if ($currentRule.Access -ne $newRule.Access) { $difference += 1 } - if ($currentRule.Priority -ne $newRule.Priority) { $difference += 1 } - if ($currentRule.Direction -ne $newRule.Direction) { $difference += 1 } + if ($benchmarkRule.Protocol -ne $testRule.Protocol) { $difference += 1 } + if ([string]($benchmarkRule.SourcePortRange) -ne [string]($testRule.SourcePortRange)) { $difference += 1 } + if ([string]($benchmarkRule.DestinationPortRange) -ne [string]($testRule.DestinationPortRange)) { $difference += 1 } + if ([string]($benchmarkRule.SourceAddressPrefix) -ne [string]($testRule.SourceAddressPrefix)) { $difference += 1 } + if ([string]($benchmarkRule.DestinationAddressPrefix) -ne [string]($testRule.DestinationAddressPrefix)) { $difference += 1 } + if ($benchmarkRule.Access -ne $testRule.Access) { $difference += 1 } + if ($benchmarkRule.Priority -ne $testRule.Priority) { $difference += 1 } + if ($benchmarkRule.Direction -ne $testRule.Direction) { 
$difference += 1 } if ($difference -lt $lowestDifference) { $lowestDifference = $difference - $closestMatchingRule = $newRule + $closestMatchingRule = $testRule } if ($difference -eq 0) { break } } if ($lowestDifference -eq 0) { $nMatched += 1 - if ($VerboseLogging) { Add-LogMessage -Level Info "Found matching rule for $($currentRule.Name)" } + if ($VerboseLogging) { Add-LogMessage -Level Info "Found matching rule for $($benchmarkRule.Name)" } } else { - Add-LogMessage -Level Error "Could not find matching rule for $($currentRule.Name)" - $unmatched += $currentRule.Name - $currentRule | Out-String + Add-LogMessage -Level Error "Could not find matching rule for $($benchmarkRule.Name)" + $unmatched += $benchmarkRule.Name + $benchmarkRule | Out-String Add-LogMessage -Level Info "Closest match was:" $closestMatchingRule | Out-String } 
@@ -118,6 +120,47 @@ function Test-OutboundConnection { } } +function Convert-RuleToEffectiveRule { + param ( + [Parameter(Position = 0)][ValidateNotNullOrEmpty()] + [System.Object] $rule + ) + $effectiveRule = [Microsoft.Azure.Commands.Network.Models.PSEffectiveSecurityRule]::new() + $effectiveRule.Name = $rule.Name + $effectiveRule.Protocol = $rule.Protocol.Replace("*", "All") + # Source port range + $effectiveRule.SourcePortRange = New-Object System.Collections.Generic.List[string] + foreach ($port in $rule.SourcePortRange) { + if ($port -eq "*") { $effectiveRule.SourcePortRange.Add("0-65535"); break } + elseif ($port.Contains("-")) { $effectiveRule.SourcePortRange.Add($port) } + else { $effectiveRule.SourcePortRange.Add("$port-$port") } + } + # Destination port range + $effectiveRule.DestinationPortRange = New-Object System.Collections.Generic.List[string] + foreach ($port in $rule.DestinationPortRange) { + if ($port -eq "*") { $effectiveRule.DestinationPortRange.Add("0-65535"); break } + elseif ($port.Contains("-")) { $effectiveRule.DestinationPortRange.Add($port) } + else { $effectiveRule.DestinationPortRange.Add("$port-$port") } + } + # Source address prefix + $effectiveRule.SourceAddressPrefix = New-Object System.Collections.Generic.List[string] + foreach ($prefix in $rule.SourceAddressPrefix) { + if ($prefix -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Add("*"); break } + else { $effectiveRule.SourceAddressPrefix.Add($rule.SourceAddressPrefix) } + } + # Destination address prefix + $effectiveRule.DestinationAddressPrefix = New-Object System.Collections.Generic.List[string] + foreach ($prefix in $rule.DestinationAddressPrefix) { + if ($prefix -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Add("*"); break } + else { $effectiveRule.DestinationAddressPrefix.Add($rule.DestinationAddressPrefix) } + } + $effectiveRule.Access = $rule.Access + $effectiveRule.Priority = $rule.Priority + $effectiveRule.Direction = $rule.Direction + return 
$effectiveRule +} + + function Get-NSGRules { param ( [Parameter(Position = 0)][ValidateNotNullOrEmpty()] 
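Review bot: Convert-RuleToEffectiveRule has no header comment, so its normalisation is only recoverable by reading the four loops; a block above `function Convert-RuleToEffectiveRule {` should state that it takes a PSSecurityRule (or a rule read back from the benchmark JSON, whose values are already in this form) and returns a PSEffectiveSecurityRule with a `*` protocol mapped to `All`, a `*` port to `0-65535`, single ports to `n-n` and `0.0.0.0/0` to `*`, so that Compare-NSGRules always sees one representation. Two smaller points: the `break` after a `*` entry keeps any ports already added (a list such as `22, *` yields both `22-22` and `0-65535`), which is presumably harmless but deserves a comment if intended; and the parameter is named `$rule` while the sibling functions capitalise theirs (`$VM`, `$Value`, `$Array`).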
@@ -141,39 +184,7 @@ function Get-NSGRules { $effectiveRules = @() # Convert each PSSecurityRule into a PSEffectiveSecurityRule foreach ($rule in $rules) { - $effectiveRule = [Microsoft.Azure.Commands.Network.Models.PSEffectiveSecurityRule]::new() - $effectiveRule.Name = $rule.Name - $effectiveRule.Protocol = $rule.Protocol.Replace("*", "All") - # Source port range - $effectiveRule.SourcePortRange = New-Object System.Collections.Generic.List[string] - foreach ($port in $rule.SourcePortRange) { - if ($port -eq "*") { $effectiveRule.SourcePortRange.Add("0-65535"); break } - elseif ($port.Contains("-")) { $effectiveRule.SourcePortRange.Add($port) } - else { $effectiveRule.SourcePortRange.Add("$port-$port") } - } - # Destination port range - $effectiveRule.DestinationPortRange = New-Object System.Collections.Generic.List[string] - foreach ($port in $rule.DestinationPortRange) { - if ($port -eq "*") { $effectiveRule.DestinationPortRange.Add("0-65535"); break } - elseif ($port.Contains("-")) { $effectiveRule.DestinationPortRange.Add($port) } - else { $effectiveRule.DestinationPortRange.Add("$port-$port") } - } - # Source address prefix - $effectiveRule.SourceAddressPrefix = New-Object System.Collections.Generic.List[string] - foreach ($prefix in $rule.SourceAddressPrefix) { - if ($prefix -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Add("*"); break } - else { $effectiveRule.SourceAddressPrefix.Add($rule.SourceAddressPrefix) } - } - # Destination address prefix - $effectiveRule.DestinationAddressPrefix = New-Object System.Collections.Generic.List[string] - foreach ($prefix in $rule.DestinationAddressPrefix) { - if ($prefix -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Add("*"); break } - else { $effectiveRule.DestinationAddressPrefix.Add($rule.DestinationAddressPrefix) } - } - $effectiveRule.Access = $rule.Access - $effectiveRule.Priority = $rule.Priority - $effectiveRule.Direction = $rule.Direction - $effectiveRules = $effectiveRules + $effectiveRule 
+ $effectiveRules = $effectiveRules + $(Convert-RuleToEffectiveRule $rule) #$effectiveRule } return $effectiveRules } else { 
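Review bot: `$effectiveRules = $effectiveRules + $(Convert-RuleToEffectiveRule $rule) #$effectiveRule` carries a dead trailing comment from the inlined version, and the `$( )` wrapper is unnecessary around a single command; `$effectiveRules += Convert-RuleToEffectiveRule $rule` says the same thing. Get-NSGRules continues outside the hunk.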
@@ -192,74 +203,106 @@ function Get-NSGRules { $originalContext = Get-AzContext -# Get VMs in current SHM -# ---------------------- -$_ = Set-AzContext -SubscriptionId $currentSubscription -$currentShmVMs = Get-AzVM | Where-Object { $_.Name -NotLike "*shm-deploy*" } -Add-LogMessage -Level Info "Found $($currentShmVMs.Count) VMs in current subscription: '$currentSubscription'" -foreach ($VM in $currentShmVMs) { - Add-LogMessage -Level Info "... $($VM.Name)" +# Load configuration from a benchmark subscription or config +# ---------------------------------------------------------- +if ($BenchmarkSubscription) { + $JsonConfig = [ordered]@{} + # Get VMs in current subscription + $_ = Set-AzContext -SubscriptionId $BenchmarkSubscription + $benchmarkVMs = Get-AzVM | Where-Object { $_.Name -NotLike "*shm-deploy*" } + Add-LogMessage -Level Info "Found $($benchmarkVMs.Count) VMs in subscription: '$BenchmarkSubscription'" + foreach ($VM in $benchmarkVMs) { + Add-LogMessage -Level Info "... $($VM.Name)" + } + # Get the NSG rules and connectivity for each VM in the subscription + foreach ($benchmarkVM in $benchmarkVMs) { + Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($VM.Name)" + $DestinationPort = 80 + if ($VM.Name.Contains("MIRROR")) { $DestinationPort = 443 } + $JsonConfig[$benchmarkVM.Name] = [ordered]@{ + Internet = Test-OutboundConnection -VM $benchmarkVM -DestinationAddress "google.com" -DestinationPort 80 + Rules = Get-NSGRules -VM $benchmarkVM + } + } + $OutputFile = New-TemporaryFile + Out-File -FilePath $OutputFile -Encoding "UTF8" -InputObject ($JsonConfig | ConvertTo-Json -Depth 10) + Add-LogMessage -Level Info "Configuration file generated at '$($OutputFile.FullName)'" +} elseif ($BenchmarkConfig) { + $JsonConfig = Get-Content -Path $BenchmarkConfig -Raw -Encoding UTF-8 | ConvertFrom-Json +} + + +# Deserialise VMs from JSON config +# -------------------------------- +$benchmarkVMs = @() +foreach ($JsonVm in $JsonConfig.PSObject.Properties) 
{ + $VM = New-Object -TypeName PsObject + $VM | Add-Member -MemberType NoteProperty -Name Name -Value $JsonVm.Name + $VM | Add-Member -MemberType NoteProperty -Name Internet -Value $JsonVm.PSObject.Properties.Value.Internet + $VM | Add-Member -MemberType NoteProperty -Name Rules -Value @() + foreach ($rule in $JsonVm.PSObject.Properties.Value.Rules) { + if ($rule.Name) { $VM.Rules += $(Convert-RuleToEffectiveRule $rule) } + } + $benchmarkVMs += $VM } -# Get VMs in new SHM -# ------------------ -$_ = Set-AzContext -SubscriptionId $newSubscription -$newShmVMs = Get-AzVM -Add-LogMessage -Level Info "Found $($newShmVMs.Count) VMs in new subscription: '$newSubscription'" -foreach ($VM in $newShmVMs) { + +# Get VMs in test SHM +# ------------------- +$_ = Set-AzContext -SubscriptionId $Subscription +$testVMs = Get-AzVM +Add-LogMessage -Level Info "Found $($testVMs.Count) VMs in subscription: '$Subscription'" +foreach ($VM in $testVMs) { Add-LogMessage -Level Info "... $($VM.Name)" } + # Create a hash table which maps current SHM VMs to new ones # ---------------------------------------------------------- $vmHashTable = @{} -foreach ($currentVM in $currentShmVMs) { - $nameToCheck = $currentVM.Name +foreach ($benchmarkVM in $benchmarkVMs) { + $nameToCheck = $benchmarkVM.Name # Override matches for names that would otherwise fail - if ($nameToCheck.StartsWith("RDSSH1")) { $nameToCheck = $nameToCheck.Replace("RDSSH1", "APP-SRE") } - if ($nameToCheck.StartsWith("RDSSH2")) { $nameToCheck = $nameToCheck.Replace("RDSSH2", "DKP-SRE") } if ($nameToCheck.StartsWith("CRAN-MIRROR")) { $nameToCheck = $nameToCheck.Replace("MIRROR", "") } if ($nameToCheck.StartsWith("PYPI-MIRROR")) { $nameToCheck = $nameToCheck.Replace("MIRROR", "") } + if ($nameToCheck.StartsWith("RDSSH1")) { $nameToCheck = $nameToCheck.Replace("RDSSH1", "APP-SRE") } + if ($nameToCheck.StartsWith("RDSSH2")) { $nameToCheck = $nameToCheck.Replace("RDSSH2", "DKP-SRE") } # Only match against names that have not been 
matched yet - $newShmVMNames = $newShmVMs | ForEach-Object { $_.Name } | Where-Object { ($vmHashTable.Values | ForEach-Object { $_.Name }) -NotContains $_ } - $newVM = $newShmVMs | Where-Object { $_.Name -eq $(Select-ClosestMatch -Array $newShmVMNames -Value $nameToCheck) } - $vmHashTable[$currentVM] = $newVM - Add-LogMessage -Level Info "matched $($currentVM.Name) => $($newVM.Name)" + $testVMNames = $testVMs | ForEach-Object { $_.Name } | Where-Object { ($vmHashTable.Values | ForEach-Object { $_.Name }) -NotContains $_ } + $testVM = $testVMs | Where-Object { $_.Name -eq $(Select-ClosestMatch -Array $testVMNames -Value $nameToCheck) } + $vmHashTable[$benchmarkVM] = $testVM + Add-LogMessage -Level Info "matched $($testVM.Name) => $($benchmarkVM.Name)" } + # Iterate over paired VMs checking their network settings # ------------------------------------------------------- -foreach ($currentVM in $currentShmVMs) { - $newVM = $vmHashTable[$currentVM] - - # Get parameters for current VM - # ----------------------------- - $_ = Set-AzContext -SubscriptionId $currentSubscription - Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($currentVM.Name)" - $currentRules = Get-NSGRules -VM $currentVM - $currentInternetCheck = Test-OutboundConnection -VM $currentVM -DestinationAddress "google.com" -DestinationPort 80 +foreach ($benchmarkVM in $benchmarkVMs) { + $testVM = $vmHashTable[$benchmarkVM] # Get parameters for new VM # ------------------------- - $_ = Set-AzContext -SubscriptionId $newSubscription - Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($newVM.Name)" - $newRules = Get-NSGRules -VM $newVM - $newInternetCheck = Test-OutboundConnection -VM $newVM -DestinationAddress "google.com" -DestinationPort 80 - + $_ = Set-AzContext -SubscriptionId $Subscription + Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($testVM.Name)" + $testRules = Get-NSGRules -VM $testVM + # Set appropriate port for testing internet access + 
$DestinationPort = 80 + if ($testVM.Name.Contains("MIRROR")) { $DestinationPort = 443 } + $testInternet = Test-OutboundConnection -VM $testVM -DestinationAddress "google.com" -DestinationPort $DestinationPort # Check that each NSG rule has a matching equivalent (which might be named differently) - Add-LogMessage -Level Info "Comparing NSG rules for $($currentVM.Name) and $($newVM.Name)" - Add-LogMessage -Level Info "... ensuring that all $($currentVM.Name) rules exist on $($newVM.Name)" - Compare-NSGRules -CurrentRules $currentRules -NewRules $newRules - Add-LogMessage -Level Info "... ensuring that all $($newVM.Name) rules exist on $($currentVM.Name)" - Compare-NSGRules -CurrentRules $newRules -NewRules $currentRules + Add-LogMessage -Level Info "Comparing NSG rules for $($benchmarkVM.Name) and $($testVM.Name)" + Add-LogMessage -Level Info "... ensuring that all $($benchmarkVM.Name) rules exist on $($testVM.Name)" + Compare-NSGRules -BenchmarkRules $benchmarkVM.Rules -TestRules $testRules + Add-LogMessage -Level Info "... ensuring that all $($testVM.Name) rules exist on $($benchmarkVM.Name)" + Compare-NSGRules -BenchmarkRules $testRules -TestRules $benchmarkVM.Rules # Check that internet connectivity is the same for matched VMs - Add-LogMessage -Level Info "Comparing internet connectivity for $($currentVM.Name) and $($newVM.Name)..." - if ($currentInternetCheck -eq $newInternetCheck) { - Add-LogMessage -Level Success "The internet is '$($currentInternetCheck)' from both" + Add-LogMessage -Level Info "Comparing internet connectivity for $($benchmarkVM.Name) and $($testVM.Name)..." 
+ if ($benchmarkVM.Internet -eq $testInternet) { + Add-LogMessage -Level Success "The internet is '$($benchmarkVM.Internet)' from both" } else { - Add-LogMessage -Level Failure "The internet is '$($currentInternetCheck)' from $($currentVM.Name)" - Add-LogMessage -Level Failure "The internet is '$($newInternetCheck)' from $($newVM.Name)" + Add-LogMessage -Level Failure "The internet is '$($benchmarkVM.Internet)' from $($benchmarkVM.Name)" + Add-LogMessage -Level Failure "The internet is '$($testInternet)' from $($testVM.Name)" } } diff --git a/tests/benchmark_shm.json b/tests/benchmark_shm.json new file mode 100644 index 0000000000..4920d16e2c --- /dev/null +++ b/tests/benchmark_shm.json 
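Review bot: The benchmark loop `foreach ($benchmarkVM in $benchmarkVMs)` reads `$VM` — left over from the preceding logging loop, so it is whichever VM was listed last — in its log message and in the `MIRROR` check, and the `$DestinationPort` it computes is never used because the Test-OutboundConnection call hard-codes `-DestinationPort 80`; mirror VMs in the benchmark are therefore probed on 80 while the test loop below probes them on 443, so the two `Internet` values are not comparable and the generated benchmark can record a spurious mismatch. Use the loop variable throughout and pass the computed port, as below. Separately, `Get-Content -Encoding UTF-8` is spelled differently from the `Out-File -Encoding "UTF8"` a few lines earlier; under Windows PowerShell 5.1 that parameter is an enum and `UTF-8` is presumably rejected, so `UTF8` in both places is safer.
```powershell
    foreach ($benchmarkVM in $benchmarkVMs) {
        Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($benchmarkVM.Name)"
        # Mirror VMs are probed on 443, everything else on 80 (same rule as the test-VM loop below)
        $DestinationPort = 80
        if ($benchmarkVM.Name.Contains("MIRROR")) { $DestinationPort = 443 }
        $JsonConfig[$benchmarkVM.Name] = [ordered]@{
            Internet = Test-OutboundConnection -VM $benchmarkVM -DestinationAddress "google.com" -DestinationPort $DestinationPort
            Rules = Get-NSGRules -VM $benchmarkVM
        }
    }
```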
@@ -0,0 +1,2834 @@ +{ + "DC1-SHM-turing1": { + "Internet": "Reachable", + "Rules": [{ + "Name": "RPC_endpoint_mapper", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "135-135" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 200, + "Direction": "Inbound" + }, + { + "Name": "LDAP", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "389-389" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 201, + "Direction": "Inbound" + }, + { + "Name": "LDAP_Ping", + "Protocol": "Udp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "389-389" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 202, + "Direction": "Inbound" + }, + { + "Name": "LDAP_over_SSL", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "636-636" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 203, + "Direction": "Inbound" + }, + { + "Name": "Global_catalog_LDAP", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "3268-3268" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + 
"Access": "Allow", + "Priority": 204, + "Direction": "Inbound" + }, + { + "Name": "Global_catalog_LDAP_over_SSL", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "3269-3269" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 205, + "Direction": "Inbound" + }, + { + "Name": "DNS", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "53-53" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 206, + "Direction": "Inbound" + }, + { + "Name": "Kerberos", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "88-88" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 207, + "Direction": "Inbound" + }, + { + "Name": "SMB_over_IP_Microsoft-DS", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "445-445" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 208, + "Direction": "Inbound" + }, + { + "Name": "NetBIOS_service", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "137-137" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + 
"Access": "Allow", + "Priority": 209, + "Direction": "Inbound" + }, + { + "Name": "NetBIOS_datagram_service", + "Protocol": "Udp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "138-138" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 210, + "Direction": "Inbound" + }, + { + "Name": "NetBIOS_session_service", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "139-139" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 211, + "Direction": "Inbound" + }, + { + "Name": "RPC_for_LSA_SAM_Netlogon", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "49152-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 212, + "Direction": "Inbound" + }, + { + "Name": "Kerberos_Password_Change", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "464-464" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 213, + "Direction": "Inbound" + }, + { + "Name": "Active_Directory_Web_Services", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "9389-9389" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": 
null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 214, + "Direction": "Inbound" + }, + { + "Name": "RADIUS_Authenitcation_RDS_to_NPS", + "Protocol": "Udp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "1645-1645", + "1646-1646", + "1812-1812", + "1813-1813" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Inbound" + }, + { + "Name": "Remote_Desktop_Connection", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "3389-3389" + ], + "SourceAddressPrefix": [ + "172.16.201.0/24" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 400, + "Direction": "Inbound" + }, + { + "Name": "Deny_All", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": 
[ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "DC2-SHM-turing1": { + "Internet": "Reachable", + "Rules": [{ + "Name": "RPC_endpoint_mapper", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "135-135" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + 
"DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 200, + "Direction": "Inbound" + }, + { + "Name": "LDAP", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "389-389" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 201, + "Direction": "Inbound" + }, + { + "Name": "LDAP_Ping", + "Protocol": "Udp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "389-389" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 202, + "Direction": "Inbound" + }, + { + "Name": "LDAP_over_SSL", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "636-636" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 203, + "Direction": "Inbound" + }, + { + "Name": "Global_catalog_LDAP", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "3268-3268" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 204, + "Direction": "Inbound" + }, + { + "Name": "Global_catalog_LDAP_over_SSL", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "3269-3269" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + 
"DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 205, + "Direction": "Inbound" + }, + { + "Name": "DNS", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "53-53" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 206, + "Direction": "Inbound" + }, + { + "Name": "Kerberos", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "88-88" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 207, + "Direction": "Inbound" + }, + { + "Name": "SMB_over_IP_Microsoft-DS", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "445-445" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 208, + "Direction": "Inbound" + }, + { + "Name": "NetBIOS_service", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "137-137" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 209, + "Direction": "Inbound" + }, + { + "Name": "NetBIOS_datagram_service", + "Protocol": "Udp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "138-138" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + 
"DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 210, + "Direction": "Inbound" + }, + { + "Name": "NetBIOS_session_service", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "139-139" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 211, + "Direction": "Inbound" + }, + { + "Name": "RPC_for_LSA_SAM_Netlogon", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "49152-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 212, + "Direction": "Inbound" + }, + { + "Name": "Kerberos_Password_Change", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "464-464" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 213, + "Direction": "Inbound" + }, + { + "Name": "Active_Directory_Web_Services", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "9389-9389" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 214, + "Direction": "Inbound" + }, + { + "Name": "RADIUS_Authenitcation_RDS_to_NPS", + "Protocol": "Udp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + 
"1645-1645", + "1646-1646", + "1812-1812", + "1813-1813" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Inbound" + }, + { + "Name": "Remote_Desktop_Connection", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "3389-3389" + ], + "SourceAddressPrefix": [ + "172.16.201.0/24" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 400, + "Direction": "Inbound" + }, + { + "Name": "Deny_All", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], 
+ "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "NPS-SHM-turing1": { + "Internet": "Reachable", + "Rules": [{ + "Name": "RPC_endpoint_mapper", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "135-135" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 200, + "Direction": "Inbound" + }, + { + "Name": "LDAP", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + 
], + "DestinationPortRange": [ + "389-389" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 201, + "Direction": "Inbound" + }, + { + "Name": "LDAP_Ping", + "Protocol": "Udp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "389-389" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 202, + "Direction": "Inbound" + }, + { + "Name": "LDAP_over_SSL", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "636-636" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 203, + "Direction": "Inbound" + }, + { + "Name": "Global_catalog_LDAP", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "3268-3268" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 204, + "Direction": "Inbound" + }, + { + "Name": "Global_catalog_LDAP_over_SSL", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "3269-3269" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 205, + "Direction": "Inbound" + }, + { + "Name": "DNS", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], 
+ "DestinationPortRange": [ + "53-53" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 206, + "Direction": "Inbound" + }, + { + "Name": "Kerberos", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "88-88" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 207, + "Direction": "Inbound" + }, + { + "Name": "SMB_over_IP_Microsoft-DS", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "445-445" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 208, + "Direction": "Inbound" + }, + { + "Name": "NetBIOS_service", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "137-137" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 209, + "Direction": "Inbound" + }, + { + "Name": "NetBIOS_datagram_service", + "Protocol": "Udp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "138-138" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 210, + "Direction": "Inbound" + }, + { + "Name": "NetBIOS_session_service", + "Protocol": "Tcp", + "SourcePortRange": [ + 
"0-65535" + ], + "DestinationPortRange": [ + "139-139" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 211, + "Direction": "Inbound" + }, + { + "Name": "RPC_for_LSA_SAM_Netlogon", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "49152-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 212, + "Direction": "Inbound" + }, + { + "Name": "Kerberos_Password_Change", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "464-464" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 213, + "Direction": "Inbound" + }, + { + "Name": "Active_Directory_Web_Services", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "9389-9389" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 214, + "Direction": "Inbound" + }, + { + "Name": "RADIUS_Authenitcation_RDS_to_NPS", + "Protocol": "Udp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "1645-1645", + "1646-1646", + "1812-1812", + "1813-1813" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + 
"Direction": "Inbound" + }, + { + "Name": "Remote_Desktop_Connection", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "3389-3389" + ], + "SourceAddressPrefix": [ + "172.16.201.0/24" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 400, + "Direction": "Inbound" + }, + { + "Name": "Deny_All", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": 
"AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "CRAN-MIRROR-EXTERNAL-TIER-2": { + "Internet": "Reachable", + "Rules": [{ + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "updateOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "443-443", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + 
"Direction": "Outbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "rsyncOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "10.20.2.16/28" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 400, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + 
}, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "CRAN-MIRROR-INTERNAL-TIER-2": { + "Internet": "Unreachable", + "Rules": [{ + "Name": "rsyncInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 200, + "Direction": "Inbound" + }, + { + "Name": "mirrorRequestsInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "80-80", + "443-443", + "3128-3128" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + 
"Access": "Allow", + "Priority": 300, + "Direction": "Inbound" + }, + { + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + 
"Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "PYPI-MIRROR-EXTERNAL-TIER-2": { + "Internet": "Reachable", + "Rules": [{ + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "updateOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "443-443", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + 
"Access": "Allow", + "Priority": 300, + "Direction": "Outbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "rsyncOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "10.20.2.16/28" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 400, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + 
"Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "PYPI-MIRROR-EXTERNAL-TIER-3": { + "Internet": "Reachable", + "Rules": [{ + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "updateOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "443-443", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.3.0/28" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + 
"ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Outbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "rsyncOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.3.0/28" + ], + "DestinationAddressPrefix": [ + "10.20.3.16/28" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 400, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + 
"ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "PYPI-MIRROR-INTERNAL-TIER-2": { + "Internet": "Unreachable", + "Rules": [{ + "Name": "rsyncInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 200, + "Direction": "Inbound" + }, + { + "Name": "mirrorRequestsInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "80-80", + "443-443", + "3128-3128" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + 
"DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Inbound" + }, + { + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + 
"ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "PYPI-MIRROR-INTERNAL-TIER-3": { + "Internet": "Unreachable", + "Rules": [{ + "Name": "rsyncInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.3.0/28" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 200, + "Direction": "Inbound" + }, + { + "Name": "mirrorRequestsInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "80-80", + "443-443", + "3128-3128" + ], + "SourceAddressPrefix": [ + 
"VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Inbound" + }, + { + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + 
"DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 65500,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowVnetOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65000,
+ "Direction": "Outbound"
+ },
+ {
+ "Name": "AllowInternetOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "Internet"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65001,
+ "Direction": "Outbound"
+ },
+ {
+ "Name": "DenyAllOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 65500,
+ "Direction": "Outbound"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/tests/benchmark_sre.json b/tests/benchmark_sre.json
new file mode 100644
index 0000000000..0a36c82eb3
--- /dev/null
+++ b/tests/benchmark_sre.json
@@ -0,0 +1,1214 @@
+{
+ "DSG201912021337-160": {
+ "Internet": "Unreachable",
+ "Rules": [{
+ "Name": "Internet_Out",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "Internet"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 4000,
+ "Direction": "Outbound"
+ },
+ {
+ "Name": "AllowVnetInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65000,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowAzureLoadBalancerInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "AzureLoadBalancer"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65001,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "DenyAllInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 65500,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowVnetOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ 
"Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "DATA-DSG11": { + "Internet": "Unreachable", + "Rules": [{ + "Name": "Deny_Internet", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 4000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + 
"ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "DC-DSG11": { + "Internet": "Reachable", + "Rules": [ + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": 
null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + 
"Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "GITLAB-DSG11": { + "Internet": "Unreachable", + "Rules": [{ + "Name": "Internet_Out", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 4000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + 
"ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "HACKMD-DSG11": { + "Internet": "Unreachable", + "Rules": [{ + "Name": "Internet_Out", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 4000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + 
"ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "RDS-DSG11": { + "Internet": "Reachable", + "Rules": [{ + "Name": "HTTPS_In", + "Protocol": "TCP", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "443-443" + ], + "SourceAddressPrefix": [ + "193.60.220.253/32" + ], + "DestinationAddressPrefix": [ + "*" + ], + 
"ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 100, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + 
"ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + }, + { + "Name": "RADIUS_Authentication_RDS_to_NPS", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "1645-1645", + "1646-1646", + "1812-1812", + "1813-1813" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "10.0.0.248/32" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Outbound" + } + ] + }, + "RDSSH1-DSG11": { + "Internet": "Unreachable", + "Rules": [{ + "Name": "Deny_Internet", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 4000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + 
"SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "RDSSH2-DSG11": { + "Internet": "Unreachable", + "Rules": [{ + "Name": "Deny_Internet", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + 
"SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 4000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + 
"SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + } +}
\ No newline at end of file
From d08f225af5018909a10aac4b0d72c32c63989f9a Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Wed, 4 Mar 2020 11:55:09 +0000
Subject: [PATCH 10/16] Automatically install missing dependencies
---
 tests/Compare_Deployments.ps1 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1
index b108785018..57fcb1af9c 100644
--- a/tests/Compare_Deployments.ps1
+++ b/tests/Compare_Deployments.ps1
@@ -1,4 +1,3 @@
-# You will need `Install-Package Communary.PASM`
 param(
 [Parameter(Mandatory = $true, HelpMessage = "Name of the test (proposed) subscription")]
 [string]$Subscription,
@@ -10,6 +9,11 @@ param(
 [switch]$VerboseLogging = $false
 )
+# Install required modules
+if (-Not $(Get-Module -ListAvailable -Name Az)) { Install-Package Az -Force}
+if (-Not $(Get-Module -ListAvailable -Name Communary.PASM)) { Install-Package Communary.PASM -Force}
+
+# Import modules
 Import-Module Az
 Import-Module Communary.PASM
 Import-Module $PSScriptRoot/../common_powershell/Logging.psm1 -Force
From be0290bbcaa52b2af837ca43f20042220a0a05c8 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Wed, 4 Mar 2020 17:53:48 +0000
Subject: [PATCH 11/16] Added link to Powershell documentation
---
 tests/Compare_Deployments.ps1 | 1 +
 1 file changed, 1 insertion(+)
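Review bot: The two `Install-Package ... -Force` lines pull the newest `Az` and `Communary.PASM` from whichever package sources are registered on the machine, with `-Force` suppressing the confirmation that would otherwise flag an untrusted source, so the baseline comparison depends on an unpinned, unverified download. Pin both version and source, e.g. `Install-Module Communary.PASM -RequiredVersion <pinned version> -Repository PSGallery -Scope CurrentUser`, so the run is reproducible and a renamed or hijacked package cannot silently replace the module. `Get-Module -ListAvailable -Name` only tests for presence, so once a version is pinned the guard should check it too, e.g. `Get-Module -ListAvailable -FullyQualifiedName @{ ModuleName = "Communary.PASM"; RequiredVersion = "<pinned version>" }`. The same applies to the `Az` line.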
diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1
index 57fcb1af9c..8d3e3c1de4 100644
--- a/tests/Compare_Deployments.ps1
+++ b/tests/Compare_Deployments.ps1
@@ -1,3 +1,4 @@
+# Parameter sets in Powershell are a bit counter-intuitive. See here (https://docs.microsoft.com/en-us/powershell/scripting/developer/cmdlet/cmdlet-parameter-sets?view=powershell-7) for details
 param(
 [Parameter(Mandatory = $true, HelpMessage = "Name of the test (proposed) subscription")]
 [string]$Subscription,
From a9afba64ba44d8d3d19c61a648a99611005014f6 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Wed, 4 Mar 2020 18:46:05 +0000
Subject: [PATCH 12/16] Give warning if there are both direct and subnet NSG rules
---
 tests/Compare_Deployments.ps1 | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1
index 8d3e3c1de4..53282c4295 100644
--- a/tests/Compare_Deployments.ps1
+++ b/tests/Compare_Deployments.ps1
@@ -29,7 +29,9 @@ function Select-ClosestMatch {
 $Array | Sort-Object @{Expression={ Get-PasmScore -String1 $Value -String2 $_ -Algorithm "LevenshteinDistance" }; Ascending=$false} | Select-Object -First 1
 }
-
+# Compare two NSG rule sets
+# Match parameter-by-parameter
+# --------------------------------------------
 function Compare-NSGRules {
 param (
 [Parameter()]
@@ -40,8 +42,10 @@ function Compare-NSGRules {
 $nMatched = 0
 $unmatched = @()
 foreach ($benchmarkRule in $BenchmarkRules) {
- $lowestDifference = 99
+ $lowestDifference = [double]::PositiveInfinity
 $closestMatchingRule = $null
+ # Iterate over TestRules checking for an identical match by checking how many of the rule parameters differ
+ # If an exact match is found then increment the counter, otherwise log the rule and the closest match
 foreach ($testRule in $TestRules) {
 $difference = 0
 if ($benchmarkRule.Protocol -ne $testRule.Protocol) { $difference += 1 }
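Review bot: The three-line header added above `Compare-NSGRules` is a plain comment, so `Get-Help Compare-NSGRules` still shows nothing and neither `[System.Array]` parameter is described; the two inline comments in the next hunk describe the loop but not what a caller receives. Replace the header with a comment-based help block placed inside the function: a `.SYNOPSIS` line, `.PARAMETER BenchmarkRules` and `.PARAMETER TestRules` entries saying which deployment each rule list comes from, and an `.OUTPUTS` entry describing whatever the function returns (its tail is outside this hunk). The body of Compare-NSGRules continues beyond the hunk.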
@@ -90,7 +94,7 @@ function Test-OutboundConnection {
 [string] $DestinationPort
 )
 # Get the network watcher, creating a new one if required
- $networkWatcher = Get-AzNetworkWatcher | Where-Object -Property Location -EQ -Value $VM.Location
+ $networkWatcher = Get-AzNetworkWatcher | Where-Object { $_.Location -eq $VM.Location }
 if (-Not $networkWatcher) {
 $networkWatcher = New-AzNetworkWatcher -Name "NetworkWatcher" -ResourceGroupName "NetworkWatcherRG" -Location $VM.Location
 }
@@ -136,6 +140,7 @@ function Convert-RuleToEffectiveRule {
 # Source port range
 $effectiveRule.SourcePortRange = New-Object System.Collections.Generic.List[string]
 foreach ($port in $rule.SourcePortRange) {
+ # We do not explicitly deal with the case where the port is not an integer, a range or '*'
 if ($port -eq "*") { $effectiveRule.SourcePortRange.Add("0-65535"); break }
 elseif ($port.Contains("-")) { $effectiveRule.SourcePortRange.Add($port) }
 else { $effectiveRule.SourcePortRange.Add("$port-$port") }
@@ -143,6 +148,7 @@ function Convert-RuleToEffectiveRule {
 # Destination port range
 $effectiveRule.DestinationPortRange = New-Object System.Collections.Generic.List[string]
 foreach ($port in $rule.DestinationPortRange) {
+ # We do not explicitly deal with the case where the port is not an integer, a range or '*'
 if ($port -eq "*") { $effectiveRule.DestinationPortRange.Add("0-65535"); break }
 elseif ($port.Contains("-")) { $effectiveRule.DestinationPortRange.Add($port) }
 else { $effectiveRule.DestinationPortRange.Add("$port-$port") }
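Review bot: The comment added to the source-port loop admits that a port which is neither an integer, a range nor `*` is not handled, but the `else` branch still turns such a value into `"$port-$port"`, which then compares as a well-formed range against the benchmark and can hide a malformed rule; the same applies to the destination-port loop in the following hunk. For a script whose verdict is a security baseline, an unrecognised value should at least be logged before it is added, e.g. `if ($port -notmatch '^\d+$') { Add-LogMessage -Level Warning "Unrecognised port '$port' in rule $($rule.Name)" }` ahead of the `Add` call. The comment should also say that the `break` after `*` discards any further entries of the same list. Convert-RuleToEffectiveRule begins and ends outside the hunk.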
@@ -178,18 +184,23 @@ function Get-NSGRules {
 # Get rules from NSG directly attached to the NIC
 $nic = Get-AzNetworkInterface | Where-Object { $_.Id -eq $VM.NetworkProfile.NetworkInterfaces.Id }
 $directNsgs = Get-AzNetworkSecurityGroup | Where-Object { $_.Id -eq $nic.NetworkSecurityGroup.Id }
+ $directNsgRules = @()
 foreach ($directNsg in $directNsgs) {
- $rules = $rules + $directNsg.SecurityRules + $directNsg.DefaultSecurityRules
+ $directNsgRules = $directNsgRules + $directNsg.SecurityRules + $directNsg.DefaultSecurityRules
 }
 # Get rules from NSG attached to the subnet
 $subnetNsgs = Get-AzNetworkSecurityGroup | Where-Object { $_.Subnets.Id -eq $nic.IpConfigurations.Subnet.Id }
+ $subnetNsgRules = @()
 foreach ($subnetNsg in $subnetNsgs) {
- $rules = $rules + $subnetNsg.SecurityRules + $subnetNsg.DefaultSecurityRules
+ $subnetNsgRules = $subnetNsgRules + $subnetNsg.SecurityRules + $subnetNsg.DefaultSecurityRules
 }
 $effectiveRules = @()
+ if ($directNsgRules.Count -And $subnetNsgRules.Count) {
+ Add-LogMessage -Level Warning "Found both NSG rules from both the NIC and the subnet for $($VM.Name). Evaluation of effective rules may be incorrect!"
+ }
 # Convert each PSSecurityRule into a PSEffectiveSecurityRule
- foreach ($rule in $rules) {
- $effectiveRules = $effectiveRules + $(Convert-RuleToEffectiveRule $rule) #$effectiveRule
+ foreach ($rule in ($directNsgRules + $subnetNsgRules)) {
+ $effectiveRules = $effectiveRules + $(Convert-RuleToEffectiveRule $rule)
 }
 return $effectiveRules
 } else {
From 0aa9169c3a60083bd6741f56d44c57bb58f44a8c Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Wed, 4 Mar 2020 18:50:34 +0000
Subject: [PATCH 13/16] Inverted test vs. benchmark lookup as not all benchmark VMs will necessarily be present for all test subscriptions (eg. multiple tiers of package mirror)
---
 tests/Compare_Deployments.ps1 | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)
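Review bot: The new warning for a VM that has both a NIC NSG and a subnet NSG still lets the function return the flat concatenation `$directNsgRules + $subnetNsgRules`, which loses which NSG each rule belongs to; a rule that moved from the subnet NSG to the NIC NSG (or the reverse) would then compare as unchanged even though, as I understand it, Azure evaluates the two NSGs separately and traffic must be allowed by both. Since the `else` branch (outside this hunk) already consumes Azure's own effective rules, consider treating this case as a failure rather than a warning, or returning the two sets separately so the caller can compare each against its benchmark counterpart. The log string also reads `Found both NSG rules from both the NIC and the subnet` — drop the first `both`.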
diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1
index 53282c4295..ec0df6b51c 100644
--- a/tests/Compare_Deployments.ps1
+++ b/tests/Compare_Deployments.ps1
@@ -273,28 +273,29 @@ foreach ($VM in $testVMs) {
 }
-# Create a hash table which maps current SHM VMs to new ones
-# ----------------------------------------------------------
+# Create a hash table which maps test VMs to benchmark ones
+# ---------------------------------------------------------
 $vmHashTable = @{}
-foreach ($benchmarkVM in $benchmarkVMs) {
- $nameToCheck = $benchmarkVM.Name
+foreach ($testVM in $testVMs) {
+ $nameToCheck = $testVM.Name
 # Override matches for names that would otherwise fail
- if ($nameToCheck.StartsWith("CRAN-MIRROR")) { $nameToCheck = $nameToCheck.Replace("MIRROR", "") }
- if ($nameToCheck.StartsWith("PYPI-MIRROR")) { $nameToCheck = $nameToCheck.Replace("MIRROR", "") }
- if ($nameToCheck.StartsWith("RDSSH1")) { $nameToCheck = $nameToCheck.Replace("RDSSH1", "APP-SRE") }
- if ($nameToCheck.StartsWith("RDSSH2")) { $nameToCheck = $nameToCheck.Replace("RDSSH2", "DKP-SRE") }
+ if ($nameToCheck.StartsWith("CRAN-EXTERNAL-MIRROR")) { $nameToCheck = $nameToCheck.Replace("CRAN-EXTERNAL-MIRROR", "CRAN-MIRROR-EXTERNAL") }
+ if ($nameToCheck.StartsWith("CRAN-INTERNAL-MIRROR")) { $nameToCheck = $nameToCheck.Replace("CRAN-INTERNAL-MIRROR", "CRAN-MIRROR-INTERNAL") }
+ if ($nameToCheck.StartsWith("PYPI-EXTERNAL-MIRROR")) { $nameToCheck = $nameToCheck.Replace("PYPI-EXTERNAL-MIRROR", "PYPI-MIRROR-EXTERNAL") }
+ if ($nameToCheck.StartsWith("PYPI-INTERNAL-MIRROR")) { $nameToCheck = $nameToCheck.Replace("PYPI-INTERNAL-MIRROR", "PYPI-MIRROR-INTERNAL") }
+ if ($nameToCheck.StartsWith("APP-SRE")) { $nameToCheck = $nameToCheck.Replace("APP-SRE", "RDSSH1") }
+ if ($nameToCheck.StartsWith("DKP-SRE")) { $nameToCheck = $nameToCheck.Replace("DKP-SRE", "RDSSH2") }
 # Only match against names that have not been matched yet
- $testVMNames = $testVMs | ForEach-Object { $_.Name } | Where-Object { ($vmHashTable.Values | ForEach-Object { $_.Name }) -NotContains $_ }
- $testVM = $testVMs | Where-Object { $_.Name -eq $(Select-ClosestMatch -Array $testVMNames -Value 
$nameToCheck) }
- $vmHashTable[$benchmarkVM] = $testVM
+ $benchmarkVMNames = $benchmarkVMs | ForEach-Object { $_.Name } | Where-Object { ($vmHashTable.Values | ForEach-Object { $_.Name }) -NotContains $_ }
+ $benchmarkVM = $benchmarkVMs | Where-Object { $_.Name -eq $(Select-ClosestMatch -Array $benchmarkVMNames -Value $nameToCheck) }
+ $vmHashTable[$testVM] = $benchmarkVM
 Add-LogMessage -Level Info "matched $($testVM.Name) => $($benchmarkVM.Name)"
 }
-
 # Iterate over paired VMs checking their network settings
 # -------------------------------------------------------
-foreach ($benchmarkVM in $benchmarkVMs) {
- $testVM = $vmHashTable[$benchmarkVM]
+foreach ($testVM in $testVMs) {
+ $benchmarkVM = $vmHashTable[$testVM]
 # Get parameters for new VM
 # -------------------------
From 30a2e53c62f71aa78bec8d720e963546449a3029 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Wed, 4 Mar 2020 19:47:15 +0000
Subject: [PATCH 14/16] Check ports 80 and 443 for all VMs
---
 tests/Compare_Deployments.ps1 | 31 +-
 tests/benchmark_shm.json | 5691 +++++++++++++++++----------------
 tests/benchmark_sre.json | 40 +-
 3 files changed, 2908 insertions(+), 2854 deletions(-)
diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1
index ec0df6b51c..5a81c7845f 100644
--- a/tests/Compare_Deployments.ps1
+++ b/tests/Compare_Deployments.ps1
@@ -205,6 +205,7 @@ function Get-NSGRules {
 return $effectiveRules
 } else {
 $effectiveRules = $effectiveNSG.EffectiveSecurityRules
+ # Sometimes the address prefix is retrieved as ("0.0.0.0/0", "0.0.0.0/0") rather than "*" (although these mean the same thing)
 foreach ($effectiveRule in $effectiveRules) {
 if ($effectiveRule.SourceAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.SourceAddressPrefix.Clear(); $effectiveRule.SourceAddressPrefix.Add("*") }
 if ($effectiveRule.DestinationAddressPrefix[0] -eq "0.0.0.0/0") { $effectiveRule.DestinationAddressPrefix.Clear(); $effectiveRule.DestinationAddressPrefix.Add("*") }
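Review bot: A test VM that has no benchmark counterpart is not handled: once every benchmark name has been claimed, `$benchmarkVMNames` is empty and `Select-ClosestMatch` rejects it through the `[ValidateNotNullOrEmpty()]` on `$Array`, while before that point each surplus test VM is still paired with whichever benchmark name has the best Levenshtein score, so a VM can be checked against the wrong NSG baseline and pass. Guard the lookup, e.g. `if (-Not $benchmarkVMNames) { Add-LogMessage -Level Warning "No unmatched benchmark VM left for $($testVM.Name)"; continue }`, and make the second loop skip a `$null` `$benchmarkVM` rather than dereference it. Logging the PASM score alongside `matched X => Y` would make an implausible pairing visible in the run log. The commit message covers benchmark VMs absent from a test subscription; the surplus-test-VM direction is the one this loop now iterates.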
@@ -213,7 +214,6 @@ function Get-NSGRules {
 }
 }
-
 # Get original context before switching subscription
 # --------------------------------------------------
 $originalContext = Get-AzContext
@@ -233,10 +233,11 @@ if ($BenchmarkSubscription) {
 # Get the NSG rules and connectivity for each VM in the subscription
 foreach ($benchmarkVM in $benchmarkVMs) {
 Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($VM.Name)"
- $DestinationPort = 80
- if ($VM.Name.Contains("MIRROR")) { $DestinationPort = 443 }
 $JsonConfig[$benchmarkVM.Name] = [ordered]@{
- Internet = Test-OutboundConnection -VM $benchmarkVM -DestinationAddress "google.com" -DestinationPort 80
+ InternetFromPort = [ordered]@{
+ 80 = Test-OutboundConnection -VM $benchmarkVM -DestinationAddress "google.com" -DestinationPort 80
+ 443 = Test-OutboundConnection -VM $benchmarkVM -DestinationAddress "google.com" -DestinationPort 443
+ }
 Rules = Get-NSGRules -VM $benchmarkVM
 }
 }
@@ -254,7 +255,9 @@ $benchmarkVMs = @()
 foreach ($JsonVm in $JsonConfig.PSObject.Properties) {
 $VM = New-Object -TypeName PsObject
 $VM | Add-Member -MemberType NoteProperty -Name Name -Value $JsonVm.Name
- $VM | Add-Member -MemberType NoteProperty -Name Internet -Value $JsonVm.PSObject.Properties.Value.Internet
+ $VM | Add-Member -MemberType NoteProperty -Name InternetFromPort -Value @{}
+ $VM.InternetFromPort.80 = $JsonVm.PSObject.Properties.Value.InternetFromPort.80
+ $VM.InternetFromPort.443 = $JsonVm.PSObject.Properties.Value.InternetFromPort.443
 $VM | Add-Member -MemberType NoteProperty -Name Rules -Value @()
 foreach ($rule in $JsonVm.PSObject.Properties.Value.Rules) {
 if ($rule.Name) { $VM.Rules += $(Convert-RuleToEffectiveRule $rule) }
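Review bot: The log line at the top of the `foreach ($benchmarkVM in $benchmarkVMs)` loop interpolates `$($VM.Name)` although the loop variable is `$benchmarkVM`, so it reports a stale or empty name; the removed `if ($VM.Name.Contains("MIRROR"))` line was the other user of `$VM` here and the commit leaves this one behind. Change it to `Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($benchmarkVM.Name)"`. Note also that the `[ordered]@{ 80 = ...; 443 = ... }` keys are integers here but are written to JSON as the strings `"80"`/`"443"`, which matters for the read-back in the next hunk.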
@@ -302,10 +305,6 @@ foreach ($testVM in $testVMs) {
 $_ = Set-AzContext -SubscriptionId $Subscription
 Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($testVM.Name)"
 $testRules = Get-NSGRules -VM $testVM
- # Set appropriate port for testing internet access
- $DestinationPort = 80
- if ($testVM.Name.Contains("MIRROR")) { $DestinationPort = 443 }
- $testInternet = Test-OutboundConnection -VM $testVM -DestinationAddress "google.com" -DestinationPort $DestinationPort
 # Check that each NSG rule has a matching equivalent (which might be named differently)
 Add-LogMessage -Level Info "Comparing NSG rules for $($benchmarkVM.Name) and $($testVM.Name)"
 Add-LogMessage -Level Info "... ensuring that all $($benchmarkVM.Name) rules exist on $($testVM.Name)"
@@ -315,11 +314,15 @@ foreach ($testVM in $testVMs) {
 # Check that internet connectivity is the same for matched VMs
 Add-LogMessage -Level Info "Comparing internet connectivity for $($benchmarkVM.Name) and $($testVM.Name)..."
- if ($benchmarkVM.Internet -eq $testInternet) {
- Add-LogMessage -Level Success "The internet is '$($benchmarkVM.Internet)' from both"
- } else {
- Add-LogMessage -Level Failure "The internet is '$($benchmarkVM.Internet)' from $($benchmarkVM.Name)"
- Add-LogMessage -Level Failure "The internet is '$($testInternet)' from $($testVM.Name)"
+ # Test internet access on ports 80 and 443
+ foreach ($port in (80, 443)) {
+ $testInternet = Test-OutboundConnection -VM $testVM -DestinationAddress "google.com" -DestinationPort $port
+ if ($benchmarkVM.InternetFromPort[$port] -eq $testInternet) {
+ Add-LogMessage -Level Success "The internet is '$($benchmarkVM.InternetFromPort[$port])' on port $port from both"
+ } else {
+ Add-LogMessage -Level Failure "The internet is '$($benchmarkVM.InternetFromPort[$port])' on port $port from $($benchmarkVM.Name)"
+ Add-LogMessage -Level Failure "The internet is '$($testInternet)' on port $port from $($testVM.Name)"
+ }
 }
 }
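Review bot: `$benchmarkVM.InternetFromPort[$port]` indexes the benchmark table with the integers `80` and `443`, but the table is populated in the previous hunk with `$VM.InternetFromPort.80 = ...` from JSON properties named `"80"`/`"443"`, so the stored keys are most likely strings; a hashtable lookup with an `[int]` then yields `$null`, the `-eq` against a real result is false, and every VM is reported as a connectivity mismatch. Use one key type at both ends, e.g. `$VM.InternetFromPort[80] = $JsonVm.PSObject.Properties.Value.InternetFromPort.80` when loading, and confirm with a quick `$benchmarkVM.InternetFromPort[80] -ne $null` check on a loaded benchmark. A short comment that `Test-OutboundConnection` reaches an external host (`google.com`), so a `Failure` here may reflect the host rather than the NSG, would also help whoever reads the log.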
diff --git a/tests/benchmark_shm.json b/tests/benchmark_shm.json
index 4920d16e2c..0cb1bef70a 100644
--- a/tests/benchmark_shm.json
+++ b/tests/benchmark_shm.json
@@ -1,2834 +1,2861 @@ { - "DC1-SHM-turing1": { - "Internet": "Reachable", - "Rules": [{ - "Name": "RPC_endpoint_mapper", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "135-135" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 200, - "Direction": "Inbound" - }, - { - "Name": "LDAP", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "389-389" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 201, - "Direction": "Inbound" - }, - { - "Name": "LDAP_Ping", - "Protocol": "Udp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "389-389" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 202, - "Direction": "Inbound" - }, - { - "Name": "LDAP_over_SSL", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "636-636" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 203, - "Direction": "Inbound" - }, - { - "Name": "Global_catalog_LDAP", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "3268-3268" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, 
- "Access": "Allow", - "Priority": 204, - "Direction": "Inbound" - }, - { - "Name": "Global_catalog_LDAP_over_SSL", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "3269-3269" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 205, - "Direction": "Inbound" - }, - { - "Name": "DNS", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "53-53" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 206, - "Direction": "Inbound" - }, - { - "Name": "Kerberos", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "88-88" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 207, - "Direction": "Inbound" - }, - { - "Name": "SMB_over_IP_Microsoft-DS", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "445-445" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 208, - "Direction": "Inbound" - }, - { - "Name": "NetBIOS_service", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "137-137" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - 
"Access": "Allow", - "Priority": 209, - "Direction": "Inbound" - }, - { - "Name": "NetBIOS_datagram_service", - "Protocol": "Udp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "138-138" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 210, - "Direction": "Inbound" - }, - { - "Name": "NetBIOS_session_service", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "139-139" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 211, - "Direction": "Inbound" - }, - { - "Name": "RPC_for_LSA_SAM_Netlogon", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "49152-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 212, - "Direction": "Inbound" - }, - { - "Name": "Kerberos_Password_Change", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "464-464" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 213, - "Direction": "Inbound" - }, - { - "Name": "Active_Directory_Web_Services", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "9389-9389" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": 
null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 214, - "Direction": "Inbound" - }, - { - "Name": "RADIUS_Authenitcation_RDS_to_NPS", - "Protocol": "Udp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "1645-1645", - "1646-1646", - "1812-1812", - "1813-1813" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 300, - "Direction": "Inbound" - }, - { - "Name": "Remote_Desktop_Connection", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "3389-3389" - ], - "SourceAddressPrefix": [ - "172.16.201.0/24" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 400, - "Direction": "Inbound" - }, - { - "Name": "Deny_All", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 3000, - "Direction": "Inbound" - }, - { - "Name": "AllowVnetInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Inbound" - }, - { - "Name": "AllowAzureLoadBalancerInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "AzureLoadBalancer" - ], - "DestinationAddressPrefix": 
[ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Inbound" - }, - { - "Name": "DenyAllInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - "Direction": "Inbound" - }, - { - "Name": "AllowVnetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Outbound" - }, - { - "Name": "AllowInternetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "Internet" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Outbound" - }, - { - "Name": "DenyAllOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - "Direction": "Outbound" - } - ] - }, - "DC2-SHM-turing1": { - "Internet": "Reachable", - "Rules": [{ - "Name": "RPC_endpoint_mapper", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "135-135" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - 
"DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 200, - "Direction": "Inbound" - }, - { - "Name": "LDAP", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "389-389" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 201, - "Direction": "Inbound" - }, - { - "Name": "LDAP_Ping", - "Protocol": "Udp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "389-389" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 202, - "Direction": "Inbound" - }, - { - "Name": "LDAP_over_SSL", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "636-636" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 203, - "Direction": "Inbound" - }, - { - "Name": "Global_catalog_LDAP", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "3268-3268" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 204, - "Direction": "Inbound" - }, - { - "Name": "Global_catalog_LDAP_over_SSL", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "3269-3269" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - 
"DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 205, - "Direction": "Inbound" - }, - { - "Name": "DNS", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "53-53" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 206, - "Direction": "Inbound" - }, - { - "Name": "Kerberos", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "88-88" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 207, - "Direction": "Inbound" - }, - { - "Name": "SMB_over_IP_Microsoft-DS", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "445-445" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 208, - "Direction": "Inbound" - }, - { - "Name": "NetBIOS_service", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "137-137" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 209, - "Direction": "Inbound" - }, - { - "Name": "NetBIOS_datagram_service", - "Protocol": "Udp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "138-138" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - 
"DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 210, - "Direction": "Inbound" - }, - { - "Name": "NetBIOS_session_service", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "139-139" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 211, - "Direction": "Inbound" - }, - { - "Name": "RPC_for_LSA_SAM_Netlogon", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "49152-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 212, - "Direction": "Inbound" - }, - { - "Name": "Kerberos_Password_Change", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "464-464" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 213, - "Direction": "Inbound" - }, - { - "Name": "Active_Directory_Web_Services", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "9389-9389" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 214, - "Direction": "Inbound" - }, - { - "Name": "RADIUS_Authenitcation_RDS_to_NPS", - "Protocol": "Udp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - 
"1645-1645", - "1646-1646", - "1812-1812", - "1813-1813" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 300, - "Direction": "Inbound" - }, - { - "Name": "Remote_Desktop_Connection", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "3389-3389" - ], - "SourceAddressPrefix": [ - "172.16.201.0/24" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 400, - "Direction": "Inbound" - }, - { - "Name": "Deny_All", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 3000, - "Direction": "Inbound" - }, - { - "Name": "AllowVnetInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Inbound" - }, - { - "Name": "AllowAzureLoadBalancerInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "AzureLoadBalancer" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Inbound" - }, - { - "Name": "DenyAllInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], 
- "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - "Direction": "Inbound" - }, - { - "Name": "AllowVnetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Outbound" - }, - { - "Name": "AllowInternetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "Internet" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Outbound" - }, - { - "Name": "DenyAllOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - "Direction": "Outbound" - } - ] - }, - "NPS-SHM-turing1": { - "Internet": "Reachable", - "Rules": [{ - "Name": "RPC_endpoint_mapper", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "135-135" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 200, - "Direction": "Inbound" - }, - { - "Name": "LDAP", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - 
], - "DestinationPortRange": [ - "389-389" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 201, - "Direction": "Inbound" - }, - { - "Name": "LDAP_Ping", - "Protocol": "Udp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "389-389" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 202, - "Direction": "Inbound" - }, - { - "Name": "LDAP_over_SSL", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "636-636" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 203, - "Direction": "Inbound" - }, - { - "Name": "Global_catalog_LDAP", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "3268-3268" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 204, - "Direction": "Inbound" - }, - { - "Name": "Global_catalog_LDAP_over_SSL", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "3269-3269" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 205, - "Direction": "Inbound" - }, - { - "Name": "DNS", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], 
- "DestinationPortRange": [ - "53-53" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 206, - "Direction": "Inbound" - }, - { - "Name": "Kerberos", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "88-88" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 207, - "Direction": "Inbound" - }, - { - "Name": "SMB_over_IP_Microsoft-DS", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "445-445" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 208, - "Direction": "Inbound" - }, - { - "Name": "NetBIOS_service", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "137-137" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 209, - "Direction": "Inbound" - }, - { - "Name": "NetBIOS_datagram_service", - "Protocol": "Udp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "138-138" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 210, - "Direction": "Inbound" - }, - { - "Name": "NetBIOS_session_service", - "Protocol": "Tcp", - "SourcePortRange": [ - 
"0-65535" - ], - "DestinationPortRange": [ - "139-139" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 211, - "Direction": "Inbound" - }, - { - "Name": "RPC_for_LSA_SAM_Netlogon", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "49152-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 212, - "Direction": "Inbound" - }, - { - "Name": "Kerberos_Password_Change", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "464-464" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 213, - "Direction": "Inbound" - }, - { - "Name": "Active_Directory_Web_Services", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "9389-9389" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 214, - "Direction": "Inbound" - }, - { - "Name": "RADIUS_Authenitcation_RDS_to_NPS", - "Protocol": "Udp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "1645-1645", - "1646-1646", - "1812-1812", - "1813-1813" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 300, - 
"Direction": "Inbound" - }, - { - "Name": "Remote_Desktop_Connection", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "3389-3389" - ], - "SourceAddressPrefix": [ - "172.16.201.0/24" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 400, - "Direction": "Inbound" - }, - { - "Name": "Deny_All", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 3000, - "Direction": "Inbound" - }, - { - "Name": "AllowVnetInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Inbound" - }, - { - "Name": "AllowAzureLoadBalancerInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "AzureLoadBalancer" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Inbound" - }, - { - "Name": "DenyAllInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - "Direction": "Inbound" - }, - { - "Name": 
"AllowVnetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Outbound" - }, - { - "Name": "AllowInternetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "Internet" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Outbound" - }, - { - "Name": "DenyAllOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - "Direction": "Outbound" - } - ] - }, - "CRAN-MIRROR-EXTERNAL-TIER-2": { - "Internet": "Reachable", - "Rules": [{ - "Name": "IgnoreInboundRulesBelowHere", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 3000, - "Direction": "Inbound" - }, - { - "Name": "updateOutbound", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "443-443", - "873-873" - ], - "SourceAddressPrefix": [ - "10.20.2.0/28" - ], - "DestinationAddressPrefix": [ - "Internet" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 300, - 
"Direction": "Outbound" - }, - { - "Name": "IgnoreOutboundRulesBelowHere", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 3000, - "Direction": "Outbound" - }, - { - "Name": "rsyncOutbound", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "22-22", - "873-873" - ], - "SourceAddressPrefix": [ - "10.20.2.0/28" - ], - "DestinationAddressPrefix": [ - "10.20.2.16/28" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 400, - "Direction": "Outbound" - }, - { - "Name": "AllowVnetInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Inbound" - }, - { - "Name": "AllowAzureLoadBalancerInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "AzureLoadBalancer" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Inbound" - }, - { - "Name": "DenyAllInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - "Direction": "Inbound" - 
}, - { - "Name": "AllowVnetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Outbound" - }, - { - "Name": "AllowInternetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "Internet" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Outbound" - }, - { - "Name": "DenyAllOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - "Direction": "Outbound" - } - ] - }, - "CRAN-MIRROR-INTERNAL-TIER-2": { - "Internet": "Unreachable", - "Rules": [{ - "Name": "rsyncInbound", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "22-22", - "873-873" - ], - "SourceAddressPrefix": [ - "10.20.2.0/28" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 200, - "Direction": "Inbound" - }, - { - "Name": "mirrorRequestsInbound", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "80-80", - "443-443", - "3128-3128" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - 
"Access": "Allow", - "Priority": 300, - "Direction": "Inbound" - }, - { - "Name": "IgnoreInboundRulesBelowHere", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 3000, - "Direction": "Inbound" - }, - { - "Name": "IgnoreOutboundRulesBelowHere", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 3000, - "Direction": "Outbound" - }, - { - "Name": "AllowVnetInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Inbound" - }, - { - "Name": "AllowAzureLoadBalancerInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "AzureLoadBalancer" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Inbound" - }, - { - "Name": "DenyAllInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - 
"Direction": "Inbound" - }, - { - "Name": "AllowVnetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Outbound" - }, - { - "Name": "AllowInternetOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "Internet" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Outbound" - }, - { - "Name": "DenyAllOutBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 65500, - "Direction": "Outbound" - } - ] - }, - "PYPI-MIRROR-EXTERNAL-TIER-2": { - "Internet": "Reachable", - "Rules": [{ - "Name": "IgnoreInboundRulesBelowHere", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 3000, - "Direction": "Inbound" - }, - { - "Name": "updateOutbound", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "443-443", - "873-873" - ], - "SourceAddressPrefix": [ - "10.20.2.0/28" - ], - "DestinationAddressPrefix": [ - "Internet" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - 
"Access": "Allow", - "Priority": 300, - "Direction": "Outbound" - }, - { - "Name": "IgnoreOutboundRulesBelowHere", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - "Priority": 3000, - "Direction": "Outbound" - }, - { - "Name": "rsyncOutbound", - "Protocol": "Tcp", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "22-22", - "873-873" - ], - "SourceAddressPrefix": [ - "10.20.2.0/28" - ], - "DestinationAddressPrefix": [ - "10.20.2.16/28" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 400, - "Direction": "Outbound" - }, - { - "Name": "AllowVnetInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "VirtualNetwork" - ], - "DestinationAddressPrefix": [ - "VirtualNetwork" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65000, - "Direction": "Inbound" - }, - { - "Name": "AllowAzureLoadBalancerInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "AzureLoadBalancer" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Allow", - "Priority": 65001, - "Direction": "Inbound" - }, - { - "Name": "DenyAllInBound", - "Protocol": "All", - "SourcePortRange": [ - "0-65535" - ], - "DestinationPortRange": [ - "0-65535" - ], - "SourceAddressPrefix": [ - "*" - ], - "DestinationAddressPrefix": [ - "*" - ], - "ExpandedSourceAddressPrefix": null, - "ExpandedDestinationAddressPrefix": null, - "Access": "Deny", - 
"Priority": 65500,
- "Direction": "Inbound"
- },
- {
- "Name": "AllowVnetOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "VirtualNetwork"
- ],
- "DestinationAddressPrefix": [
- "VirtualNetwork"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65000,
- "Direction": "Outbound"
- },
- {
- "Name": "AllowInternetOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "Internet"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65001,
- "Direction": "Outbound"
- },
- {
- "Name": "DenyAllOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 65500,
- "Direction": "Outbound"
- }
- ]
- },
- "PYPI-MIRROR-EXTERNAL-TIER-3": {
- "Internet": "Reachable",
- "Rules": [{
- "Name": "IgnoreInboundRulesBelowHere",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 3000,
- "Direction": "Inbound"
- },
- {
- "Name": "updateOutbound",
- "Protocol": "Tcp",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "443-443",
- "873-873"
- ],
- "SourceAddressPrefix": [
- "10.20.3.0/28"
- ],
- "DestinationAddressPrefix": [
- "Internet"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 300,
- "Direction": "Outbound"
- },
- {
- "Name": "IgnoreOutboundRulesBelowHere",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 3000,
- "Direction": "Outbound"
- },
- {
- "Name": "rsyncOutbound",
- "Protocol": "Tcp",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "22-22",
- "873-873"
- ],
- "SourceAddressPrefix": [
- "10.20.3.0/28"
- ],
- "DestinationAddressPrefix": [
- "10.20.3.16/28"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 400,
- "Direction": "Outbound"
- },
- {
- "Name": "AllowVnetInBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "VirtualNetwork"
- ],
- "DestinationAddressPrefix": [
- "VirtualNetwork"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65000,
- "Direction": "Inbound"
- },
- {
- "Name": "AllowAzureLoadBalancerInBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "AzureLoadBalancer"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65001,
- "Direction": "Inbound"
- },
- {
- "Name": "DenyAllInBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 65500,
- "Direction": "Inbound"
- },
- {
- "Name": "AllowVnetOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "VirtualNetwork"
- ],
- "DestinationAddressPrefix": [
- "VirtualNetwork"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65000,
- "Direction": "Outbound"
- },
- {
- "Name": "AllowInternetOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "Internet"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65001,
- "Direction": "Outbound"
- },
- {
- "Name": "DenyAllOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 65500,
- "Direction": "Outbound"
- }
- ]
- },
- "PYPI-MIRROR-INTERNAL-TIER-2": {
- "Internet": "Unreachable",
- "Rules": [{
- "Name": "rsyncInbound",
- "Protocol": "Tcp",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "22-22",
- "873-873"
- ],
- "SourceAddressPrefix": [
- "10.20.2.0/28"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 200,
- "Direction": "Inbound"
- },
- {
- "Name": "mirrorRequestsInbound",
- "Protocol": "Tcp",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "80-80",
- "443-443",
- "3128-3128"
- ],
- "SourceAddressPrefix": [
- "VirtualNetwork"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 300,
- "Direction": "Inbound"
- },
- {
- "Name": "IgnoreInboundRulesBelowHere",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 3000,
- "Direction": "Inbound"
- },
- {
- "Name": "IgnoreOutboundRulesBelowHere",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 3000,
- "Direction": "Outbound"
- },
- {
- "Name": "AllowVnetInBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "VirtualNetwork"
- ],
- "DestinationAddressPrefix": [
- "VirtualNetwork"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65000,
- "Direction": "Inbound"
- },
- {
- "Name": "AllowAzureLoadBalancerInBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "AzureLoadBalancer"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65001,
- "Direction": "Inbound"
- },
- {
- "Name": "DenyAllInBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 65500,
- "Direction": "Inbound"
- },
- {
- "Name": "AllowVnetOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "VirtualNetwork"
- ],
- "DestinationAddressPrefix": [
- "VirtualNetwork"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65000,
- "Direction": "Outbound"
- },
- {
- "Name": "AllowInternetOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "Internet"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65001,
- "Direction": "Outbound"
- },
- {
- "Name": "DenyAllOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 65500,
- "Direction": "Outbound"
- }
- ]
- },
- "PYPI-MIRROR-INTERNAL-TIER-3": {
- "Internet": "Unreachable",
- "Rules": [{
- "Name": "rsyncInbound",
- "Protocol": "Tcp",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "22-22",
- "873-873"
- ],
- "SourceAddressPrefix": [
- "10.20.3.0/28"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 200,
- "Direction": "Inbound"
- },
- {
- "Name": "mirrorRequestsInbound",
- "Protocol": "Tcp",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "80-80",
- "443-443",
- "3128-3128"
- ],
- "SourceAddressPrefix": [
- "VirtualNetwork"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 300,
- "Direction": "Inbound"
- },
- {
- "Name": "IgnoreInboundRulesBelowHere",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 3000,
- "Direction": "Inbound"
- },
- {
- "Name": "IgnoreOutboundRulesBelowHere",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 3000,
- "Direction": "Outbound"
- },
- {
- "Name": "AllowVnetInBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "VirtualNetwork"
- ],
- "DestinationAddressPrefix": [
- "VirtualNetwork"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65000,
- "Direction": "Inbound"
- },
- {
- "Name": "AllowAzureLoadBalancerInBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "AzureLoadBalancer"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65001,
- "Direction": "Inbound"
- },
- {
- "Name": "DenyAllInBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 65500,
- "Direction": "Inbound"
- },
- {
- "Name": "AllowVnetOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "VirtualNetwork"
- ],
- "DestinationAddressPrefix": [
- "VirtualNetwork"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65000,
- "Direction": "Outbound"
- },
- {
- "Name": "AllowInternetOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "Internet"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Allow",
- "Priority": 65001,
- "Direction": "Outbound"
- },
- {
- "Name": "DenyAllOutBound",
- "Protocol": "All",
- "SourcePortRange": [
- "0-65535"
- ],
- "DestinationPortRange": [
- "0-65535"
- ],
- "SourceAddressPrefix": [
- "*"
- ],
- "DestinationAddressPrefix": [
- "*"
- ],
- "ExpandedSourceAddressPrefix": null,
- "ExpandedDestinationAddressPrefix": null,
- "Access": "Deny",
- "Priority": 65500,
- "Direction": "Outbound"
- }
- ]
- }
+ "DC1-SHM-turing1": {
+ "InternetFromPort": {
+ "80": "Reachable",
+ "443": "Reachable"
+ },
+ "Rules": [{
+ "Name": "RPC_endpoint_mapper",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "135-135"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 200,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "LDAP",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "389-389"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 201,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "LDAP_Ping",
+ "Protocol": "Udp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "389-389"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 202,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "LDAP_over_SSL",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "636-636"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 203,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Global_catalog_LDAP",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "3268-3268"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 204,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Global_catalog_LDAP_over_SSL",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "3269-3269"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 205,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "DNS",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "53-53"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 206,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Kerberos",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "88-88"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 207,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "SMB_over_IP_Microsoft-DS",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "445-445"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 208,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "NetBIOS_service",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "137-137"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 209,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "NetBIOS_datagram_service",
+ "Protocol": "Udp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "138-138"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 210,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "NetBIOS_session_service",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "139-139"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 211,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "RPC_for_LSA_SAM_Netlogon",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "49152-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 212,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Kerberos_Password_Change",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "464-464"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 213,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Active_Directory_Web_Services",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "9389-9389"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 214,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "RADIUS_Authenitcation_RDS_to_NPS",
+ "Protocol": "Udp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "1645-1645",
+ "1646-1646",
+ "1812-1812",
+ "1813-1813"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 300,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Remote_Desktop_Connection",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "3389-3389"
+ ],
+ "SourceAddressPrefix": [
+ "172.16.201.0/24"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 400,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Deny_All",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 3000,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowVnetInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65000,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowAzureLoadBalancerInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "AzureLoadBalancer"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65001,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "DenyAllInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 65500,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowVnetOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65000,
+ "Direction": "Outbound"
+ },
+ {
+ "Name": "AllowInternetOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "Internet"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65001,
+ "Direction": "Outbound"
+ },
+ {
+ "Name": "DenyAllOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 65500,
+ "Direction": "Outbound"
+ }
+ ]
+ },
+ "DC2-SHM-turing1": {
+ "InternetFromPort": {
+ "80": "Reachable",
+ "443": "Reachable"
+ },
+ "Rules": [{
+ "Name": "RPC_endpoint_mapper",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "135-135"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 200,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "LDAP",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "389-389"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 201,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "LDAP_Ping",
+ "Protocol": "Udp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "389-389"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 202,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "LDAP_over_SSL",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "636-636"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 203,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Global_catalog_LDAP",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "3268-3268"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 204,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Global_catalog_LDAP_over_SSL",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "3269-3269"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 205,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "DNS",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "53-53"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 206,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Kerberos",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "88-88"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 207,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "SMB_over_IP_Microsoft-DS",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "445-445"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 208,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "NetBIOS_service",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "137-137"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 209,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "NetBIOS_datagram_service",
+ "Protocol": "Udp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "138-138"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 210,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "NetBIOS_session_service",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "139-139"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 211,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "RPC_for_LSA_SAM_Netlogon",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "49152-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 212,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Kerberos_Password_Change",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "464-464"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 213,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Active_Directory_Web_Services",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "9389-9389"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 214,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "RADIUS_Authenitcation_RDS_to_NPS",
+ "Protocol": "Udp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "1645-1645",
+ "1646-1646",
+ "1812-1812",
+ "1813-1813"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 300,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Remote_Desktop_Connection",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "3389-3389"
+ ],
+ "SourceAddressPrefix": [
+ "172.16.201.0/24"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 400,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Deny_All",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 3000,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowVnetInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65000,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowAzureLoadBalancerInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "AzureLoadBalancer"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65001,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "DenyAllInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 65500,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowVnetOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65000,
+ "Direction": "Outbound"
+ },
+ {
+ "Name": "AllowInternetOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "Internet"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65001,
+ "Direction": "Outbound"
+ },
+ {
+ "Name": "DenyAllOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 65500,
+ "Direction": "Outbound"
+ }
+ ]
+ },
+ "NPS-SHM-turing1": {
+ "InternetFromPort": {
+ "80": "Reachable",
+ "443": "Reachable"
+ },
+ "Rules": [{
+ "Name": "RPC_endpoint_mapper",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "135-135"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 200,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "LDAP",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "389-389"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 201,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "LDAP_Ping",
+ "Protocol": "Udp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "389-389"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 202,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "LDAP_over_SSL",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "636-636"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 203,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Global_catalog_LDAP",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "3268-3268"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 204,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Global_catalog_LDAP_over_SSL",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "3269-3269"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 205,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "DNS",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "53-53"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 206,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Kerberos",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "88-88"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 207,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "SMB_over_IP_Microsoft-DS",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "445-445"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 208,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "NetBIOS_service",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "137-137"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 209,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "NetBIOS_datagram_service",
+ "Protocol": "Udp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "138-138"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 210,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "NetBIOS_session_service",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "139-139"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 211,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "RPC_for_LSA_SAM_Netlogon",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "49152-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 212,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Kerberos_Password_Change",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "464-464"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 213,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Active_Directory_Web_Services",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "9389-9389"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 214,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "RADIUS_Authenitcation_RDS_to_NPS",
+ "Protocol": "Udp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "1645-1645",
+ "1646-1646",
+ "1812-1812",
+ "1813-1813"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 300,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Remote_Desktop_Connection",
+ "Protocol": "Tcp",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "3389-3389"
+ ],
+ "SourceAddressPrefix": [
+ "172.16.201.0/24"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 400,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "Deny_All",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 3000,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowVnetInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65000,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowAzureLoadBalancerInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "AzureLoadBalancer"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65001,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "DenyAllInBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "*"
+ ],
+ "DestinationAddressPrefix": [
+ "*"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Deny",
+ "Priority": 65500,
+ "Direction": "Inbound"
+ },
+ {
+ "Name": "AllowVnetOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ "0-65535"
+ ],
+ "SourceAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "DestinationAddressPrefix": [
+ "VirtualNetwork"
+ ],
+ "ExpandedSourceAddressPrefix": null,
+ "ExpandedDestinationAddressPrefix": null,
+ "Access": "Allow",
+ "Priority": 65000,
+ "Direction": "Outbound"
+ },
+ {
+ "Name": "AllowInternetOutBound",
+ "Protocol": "All",
+ "SourcePortRange": [
+ "0-65535"
+ ],
+ "DestinationPortRange": [
+ 
"0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "CRAN-MIRROR-EXTERNAL-TIER-2": { + "InternetFromPort": { + "80": "Unreachable", + "443": "Reachable" + }, + "Rules": [{ + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "updateOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "443-443", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Outbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "rsyncOutbound", + "Protocol": "Tcp", + 
"SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "10.20.2.16/28" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 400, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + 
"SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "CRAN-MIRROR-INTERNAL-TIER-2": { + "InternetFromPort": { + "80": "Unreachable", + "443": "Unreachable" + }, + "Rules": [{ + "Name": "rsyncInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 200, + "Direction": "Inbound" + }, + { + "Name": "mirrorRequestsInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "80-80", + "443-443", + "3128-3128" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Inbound" + }, + { + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + 
"Direction": "Inbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, 
+ { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "PYPI-MIRROR-EXTERNAL-TIER-2": { + "InternetFromPort": { + "80": "Unreachable", + "443": "Reachable" + }, + "Rules": [{ + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "updateOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "443-443", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Outbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + 
"Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "rsyncOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "10.20.2.16/28" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 400, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": 
"Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "PYPI-MIRROR-EXTERNAL-TIER-3": { + "InternetFromPort": { + "80": "Unreachable", + "443": "Reachable" + }, + "Rules": [{ + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "updateOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "443-443", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.3.0/28" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Outbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + 
"ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "rsyncOutbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.3.0/28" + ], + "DestinationAddressPrefix": [ + "10.20.3.16/28" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 400, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + 
"ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "PYPI-MIRROR-INTERNAL-TIER-2": { + "InternetFromPort": { + "80": "Unreachable", + "443": "Unreachable" + }, + "Rules": [{ + "Name": "rsyncInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.2.0/28" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 200, + "Direction": "Inbound" + }, + { + "Name": "mirrorRequestsInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "80-80", + "443-443", + "3128-3128" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Inbound" + }, + { + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + 
"0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + 
"VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + }, + "PYPI-MIRROR-INTERNAL-TIER-3": { + "InternetFromPort": { + "80": "Unreachable", + "443": "Unreachable" + }, + "Rules": [{ + "Name": "rsyncInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "22-22", + "873-873" + ], + "SourceAddressPrefix": [ + "10.20.3.0/28" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 200, + "Direction": "Inbound" + }, + { + "Name": "mirrorRequestsInbound", + "Protocol": "Tcp", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "80-80", + "443-443", + "3128-3128" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 300, + "Direction": "Inbound" + }, + { + "Name": "IgnoreInboundRulesBelowHere", + "Protocol": 
"All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Inbound" + }, + { + "Name": "IgnoreOutboundRulesBelowHere", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 3000, + "Direction": "Outbound" + }, + { + "Name": "AllowVnetInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Inbound" + }, + { + "Name": "AllowAzureLoadBalancerInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "AzureLoadBalancer" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Inbound" + }, + { + "Name": "DenyAllInBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Inbound" + }, + { + "Name": "AllowVnetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + 
"DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "VirtualNetwork" + ], + "DestinationAddressPrefix": [ + "VirtualNetwork" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65000, + "Direction": "Outbound" + }, + { + "Name": "AllowInternetOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "Internet" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Allow", + "Priority": 65001, + "Direction": "Outbound" + }, + { + "Name": "DenyAllOutBound", + "Protocol": "All", + "SourcePortRange": [ + "0-65535" + ], + "DestinationPortRange": [ + "0-65535" + ], + "SourceAddressPrefix": [ + "*" + ], + "DestinationAddressPrefix": [ + "*" + ], + "ExpandedSourceAddressPrefix": null, + "ExpandedDestinationAddressPrefix": null, + "Access": "Deny", + "Priority": 65500, + "Direction": "Outbound" + } + ] + } } \ No newline at end of file diff --git a/tests/benchmark_sre.json b/tests/benchmark_sre.json index 0a36c82eb3..d915e5280e 100644 --- a/tests/benchmark_sre.json +++ b/tests/benchmark_sre.json @@ -1,6 +1,9 @@ { "DSG201912021337-160": { - "Internet": "Unreachable", + "InternetFromPort": { + "80": "Unreachable", + "443": "Unreachable" + }, "Rules": [{ "Name": "Internet_Out", "Protocol": "All", @@ -151,7 +154,10 @@ ] }, "DATA-DSG11": { - "Internet": "Unreachable", + "InternetFromPort": { + "80": "Unreachable", + "443": "Unreachable" + }, "Rules": [{ "Name": "Deny_Internet", "Protocol": "All", @@ -302,7 +308,10 @@ ] }, "DC-DSG11": { - "Internet": "Reachable", + "InternetFromPort": { + "80": "Reachable", + "443": "Reachable" + }, "Rules": [ { "Name": "AllowVnetInBound", 
@@ -433,7 +442,10 @@
 ]
 },
 "GITLAB-DSG11": {
- "Internet": "Unreachable",
+ "InternetFromPort": {
+ "80": "Unreachable",
+ "443": "Unreachable"
+ },
 "Rules": [{
 "Name": "Internet_Out",
 "Protocol": "All",
@@ -584,7 +596,10 @@
 ]
 },
 "HACKMD-DSG11": {
- "Internet": "Unreachable",
+ "InternetFromPort": {
+ "80": "Unreachable",
+ "443": "Unreachable"
+ },
 "Rules": [{
 "Name": "Internet_Out",
 "Protocol": "All",
@@ -735,7 +750,10 @@
 ]
 },
 "RDS-DSG11": {
- "Internet": "Reachable",
+ "InternetFromPort": {
+ "80": "Reachable",
+ "443": "Reachable"
+ },
 "Rules": [{
 "Name": "HTTPS_In",
 "Protocol": "TCP",
@@ -910,7 +928,10 @@
 ]
 },
 "RDSSH1-DSG11": {
- "Internet": "Unreachable",
+ "InternetFromPort": {
+ "80": "Unreachable",
+ "443": "Unreachable"
+ },
 "Rules": [{
 "Name": "Deny_Internet",
 "Protocol": "All",
@@ -1061,7 +1082,10 @@
 ]
 },
 "RDSSH2-DSG11": {
- "Internet": "Unreachable",
+ "InternetFromPort": {
+ "80": "Unreachable",
+ "443": "Unreachable"
+ },
 "Rules": [{
 "Name": "Deny_Internet",
 "Protocol": "All",
From 8526c4da1696d95b532e90fe38a3aa857e0608b4 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Wed, 4 Mar 2020 20:31:01 +0000
Subject: [PATCH 15/16] Update to always load from JSON config
---
 tests/Compare_Deployments.ps1 | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1
index 5a81c7845f..d30eed796e 100644
--- a/tests/Compare_Deployments.ps1
+++ b/tests/Compare_Deployments.ps1
@@ -119,7 +119,7 @@ function Test-OutboundConnection {
 }
 }
 }
- Add-LogMessage -Level Info "... testing connectivity"
+ Add-LogMessage -Level Info "... testing connectivity on port $DestinationPort"
 $networkCheck = Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM.Id -DestinationAddress $DestinationAddress -DestinationPort $DestinationPort -ErrorVariable NotAvailable -ErrorAction SilentlyContinue
 if ($NotAvailable) {
 Add-LogMessage -Level Warning "Unable to test connection for $($VM.Name)"
@@ -235,8 +235,8 @@ if ($BenchmarkSubscription) {
 Add-LogMessage -Level Info "Getting NSG rules and connectivity for $($VM.Name)"
 $JsonConfig[$benchmarkVM.Name] = [ordered]@{
 InternetFromPort = [ordered]@{
- 80 = Test-OutboundConnection -VM $benchmarkVM -DestinationAddress "google.com" -DestinationPort 80
- 443 = Test-OutboundConnection -VM $benchmarkVM -DestinationAddress "google.com" -DestinationPort 443
+ "80" = (Test-OutboundConnection -VM $benchmarkVM -DestinationAddress "google.com" -DestinationPort 80)
+ "443" = (Test-OutboundConnection -VM $benchmarkVM -DestinationAddress "google.com" -DestinationPort 443)
 }
 Rules = Get-NSGRules -VM $benchmarkVM
 }
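Review bot: The `if ($NotAvailable)` branch after the Test-AzNetworkWatcherConnectivity call only logs a warning, so whatever Test-OutboundConnection returns in that case (the rest of the function is outside this hunk) is written into the benchmark JSON and later compared as if it were a real probe result. If that fall-through value is indistinguishable from a genuine `Unreachable`, a missing or failing Network Watcher would make a deployment whose egress is actually open look compliant; consider returning a distinct value from that branch, e.g. `return "Unknown"`, and treating it as a comparison failure rather than a match. The enclosing function starts outside the hunk.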
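Review bot: The probe target `"google.com"` is hard-coded twice in the `InternetFromPort` entries, and the benchmark JSON this block produces records only `Reachable`/`Unreachable` without saying what was probed, so a reader of a saved config cannot tell that "Internet reachable" means a Network Watcher TCP check to google.com on 80/443. I would hoist it into one documented variable above this block: `$InternetProbeHost = "google.com"  # destination for the Network Watcher egress check on ports 80/443`. Quoting the keys as `"80"`/`"443"` is the right change for the JSON round-trip, since property names come back from ConvertFrom-Json as strings. The enclosing `if ($BenchmarkSubscription)` block starts outside the hunk.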
@@ -244,15 +244,17 @@ if ($BenchmarkSubscription) {
 $OutputFile = New-TemporaryFile
 Out-File -FilePath $OutputFile -Encoding "UTF8" -InputObject ($JsonConfig | ConvertTo-Json -Depth 10)
 Add-LogMessage -Level Info "Configuration file generated at '$($OutputFile.FullName)'"
+ $BenchmarkJsonPath = $OutputFile.FullName
 } elseif ($BenchmarkConfig) {
- $JsonConfig = Get-Content -Path $BenchmarkConfig -Raw -Encoding UTF-8 | ConvertFrom-Json
+ $BenchmarkJsonPath = $BenchmarkConfig
 }
 # Deserialise VMs from JSON config
 # --------------------------------
+$BenchmarkJsonConfig = Get-Content -Path $BenchmarkJsonPath -Raw -Encoding UTF-8 | ConvertFrom-Json
 $benchmarkVMs = @()
-foreach ($JsonVm in $JsonConfig.PSObject.Properties) {
+foreach ($JsonVm in $BenchmarkJsonConfig.PSObject.Properties) {
 $VM = New-Object -TypeName PsObject
 $VM | Add-Member -MemberType NoteProperty -Name Name -Value $JsonVm.Name
 $VM | Add-Member -MemberType NoteProperty -Name InternetFromPort -Value @{}
From a5a51c8a8dd29164163466ae4d98970880ff95ef Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Thu, 5 Mar 2020 12:02:15 +0000
Subject: [PATCH 16/16] Updated logging message
---
 tests/Compare_Deployments.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/Compare_Deployments.ps1 b/tests/Compare_Deployments.ps1
index d30eed796e..be43f5dac2 100644
--- a/tests/Compare_Deployments.ps1
+++ b/tests/Compare_Deployments.ps1
@@ -67,7 +67,7 @@ function Compare-NSGRules {
 $nMatched += 1
 if ($VerboseLogging) { Add-LogMessage -Level Info "Found matching rule for $($benchmarkRule.Name)" }
 } else {
- Add-LogMessage -Level Error "Could not find matching rule for $($benchmarkRule.Name)"
+ Add-LogMessage -Level Error "Could not find an identical rule for $($benchmarkRule.Name)"
 $unmatched += $benchmarkRule.Name
 $benchmarkRule | Out-String
 Add-LogMessage -Level Info "Closest match was:"
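Review bot: `$BenchmarkJsonPath` is assigned only inside the `if ($BenchmarkSubscription)` and `elseif ($BenchmarkConfig)` branches, so when neither is given the new `Get-Content -Path $BenchmarkJsonPath` line runs with an empty path and fails with an unrelated parameter-binding error instead of saying what is missing; unless a parameter set already enforces one of the two (the param block and the start of the `if` are outside this hunk), guard it with `if (-not $BenchmarkJsonPath) { Add-LogMessage -Level Error "Either a benchmark subscription or a benchmark config file must be given"; exit 1 }`. The same new line reads the file with `-Encoding UTF-8` while the `Out-File` above writes it with `-Encoding "UTF8"`; under Windows PowerShell 5.1 `UTF-8` is not an accepted value for `-Encoding`, so use `UTF8` in both places. The generated benchmark stays in the file that `New-TemporaryFile` created and its path is only logged; since it holds the deployment's NSG rules and address prefixes, a comment saying that the file is not cleaned up, or a `Remove-Item` once it has been read, would help.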