Azure API Management NSG Rules with PowerShell

When configuring or upgrading an Azure API Management stv2 instance on a Virtual Network (VNET), it is necessary to use a Network Security Group (NSG) and configure certain rules for the service to work.

“A network security group (NSG) is required to explicitly allow inbound connectivity, because the load balancer used internally by API Management is secure by default and rejects all inbound traffic.”

The Microsoft documentation lists these NSG rules, but it can be time-consuming to enter them manually using the Azure Portal, particularly if you have several API Management instances to upgrade or configure. This short code snippet uses PowerShell to deploy these rules, making the process much quicker and less prone to misconfiguration than the manual method.

#Requires -Modules Az.Network
param(
    [Parameter(Mandatory)] [string] $Name,              # name of the NSG attached to the API Management subnet
    [Parameter(Mandatory)] [string] $ResourceGroupName  # resource group that holds the NSG
)
# Rules are taken from the stv2 table in the Microsoft documentation (link below). Each
# Add-AzNetworkSecurityRuleConfig only stages a rule on the in-memory NSG object; the final
# Set-AzNetworkSecurityGroup writes all of them to Azure in one update. Azure SQL endpoints
# listen on TCP 1433.
Get-AzNetworkSecurityGroup -Name $Name -ResourceGroupName $ResourceGroupName |
    Add-AzNetworkSecurityRuleConfig -Name "ClientCommunicationtoAPIM" -Description "Client communication to API Management" -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority 200 -SourceAddressPrefix "Internet" -SourcePortRange "*" -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange @(80, 443) |
    Add-AzNetworkSecurityRuleConfig -Name "ManagementEndpointForAzurePortalAndPowerShell" -Description "Management endpoint for Azure portal and PowerShell" -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority 210 -SourceAddressPrefix "ApiManagement" -SourcePortRange "*" -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange 3443 |
    Add-AzNetworkSecurityRuleConfig -Name "AzureInfrastructureLoadBalancer" -Description "Azure Infrastructure Load Balancer" -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority 220 -SourceAddressPrefix "AzureLoadBalancer" -SourcePortRange "*" -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange 6390 |
    Add-AzNetworkSecurityRuleConfig -Name "AzureTrafficManagerRoutingForMultiRegionDeployment" -Description "Azure Traffic Manager routing for multi-region deployment" -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority 230 -SourceAddressPrefix "AzureTrafficManager" -SourcePortRange "*" -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange 443 |
    Add-AzNetworkSecurityRuleConfig -Name "DependencyOnAzureStorage" -Description "Dependency on Azure Storage for core service functionality" -Access "Allow" -Protocol "Tcp" -Direction "Outbound" -Priority 240 -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "Storage" -DestinationPortRange 443 |
    Add-AzNetworkSecurityRuleConfig -Name "AccessToAzureSQLEndpoints" -Description "Access to Azure SQL endpoints for core service functionality" -Access "Allow" -Protocol "Tcp" -Direction "Outbound" -Priority 250 -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "SQL" -DestinationPortRange 1433 |
    Add-AzNetworkSecurityRuleConfig -Name "AccessToAzureKeyVault" -Description "Access to Azure Key Vault for core service functionality" -Access "Allow" -Protocol "Tcp" -Direction "Outbound" -Priority 260 -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "AzureKeyVault" -DestinationPortRange 443 |
    Add-AzNetworkSecurityRuleConfig -Name "PublishDiagnosticsLogsMetricsEtc" -Description "Publish Diagnostics Logs and Metrics, Resource Health, and Application Insights" -Access "Allow" -Protocol "Tcp" -Direction "Outbound" -Priority 270 -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "AzureMonitor" -DestinationPortRange @(1886, 443) |
    Set-AzNetworkSecurityGroup
# Reference: https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet?tabs=stv2#configure-nsg-rules
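As an added example that is not part of the original post, the PowerShell below audits an NSG against the same stv2 rule table and lists every (direction, source, destination, port) tuple that no Allow rule covers, which is the check to run after deployment or before an upgrade. Test-ApimNsgRules, New-SampleRule and the sample rule objects are hypothetical names constructed here; a live run feeds in the SecurityRules of Get-AzNetworkSecurityGroup instead.

```powershell
# Required NSG rules for an API Management stv2 instance in a VNET, per the
# Microsoft table referenced above (Azure SQL listens on TCP 1433).
$ExpectedApimRules = @(
    @{ Direction='Inbound';  Src='Internet';            Dst='VirtualNetwork'; Ports='80','443' }
    @{ Direction='Inbound';  Src='ApiManagement';       Dst='VirtualNetwork'; Ports='3443' }
    @{ Direction='Inbound';  Src='AzureLoadBalancer';   Dst='VirtualNetwork'; Ports='6390' }
    @{ Direction='Inbound';  Src='AzureTrafficManager'; Dst='VirtualNetwork'; Ports='443' }
    @{ Direction='Outbound'; Src='VirtualNetwork';      Dst='Storage';        Ports='443' }
    @{ Direction='Outbound'; Src='VirtualNetwork';      Dst='SQL';            Ports='1433' }
    @{ Direction='Outbound'; Src='VirtualNetwork';      Dst='AzureKeyVault';  Ports='443' }
    @{ Direction='Outbound'; Src='VirtualNetwork';      Dst='AzureMonitor';   Ports='1886','443' }
)

# Hypothetical helper: emits one MISSING row per expected tuple that no Allow rule in
# $Rules covers. Caveats: it matches exact port values (a range such as 80-443 is not
# expanded) and ignores priority, so a lower-numbered Deny that shadows an Allow is not seen.
function Test-ApimNsgRules {
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rules)
    foreach ($e in $ExpectedApimRules) {
        foreach ($port in $e.Ports) {
            $hit = $Rules | Where-Object {
                $_.Access -eq 'Allow' -and $_.Direction -eq $e.Direction -and
                $_.Protocol -in 'Tcp', '*' -and
                ($_.SourceAddressPrefix -contains $e.Src -or $_.SourceAddressPrefix -contains '*') -and
                ($_.DestinationAddressPrefix -contains $e.Dst -or $_.DestinationAddressPrefix -contains '*') -and
                ($_.DestinationPortRange -contains $port -or $_.DestinationPortRange -contains '*')
            }
            if (-not $hit) {
                [pscustomobject]@{ Direction=$e.Direction; Source=$e.Src; Destination=$e.Dst; Port=$port; Status='MISSING' }
            }
        }
    }
}

# Constructed sample standing in for (Get-AzNetworkSecurityGroup ...).SecurityRules, shaped
# like the Az rule objects; the SQL rule deliberately carries the 1443 typo so it is reported.
function New-SampleRule($Dir, $Src, $Dst, $Ports) {
    [pscustomobject]@{ Access='Allow'; Direction=$Dir; Protocol='Tcp'
                       SourceAddressPrefix=@($Src); DestinationAddressPrefix=@($Dst); DestinationPortRange=@($Ports) }
}
$sample = @(
    (New-SampleRule 'Inbound'  'Internet'       'VirtualNetwork' @('80','443'))
    (New-SampleRule 'Inbound'  'ApiManagement'  'VirtualNetwork' '3443')
    (New-SampleRule 'Outbound' 'VirtualNetwork' 'SQL'            '1443')
)
Test-ApimNsgRules -Rules $sample | Format-Table -AutoSize
# Against a live NSG:
# Test-ApimNsgRules -Rules (Get-AzNetworkSecurityGroup -Name $Name -ResourceGroupName $ResourceGroupName).SecurityRules
```

On the constructed sample the table reports the SQL 1433 tuple plus every rule the sample omits (load balancer, Traffic Manager, Storage, Key Vault and Monitor); an empty result means the NSG carries all eight rules.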