Support AH and ESP Protocols in NSG Rules #10113


Merged
merged 6 commits into from
Oct 1, 2019
Expand Up @@ -263,33 +263,37 @@ function Test-NetworkSecurityGroup-MultiValuedRules
$securityRule1Name = Get-ResourceName
$securityRule2Name = Get-ResourceName
$securityRule3Name = Get-ResourceName
$securityRule4Name = Get-ResourceName
$securityRule5Name = Get-ResourceName
$domainNameLabel = Get-ResourceName
$rglocation = Get-ProviderLocation ResourceManagement
$resourceTypeParent = "Microsoft.Network/NetworkSecurityGroups"
$location = Get-ProviderLocation $resourceTypeParent

try
{
# Create the resource group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $rglocation -Tags @{ testtag = "testval" }

# Create SecurityRule
$securityRule1 = New-AzNetworkSecurityRuleConfig -Name $securityRule1Name -Description "desciption" -Protocol Tcp -SourcePortRange 23-45,80-90 -DestinationPortRange 46-56,70-80 -SourceAddressPrefix 10.10.20.0/24,192.168.0.0/24 -DestinationAddressPrefix 10.10.30.0/24,192.168.2.0/24 -Access Allow -Priority 123 -Direction Inbound
$securityRule2 = New-AzNetworkSecurityRuleConfig -Name $securityRule2Name -Description "desciption" -Protocol Tcp -SourcePortRange 10-20,30-40 -DestinationPortRange 10-20,30-40 -SourceAddressPrefix Storage -DestinationAddressPrefix Storage -Access Allow -Priority 120 -Direction Inbound
$securityRule3 = New-AzNetworkSecurityRuleConfig -Name $securityRule3Name -Description "desciption" -Protocol Icmp -SourcePortRange 50-60,100-110 -DestinationPortRange 120-130,131-140 -SourceAddressPrefix Storage -DestinationAddressPrefix Storage -Access Allow -Priority 125 -Direction Inbound
$securityRule4 = New-AzNetworkSecurityRuleConfig -Name $securityRule4Name -Description "desciption" -Protocol Esp -SourcePortRange 150-160,170-180 -DestinationPortRange 190-200,210-220 -SourceAddressPrefix Storage -DestinationAddressPrefix Storage -Access Allow -Priority 127 -Direction Inbound
Thanks!

$securityRule5 = New-AzNetworkSecurityRuleConfig -Name $securityRule5Name -Description "desciption" -Protocol Ah -SourcePortRange 230-240,250-260 -DestinationPortRange 270-280,290-300 -SourceAddressPrefix Storage -DestinationAddressPrefix Storage -Access Allow -Priority 129 -Direction Inbound

# Create NetworkSecurityGroup
$nsg = New-AzNetworkSecurityGroup -name $nsgName -ResourceGroupName $rgname -Location $location -SecurityRules $securityRule1,$securityRule2,$securityRule3
$nsg = New-AzNetworkSecurityGroup -name $nsgName -ResourceGroupName $rgname -Location $location -SecurityRules $securityRule1,$securityRule2,$securityRule3,$securityRule4,$securityRule5

# Get NetworkSecurityGroup
$getNsg = Get-AzNetworkSecurityGroup -name $nsgName -ResourceGroupName $rgName

#verification
Assert-AreEqual $rgName $getNsg.ResourceGroupName
Assert-AreEqual $nsgName $getNsg.Name
Assert-NotNull $getNsg.Location
Assert-NotNull $getNsg.Etag
Assert-AreEqual 3 @($getNsg.SecurityRules).Count
Assert-AreEqual 5 @($getNsg.SecurityRules).Count
Assert-AreEqual 6 @($getNsg.DefaultSecurityRules).Count
Assert-AreEqual "AllowVnetInBound" $getNsg.DefaultSecurityRules[0].Name
Assert-AreEqual "AllowAzureLoadBalancerInBound" $getNsg.DefaultSecurityRules[1].Name
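Review bot: the new ESP and AH rules ($securityRule4, $securityRule5) are given SourcePortRange/DestinationPortRange values, but ESP and AH are IP-layer protocols with no port field, so these ranges exercise the multi-valued parameter plumbing rather than a rule an operator would write; that mirrors the existing ICMP rule ($securityRule3), so it is consistent with the test, but consider adding one ESP or AH case with `-SourcePortRange * -DestinationPortRange *` so the realistic form is also covered. The `-Description "desciption"` typo is pre-existing and the new rules copy it so the later assertions stay consistent, so leave it alone in this PR.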
Expand All @@ -298,7 +302,7 @@ function Test-NetworkSecurityGroup-MultiValuedRules
Assert-AreEqual "AllowInternetOutBound" $getNsg.DefaultSecurityRules[4].Name
Assert-AreEqual "DenyAllOutBound" $getNsg.DefaultSecurityRules[5].Name

# verify rule 1.
# verify rule 1.
Assert-AreEqual $securityRule1Name $getNsg.SecurityRules[0].Name
Assert-NotNull $getNsg.SecurityRules[0].Etag
Assert-AreEqual "desciption" $getNsg.SecurityRules[0].Description
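Review bot: the only change in this hunk is to the `# verify rule 1.` comment, which reads identically before and after, so it is a whitespace-only edit (trailing space or indentation); consider dropping it so the diff stays limited to the ESP/AH change.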
Expand All @@ -319,8 +323,8 @@ function Test-NetworkSecurityGroup-MultiValuedRules
Assert-AreEqual "123" $getNsg.SecurityRules[0].Priority
Assert-AreEqual "Inbound" $getNsg.SecurityRules[0].Direction

# verify rule 2
Assert-AreEqual "desciption" $getNsg.SecurityRules[1].Description
# verify rule 2
Assert-AreEqual "desciption" $getNsg.SecurityRules[1].Description
Assert-AreEqual "Tcp" $getNsg.SecurityRules[1].Protocol
Assert-AreEqual 2 @($getNsg.SecurityRules[1].SourcePortRange).Count
Assert-AreEqual "10-20" $getNsg.SecurityRules[1].SourcePortRange[0]
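Review bot: the two replaced lines `# verify rule 2` and `Assert-AreEqual "desciption" $getNsg.SecurityRules[1].Description` are character-identical to the two added lines, so this hunk is a whitespace-only edit as well; consider reverting it to keep the review focused on the functional change.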
Expand Down Expand Up @@ -353,6 +357,40 @@ function Test-NetworkSecurityGroup-MultiValuedRules
Assert-AreEqual "125" $getNsg.SecurityRules[2].Priority
Assert-AreEqual "Inbound" $getNsg.SecurityRules[2].Direction

# verify rule 4
Assert-AreEqual "desciption" $getNsg.SecurityRules[3].Description
Assert-AreEqual "Esp" $getNsg.SecurityRules[3].Protocol
Assert-AreEqual 2 @($getNsg.SecurityRules[3].SourcePortRange).Count
Assert-AreEqual "150-160" $getNsg.SecurityRules[3].SourcePortRange[0]
Assert-AreEqual "170-180" $getNsg.SecurityRules[3].SourcePortRange[1]
Assert-AreEqual 2 @($getNsg.SecurityRules[3].DestinationPortRange).Count
Assert-AreEqual "190-200" $getNsg.SecurityRules[3].DestinationPortRange[0]
Assert-AreEqual "210-220" $getNsg.SecurityRules[3].DestinationPortRange[1]
Assert-AreEqual 1 @($getNsg.SecurityRules[3].SourceAddressPrefix).Count
Assert-AreEqual "Storage" $getNsg.SecurityRules[3].SourceAddressPrefix[0]
Assert-AreEqual 1 @($getNsg.SecurityRules[3].DestinationAddressPrefix).Count
Assert-AreEqual "Storage" $getNsg.SecurityRules[3].DestinationAddressPrefix[0]
Assert-AreEqual "Allow" $getNsg.SecurityRules[3].Access
Assert-AreEqual "127" $getNsg.SecurityRules[3].Priority
Assert-AreEqual "Inbound" $getNsg.SecurityRules[3].Direction

# verify rule 5
Assert-AreEqual "desciption" $getNsg.SecurityRules[4].Description
Assert-AreEqual "Ah" $getNsg.SecurityRules[4].Protocol
Assert-AreEqual 2 @($getNsg.SecurityRules[4].SourcePortRange).Count
Assert-AreEqual "230-240" $getNsg.SecurityRules[4].SourcePortRange[0]
Assert-AreEqual "250-260" $getNsg.SecurityRules[4].SourcePortRange[1]
Assert-AreEqual 2 @($getNsg.SecurityRules[4].DestinationPortRange).Count
Assert-AreEqual "270-280" $getNsg.SecurityRules[4].DestinationPortRange[0]
Assert-AreEqual "290-300" $getNsg.SecurityRules[4].DestinationPortRange[1]
Assert-AreEqual 1 @($getNsg.SecurityRules[4].SourceAddressPrefix).Count
Assert-AreEqual "Storage" $getNsg.SecurityRules[4].SourceAddressPrefix[0]
Assert-AreEqual 1 @($getNsg.SecurityRules[4].DestinationAddressPrefix).Count
Assert-AreEqual "Storage" $getNsg.SecurityRules[4].DestinationAddressPrefix[0]
Assert-AreEqual "Allow" $getNsg.SecurityRules[4].Access
Assert-AreEqual "129" $getNsg.SecurityRules[4].Priority
Assert-AreEqual "Inbound" $getNsg.SecurityRules[4].Direction

# list
$list = Get-AzNetworkSecurityGroup -ResourceGroupName $rgname
Assert-AreEqual 1 @($list).Count
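Review bot: the rule 4 and rule 5 verification blocks never assert the rule name, whereas rule 1 does (`Assert-AreEqual $securityRule1Name $getNsg.SecurityRules[0].Name`); since every assertion here indexes `SecurityRules[3]` and `SecurityRules[4]` by position, add `Assert-AreEqual $securityRule4Name $getNsg.SecurityRules[3].Name` and the rule 5 equivalent so that a reordering by the service fails on the name rather than on an unrelated field. The fourteen near-identical assertions per rule would also be easier to maintain as a small helper that takes the index, expected protocol, port ranges and priority.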
Expand All @@ -374,7 +412,7 @@ function Test-NetworkSecurityGroup-MultiValuedRules
# Delete NetworkSecurityGroup
$delete = Remove-AzNetworkSecurityGroup -ResourceGroupName $rgname -name $nsgName -PassThru -Force
Assert-AreEqual true $delete

$list = Get-AzNetworkSecurityGroup -ResourceGroupName $rgname
Assert-AreEqual 0 @($list).Count
}

5 changes: 5 additions & 0 deletions src/Network/Network/ChangeLog.md
Expand Up @@ -19,6 +19,11 @@
--->

## Upcoming Release
* Add support for ESP and AH protocols in network security rule configurations
- Updated cmdlets:
- Add-AzNetworkSecurityRuleConfig
- New-AzNetworkSecurityRuleConfig
- Set-AzNetworkSecurityRuleConfig
* Improve handling of exceptions in Cortex cmdlets
* Fix incorrect example in `New-AzApplicationGateway` reference documentation
* Add note in `Get-AzNetworkWatcherPacketCapture` reference documentation about retrieving all properties for a packet capture
Expand Up @@ -40,6 +40,8 @@ public class AzureNetworkSecurityRuleConfigBase : NetworkBaseCmdlet
MNM.SecurityRuleProtocol.Tcp,
MNM.SecurityRuleProtocol.Udp,
MNM.SecurityRuleProtocol.Icmp,
MNM.SecurityRuleProtocol.Esp,
MNM.SecurityRuleProtocol.Ah,
MNM.SecurityRuleProtocol.Asterisk,
IgnoreCase = true)]
[ValidateNotNullOrEmpty]
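Review bot: adding `MNM.SecurityRuleProtocol.Esp` and `MNM.SecurityRuleProtocol.Ah` to the ValidateSet on the shared `AzureNetworkSecurityRuleConfigBase` is enough for Add-/New-/Set-AzNetworkSecurityRuleConfig to accept the values (with `IgnoreCase = true` the test's `-Protocol Esp` and `-Protocol Ah` will match), but it depends on both constants existing in the referenced Microsoft.Azure.Management.Network SDK build, so confirm the SDK version bump is part of this PR; also update the `-Protocol` parameter help for those three cmdlets to list Esp and Ah alongside Tcp, Udp, Icmp and *, since ValidateSet only drives validation and tab completion, not the documentation users read.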