[NSG] Creating new rules seems a little too verbose


This is more of an observation issue, but I’ve noticed that when using the az network nsg rule create command, it feels a little overly verbose to do simple things. For example, to enable incoming SSH, you need to run the following:

az network nsg rule create -g <GROUP> \
  -n <NAME> \
  --access allow \
  --destination-address-prefix '*' \
  --destination-port-range 22 \
  --direction inbound \
  --nsg-name <NSG> \
  --protocol tcp \
  --source-address-prefix '*' \
  --source-port-range '*' \
  --priority 1000

The az vm create command simplifies this by auto-enabling SSH for you (by default), but ideally, the underlying commands for managing NSG rules would be as simplified as possible as well, since many users might want to manage their NSG rules as part of a VNet, instead of relying on the az vm create command to handle that at the VM level.

I’m not sure what the best solution is here, but it would be great to determine whether any of the currently required parameters could have sensible defaults given to them and/or if the CLI could provide a “service” concept like the portal has, where you can add rules for well-known protocols, which would in turn provide even more sensible defaults to the above (e.g. it would know that SSH uses port 22 by default).

Note: Inversely, the --priority flag does in fact provide a default value, but it’s a “static value” (it’s always 1000), and therefore, you can only rely on the default value for the first rule you add to an NSG, or else you’ll receive a conflict. This behavior is kind of odd (at least to me), and so, I’ve begun to not rely on that default.

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

1 reaction
tjprescott commented, Jan 31, 2017

@lostintangent please take a look at this proposed help text for rule create:

Command
    az network nsg rule create: Create a new NSG rule.

Arguments
    --name -n           [Required]: Name of the network security group rule.
    --nsg-name          [Required]: Name of the network security group.
    --priority          [Required]: Rule priority, between 100 (highest priority) and 4096 (lowest
                                    priority). Must be unique for each rule in the collection.
    --resource-group -g [Required]: Name of resource group.
    --access                      : Allowed values: Allow, Deny.  Default: Allow.
    --description                 : Rule description.
    --direction                   : Allowed values: Inbound, Outbound.  Default: Inbound.
    --protocol                    : Network protocol this rule applies to.  Allowed values: *, Tcp,
                                    Udp.  Default: *.

Destination Arguments
    --destination-address-prefix  : CIDR prefix or IP range. Use '*' to match all IPs. Can also use
                                    'VirtualNetwork', 'AzureLoadBalancer', and 'Internet'.  Default:
                                    *.
    --destination-port-range      : Port or port range between 0-65535. Use '*' to match all ports.
                                    Default: 80.

Source Arguments
    --source-address-prefix       : CIDR prefix or IP range. Use '*' to match all IPs. Can also use
                                    'VirtualNetwork', 'AzureLoadBalancer', and 'Internet'.  Default:
                                    *.
    --source-port-range           : Port or port range between 0-65535. Use '*' to match all ports.
                                    Default: *.

From 11 required parameters to 4. I applied Xplat’s defaults, which essentially results in allowing inbound traffic from everywhere on port 80. It also removes the pointless default for priority.

0 reactions
lostintangent commented, Jan 31, 2017

That looks amazing! Huge improvement 😃
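
The two pain points raised in this thread, the fixed priority default that collides on the second rule and the missing "service" shortcut, can be handled in a small wrapper. The sketch below is an added example, not code from the issue or from the Azure CLI: the function names are hypothetical, the sample priorities are constructed, and it only prints the `az` command (using the flags shown in the issue) instead of running it. It requires the source prefix to be passed explicitly rather than defaulting it to `*`.

```shell
# Added example; function names are hypothetical, sample data is constructed.

# Print the lowest unused priority in 100..4096, from $1 (default 1000) in steps of $2.
# Existing priorities arrive on stdin, one per line, e.g. from
#   az network nsg rule list -g <GROUP> --nsg-name <NSG> --query "[].priority" -o tsv
next_priority() {
  np_p=${1:-1000}; np_step=${2:-10}
  np_used=" $(tr -s '[:space:]' ' ') "
  [ "$np_p" -ge 100 ] || np_p=100
  [ "$np_step" -ge 1 ] || np_step=1
  while [ "$np_p" -le 4096 ]; do
    case "$np_used" in
      *" $np_p "*) np_p=$((np_p + np_step)) ;;   # taken, try the next slot
      *) echo "$np_p"; return 0 ;;
    esac
  done
  return 1                                       # nothing free in range
}

# Default TCP port for a well-known service (the "service" idea from the issue).
service_port() {
  case "$1" in
    ssh) echo 22 ;;
    http) echo 80 ;;
    https) echo 443 ;;
    rdp) echo 3389 ;;
    *) return 1 ;;
  esac
}

# Print (do not run) the create command. Args: group nsg service source-prefix priority.
allow_service_cmd() {
  asc_port=$(service_port "$3") || { echo "unknown service: $3" >&2; return 1; }
  [ -n "$4" ] || { echo "source prefix must be given explicitly" >&2; return 1; }
  printf "az network nsg rule create -g %s --nsg-name %s -n allow-%s \
--access allow --direction inbound --protocol tcp \
--source-address-prefix '%s' --source-port-range '*' \
--destination-address-prefix '*' --destination-port-range %s --priority %s\n" \
    "$1" "$2" "$3" "$4" "$asc_port" "$5"
}

# Constructed sample: priorities already used in an NSG; 203.0.113.0/24 is a
# documentation range standing in for an admin network.
existing='1000
1010
1030'
prio=$(printf '%s\n' "$existing" | next_priority 1000 10)
allow_service_cmd '<GROUP>' '<NSG>' ssh 203.0.113.0/24 "$prio"
```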
