How to configure Azure firewall using CLI


Configuring Azure Network Security Groups using Azure CLI 2.0

UPDATE 2018-03-02: The Streisand project now supports fully automatic creation of VPN server instances on Azure. Hurray!

I’ve run into some problems recently while trying to set up multiple instances of Streisand VPN. It seems that on Microsoft Azure there’s no easy way to copy or export/import firewall (Network Security Group, NSG) configuration between different resource groups using the Azure Portal.

Fortunately, Azure has a CLI (version 2.0 at the time of writing) that can be used to set up network security groups in an automated fashion.

Choosing a subscription to use with the CLI

If you use Azure, chances are you have multiple subscriptions associated with your account. With the Azure CLI, you have to choose upfront which subscription subsequent commands will run against. To list the subscriptions available in your account, use:

$ az account list --output table

This will produce output like this:

$ az account list --output table
Name                                  CloudName    SubscriptionId                        State    IsDefault
------------------------------------  -----------  ------------------------------------  -------  -----------
Visual Studio Professional with MSDN  AzureCloud   XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX  Enabled  True
Visual Studio Enterprise with MSDN    AzureCloud   XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX  Enabled

To choose the default subscription, run:

$ az account set --subscription "Visual Studio Enterprise with MSDN"

This won’t produce any output; rerun az account list --output table and look at the IsDefault column if you want to make sure the subscription context has been switched successfully.

Setting up Network Security Group rules

The following script sets up all the rules needed by the current (April 2017) version of Streisand VPN. Assign the VM’s resource group name to RG_NAME and its network security group name to NSG_NAME.

#!/bin/sh
# Abort on the first failed command so a typo or an auth problem does not
# leave a half-applied rule set behind.
set -e

RG_NAME=phalanx-rg
NSG_NAME=phalanx-nsg

# Every rule below relies on the CLI defaults for what it does not specify:
# direction Inbound, access Allow, source address '*' (any) and source port '*'.
# Priorities must be unique within the NSG (per direction) and lie in 100-4096.

# HTTPS (Streisand Gateway)
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-https \
	--priority 1010 \
	--destination-port-range 443 \
	--protocol Tcp

# L2TP-IPSEC (IKE, L2TP, NAT-T)
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-l2tp-ipsec-1 \
	--priority 1021 \
	--destination-port-range 500 \
	--protocol Udp
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-l2tp-ipsec-2 \
	--priority 1022 \
	--destination-port-range 1701 \
	--protocol Udp
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-l2tp-ipsec-3 \
	--priority 1023 \
	--destination-port-range 4500 \
	--protocol Udp

# OpenVPN
# (not adding DNS rule)
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-openvpn-1 \
	--priority 1031 \
	--destination-port-range 636 \
	--protocol Tcp
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-openvpn-2 \
	--priority 1032 \
	--destination-port-range 8757 \
	--protocol Udp

# OpenConnect / Cisco AnyConnect ('*' = both TCP and UDP)
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-openconnect \
	--priority 1040 \
	--destination-port-range 4443 \
	--protocol '*'

# Shadowsocks
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-shadowsocks \
	--priority 1050 \
	--destination-port-range 8530 \
	--protocol Tcp

# Stunnel
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-stunnel \
	--priority 1060 \
	--destination-port-range 993 \
	--protocol Tcp

# Tor (bridge and obfs4 pluggable transport)
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-tor-1-bridge \
	--priority 1071 \
	--destination-port-range 8443 \
	--protocol Tcp
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-tor-2-obfs4 \
	--priority 1072 \
	--destination-port-range 9443 \
	--protocol Tcp

# WireGuard
# (not adding DNS rule)
az network nsg rule create --resource-group $RG_NAME --nsg-name $NSG_NAME \
	--name allow-wireguard \
	--priority 1080 \
	--destination-port-range 51820 \
	--protocol Udp
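The same rule set expressed as a table that is validated locally before any Azure CLI call, as an added example that is not part of the original post or the Streisand project. It assumes only a POSIX shell with awk; the function and variable names are mine, and RG_NAME/NSG_NAME default to the placeholder names used above.

```shell
#!/bin/sh
# Added example, not from the original post: the Streisand rules from the
# script above as a table that is checked before any Azure CLI call, since
# Azure rejects a priority outside 100-4096 or one already used by another
# rule in the same direction. RG_NAME and NSG_NAME default to the post's names.

RG_NAME=${RG_NAME:-phalanx-rg}
NSG_NAME=${NSG_NAME:-phalanx-nsg}

# Columns: name  priority  destination-port  protocol ('*' = any)
STREISAND_RULES='
allow-https         1010 443   Tcp
allow-l2tp-ipsec-1  1021 500   Udp
allow-l2tp-ipsec-2  1022 1701  Udp
allow-l2tp-ipsec-3  1023 4500  Udp
allow-openvpn-1     1031 636   Tcp
allow-openvpn-2     1032 8757  Udp
allow-openconnect   1040 4443  *
allow-shadowsocks   1050 8530  Tcp
allow-stunnel       1060 993   Tcp
allow-tor-1-bridge  1071 8443  Tcp
allow-tor-2-obfs4   1072 9443  Tcp
allow-wireguard     1080 51820 Udp
'

# validate_rules TABLE: non-zero exit, with a message, on a bad or duplicate priority
validate_rules() {
    printf '%s\n' "$1" | awk 'NF == 4 {
        if ($2 !~ /^[0-9]+$/ || $2 < 100 || $2 > 4096) { print "bad priority: " $0; bad = 1 }
        if (seen[$2]++) { print "duplicate priority: " $0; bad = 1 }
    } END { exit bad }'
}

# rule_cmd NAME PRIORITY PORT PROTO: one inbound allow rule, with direction and
# access spelled out rather than left to CLI defaults (source stays '*' = any)
rule_cmd() {
    printf "az network nsg rule create --resource-group '%s' --nsg-name '%s' --name '%s' --priority %s --destination-port-range %s --protocol '%s' --direction Inbound --access Allow\n" \
        "$RG_NAME" "$NSG_NAME" "$1" "$2" "$3" "$4"
}

# apply_rules TABLE: validate, then print one az command per rule (pipe into sh to run)
apply_rules() {
    validate_rules "$1" || return 1
    printf '%s\n' "$1" | while read -r name prio port proto; do
        [ -n "$name" ] || continue
        rule_cmd "$name" "$prio" "$port" "$proto"
    done
}

apply_rules "$STREISAND_RULES"
```

Run it once to review the generated commands, then pipe its output into sh after az account set has selected the right subscription.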

You can find all the code from this post in this Gist. If you have any comments, the About page has some info on how to reach me.

If you like this post, send me a postcard!