
How to get the NIC details for Application Security Group / Resource Group

I'm looking for a PowerShell command which is used to list out the relationship between the network interface card and its associated application security group / resource group. I use the following commands and it only displays the VMName, IPAddress. The Application Security Group is not shown.

I already use -ExpandProperty ApplicationSecurityGroups but it still doesn't work.

$nics = Get-AzureRmNetworkInterface -ResourceGroupName "My-RG"

foreach($nic in $nics)
{
    $vm = $vms | where-object -Property Id -EQ $nic.VirtualMachine.id
    $Name = $nic.Name
    $prv =  $nic.IpConfigurations | select-object -ExpandProperty PrivateIpAddress
    $alloc =  $nic.IpConfigurations | select-object -ExpandProperty PrivateIpAllocationMethod
    $asc =  $nic.IpConfigurations | select-object -ExpandProperty ApplicationSecurityGroups
    Write-Output "$Name, $prv , $asc"
}

It is quite hard to retrospectively query members of an ASG; the property is contained in arrays within arrays in the NIC configuration. I found an AZ CLI command to retrieve this, hope it saves some time.

az network nic list --query '[].{Name:name,ASG:ipConfigurations[0].applicationSecurityGroups[].id}'

I've just tested your commands and I can get the application security group successfully, from a machine that is configured with an ASG. However, that will only work if you have put the VM in an ASG. ASGs are there to provide micro-segmentation inside a subnet, so you can group your app servers, DBs etc. together and apply NSG rules to groups rather than single servers.

If instead, you want to know what NSG the VM is in, you need a different command. NSGs are the resource that attaches to a VM or NIC and acts like a firewall. If you want that then you need to run:

$nsg =  $nic | select-object -ExpandProperty NetworkSecurityGroup

However, this is only going to get you the NSG applied to the VM; you can also apply these at the VM level, so you are better off running this command:

$effectiveRules = Get-AzureRmEffectiveNetworkSecurityGroup -NetworkInterfaceName <nicName> -ResourceGroupName <resourceGroup>
$effectiveRules.NetworkSecurityGroup

This will list all NSGs applied either at NIC or Subnet level.

The thing is that you can only get the ASG information from the property IpConfigurationsText as a string, so you'll need to update your query to this:

$nics = Get-AzureRmNetworkInterface -ResourceGroupName "My-RG"

foreach($nic in $nics)
{
    $GetAzureNIC = Get-AzureRmNetworkInterface -ResourceGroupName "My-RG" -Name $nic.Name
    $Name = $nic.Name
    $prv =  $nic.IpConfigurations.PrivateIpAddress
    $alloc =  $nic.IpConfigurations.PrivateIpAllocationMethod
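    # IpConfigurationsText is the JSON form of the IP configurations; @() keeps zero, one or many ASG IDs as an array
    $asgResourceID = @(($GetAzureNIC.IpConfigurationsText | ConvertFrom-Json).ApplicationSecurityGroups.Id | Where-Object { $_ })
    # Resolve each ID to its name; a NIC with no ASG yields an empty list instead of an error
    $asgName = $asgResourceID | ForEach-Object { (Get-AzureRmResource -ResourceId $_).Name }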
    Write-Output "$Name, $prv, $alloc, $asgName, $asgResourceID"
}

EDIT: I've noticed that you also want to get the allocation method but don't use it in the Write-Output, and updated the query to include both ASG name and ASG resource ID; pick whichever you need.
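
The answers above read ASGs per NIC; for a segmentation review the reverse view (which NICs sit in each ASG, and which sit in none) is usually what is needed. The following is an added example, not code from any of the posts: the function name Get-AsgMembership is hypothetical, and the sample JSON is constructed to mirror the NIC / IpConfigurations / ApplicationSecurityGroups nesting the answers describe, with placeholder resource IDs.

```powershell
# Constructed sample: two NICs with the nesting described above
# (IpConfigurations[].ApplicationSecurityGroups[].Id). IDs are placeholders.
$sampleJson = @'
[
  { "Name": "web01-nic",
    "IpConfigurations": [
      { "Name": "ipconfig1", "PrivateIpAddress": "10.0.1.4",
        "ApplicationSecurityGroups": [
          { "Id": "/subscriptions/<sub-id>/resourceGroups/My-RG/providers/Microsoft.Network/applicationSecurityGroups/asg-web" },
          { "Id": "/subscriptions/<sub-id>/resourceGroups/My-RG/providers/Microsoft.Network/applicationSecurityGroups/asg-mgmt" } ] } ] },
  { "Name": "db01-nic",
    "IpConfigurations": [
      { "Name": "ipconfig1", "PrivateIpAddress": "10.0.2.4",
        "ApplicationSecurityGroups": [] } ] }
]
'@

function Get-AsgMembership {
    # Hypothetical helper: flattens NIC -> IP configuration -> ASG into one row per pairing.
    param([Parameter(Mandatory)] [object[]] $Nic)

    foreach ($n in $Nic) {
        foreach ($ipc in $n.IpConfigurations) {
            # @() keeps zero, one or many ASG references as an array
            $asgs = @($ipc.ApplicationSecurityGroups | Where-Object { $_ -and $_.Id })
            if ($asgs.Count -eq 0) {
                # Surface NICs outside every ASG: NSG rules that reference an ASG do not match them
                [pscustomobject]@{ Asg = '(none)'; Nic = $n.Name; IpConfig = $ipc.Name; PrivateIp = $ipc.PrivateIpAddress }
                continue
            }
            foreach ($asg in $asgs) {
                [pscustomobject]@{
                    Asg       = ($asg.Id -split '/')[-1]   # last segment of the resource ID is the ASG name
                    Nic       = $n.Name
                    IpConfig  = $ipc.Name
                    PrivateIp = $ipc.PrivateIpAddress
                }
            }
        }
    }
}

$nics = $sampleJson | ConvertFrom-Json
Get-AsgMembership -Nic $nics | Sort-Object Asg, Nic | Format-Table -AutoSize
```

Unlike the az query in the first answer, which reads only ipConfigurations[0], this walks every IP configuration on each NIC.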
