To get the restricted IPs for a web app in Azure PowerShell - azure-powershell

Is there any way to get the restricted IPs for the web apps in Azure using PowerShell cmdlets?

Here is a function that shows all Azure Web App IP restrictions in the subscription, for your reference.
function Get-WebAppIPRestrictions {
    if (!(Get-AzureRmContext)) {
        Write-Host "Please login to your Azure account"
        Login-AzureRmAccount
    }
    # Use the newest API version the Microsoft.Web/sites resource type advertises
    $APIVersion = ((Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]
    $WebApps = Get-AzureRmWebApp
    foreach ($WebApp in $WebApps) {
        $WebAppName   = $WebApp.SiteName
        $WebAppRGName = $WebApp.ResourceGroup
        $WebAppConfig = Get-AzureRmResource -ResourceType Microsoft.Web/sites/config -ResourceName $WebAppName -ResourceGroupName $WebAppRGName -ApiVersion $APIVersion
        $IpSecurityRestrictions = $WebAppConfig.Properties.ipsecurityrestrictions
        if ($null -eq $IpSecurityRestrictions) {
            Write-Host "No IP restrictions found for WebApp $WebAppName ."
        }
        else {
            Write-Host "IP restrictions set for WebApp $WebAppName : "
            $IpSecurityRestrictions
        }
    }
}
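As an added example (not part of the answer above), the same ipSecurityRestrictions array can be checked for settings that leave a site exposed: an empty list, or an Allow rule whose address is Any or 0.0.0.0/0. Test-WebAppIpRestrictions is a constructed name, and the sample rule objects below are constructed to match the shape of the Properties.ipSecurityRestrictions entries.

```powershell
# Added example: audit the Properties.ipSecurityRestrictions array read by the function above.
# Test-WebAppIpRestrictions is a constructed helper, not an Az cmdlet.
function Test-WebAppIpRestrictions {
    param(
        [Parameter(Mandatory)][string]$WebAppName,
        # The ipSecurityRestrictions array from Microsoft.Web/sites/config; $null or empty is allowed
        [AllowNull()][object[]]$Restrictions
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # With no rules App Service performs no filtering at all, so the site accepts any source address.
    if (-not $Restrictions -or $Restrictions.Count -eq 0) {
        $findings.Add('no access restrictions configured; the site accepts traffic from any address')
        return [pscustomobject]@{ WebApp = $WebAppName; Findings = $findings }
    }

    foreach ($r in $Restrictions) {
        $addr = [string]$r.ipAddress
        # Once rules exist an implicit Deny applies to unmatched traffic, so the only way a rule set
        # stays wide open is an explicit Allow whose address matches every source.
        if ($r.action -eq 'Allow' -and $addr -in @('Any', '0.0.0.0/0', '*')) {
            $findings.Add(("rule '{0}' (priority {1}) allows every source address" -f $r.name, $r.priority))
        }
    }
    [pscustomobject]@{ WebApp = $WebAppName; Findings = $findings }
}

# Constructed sample input shaped like Properties.ipSecurityRestrictions entries.
$sampleOpen = @(
    [pscustomobject]@{ name = 'allow-office'; ipAddress = '203.0.113.0/24'; action = 'Allow'; priority = 100 },
    [pscustomobject]@{ name = 'allow-all';    ipAddress = 'Any';            action = 'Allow'; priority = 200 }
)
$sampleLocked = @(
    [pscustomobject]@{ name = 'allow-office'; ipAddress = '203.0.113.0/24'; action = 'Allow'; priority = 100 }
)

Test-WebAppIpRestrictions -WebAppName 'contoso-web'    -Restrictions $sampleOpen    # contains a wide-open Allow
Test-WebAppIpRestrictions -WebAppName 'contoso-api'    -Restrictions $sampleLocked  # a single /24 Allow
Test-WebAppIpRestrictions -WebAppName 'contoso-legacy' -Restrictions $null          # no rules at all
```

Against a live subscription, feed it `$WebAppConfig.Properties.ipsecurityrestrictions` from the function above.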

Related

NSG Rule Automation Powershell

I'm trying to automate my NSG rules and find out wrong NSG rules. Here I'm trying to find whether the source IP address is added or not, but the code gets executed and deletes the rules even if the IP addresses are available.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName Testingday4
$nsgRules = Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg
foreach($nsgRule in $nsgRules)
{
    if($nsgRule.Direction -eq "inbound" -and {$_.DestinationPortRange -eq -split ('') -or $_.DestinationAddressPrefix -ne $null}){
        $nsgRule.Name
        Remove-AzNetworkSecurityRuleConfig -Name $nsgRule.Name -NetworkSecurityGroup $nsg
    }
}
$nsg | Set-AzNetworkSecurityGroup
I tried to reproduce this in my environment by deleting the rule which has a source address prefix value of, for example, "10.0.0.0/24".
I could remove that NSG rule successfully using the below PowerShell script.
Run the below script to delete the specific source IP prefix:
Get-AzSubscription
Set-AzContext -SubscriptionId "Subscription ID"
$RGname  = "Resource Group Name"
$nsgname = "NSG Name"
$nsg = Get-AzNetworkSecurityGroup -Name $nsgname -ResourceGroupName $RGname
# Snapshot the rule list with @(): Remove-AzNetworkSecurityRuleConfig edits $nsg.SecurityRules in place
foreach($rule in @($nsg.SecurityRules))
{
    $rname   = $rule.Name
    $raddpre = $rule.SourceAddressPrefix   # a list; a rule may carry several prefixes
    if($raddpre -contains "10.0.0.0/24")
    {
        Remove-AzNetworkSecurityRuleConfig -Name $rname -NetworkSecurityGroup $nsg
    }
}
$nsg | Set-AzNetworkSecurityGroup
The rule got deleted after executing the script.
In order to create the rule with PowerShell, use the below script:
$rulename = "Rule Name"   # placeholder
$port = 8080              # placeholder destination port
# Add the inbound security rule.
$nsg | Add-AzNetworkSecurityRuleConfig -Name $rulename -Description "Allow app port" -Access Allow `
    -Protocol * -Direction Inbound -Priority 3891 -SourceAddressPrefix "*" -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange $port
# Update the NSG.
$nsg | Set-AzNetworkSecurityGroup
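As an added example (not code from either post above), here is the rule selection written with an explicit predicate, plus a removal step that supports -WhatIf so the match can be reviewed before anything is deleted. Find-NsgRulesBySource and Remove-NsgRulesBySource are constructed names; the sample rule objects mimic the SecurityRules entries that Get-AzNetworkSecurityGroup returns.

```powershell
# Added example: select NSG rules by direction and source prefix, then remove them only after a dry run.
function Find-NsgRulesBySource {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Rules,  # e.g. $nsg.SecurityRules
        [Parameter(Mandatory)][string]$SourcePrefix,                       # e.g. "10.0.0.0/24"
        [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound'
    )
    # Each condition is a real comparison. A {...} script block placed inside -and, as in the
    # question's code, is always truthy and therefore matches every rule.
    # SourceAddressPrefix is a list, so test membership with -contains rather than -eq.
    $Rules | Where-Object {
        $_.Direction -eq $Direction -and @($_.SourceAddressPrefix) -contains $SourcePrefix
    }
}

function Remove-NsgRulesBySource {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]$Nsg,                   # object from Get-AzNetworkSecurityGroup
        [Parameter(Mandatory)][string]$SourcePrefix
    )
    # Snapshot with @(): Remove-AzNetworkSecurityRuleConfig edits $Nsg.SecurityRules in place,
    # and enumerating a collection while it changes throws.
    $hits = @(Find-NsgRulesBySource -Rules @($Nsg.SecurityRules) -SourcePrefix $SourcePrefix)
    foreach ($rule in $hits) {
        if ($PSCmdlet.ShouldProcess($rule.Name, "Remove inbound rule with source $SourcePrefix")) {
            Remove-AzNetworkSecurityRuleConfig -Name $rule.Name -NetworkSecurityGroup $Nsg | Out-Null
        }
    }
    # Nothing is persisted until the NSG is written back; skip that under -WhatIf.
    if ($hits.Count -gt 0 -and -not $WhatIfPreference) { $Nsg | Set-AzNetworkSecurityGroup | Out-Null }
    $hits.Name
}

# Constructed sample rules shaped like PSSecurityRule entries: two inbound rules carry the prefix,
# one outbound rule carries it, and one inbound rule has a different prefix.
$sampleRules = @(
    [pscustomobject]@{ Name = 'allow-branch'; Direction = 'Inbound';  SourceAddressPrefix = @('10.0.0.0/24') },
    [pscustomobject]@{ Name = 'allow-mgmt';   Direction = 'Inbound';  SourceAddressPrefix = @('10.1.0.0/24', '10.0.0.0/24') },
    [pscustomobject]@{ Name = 'egress';       Direction = 'Outbound'; SourceAddressPrefix = @('10.0.0.0/24') },
    [pscustomobject]@{ Name = 'allow-vpn';    Direction = 'Inbound';  SourceAddressPrefix = @('192.168.0.0/16') }
)
(Find-NsgRulesBySource -Rules $sampleRules -SourcePrefix '10.0.0.0/24').Name
```

Against a real NSG, run `Remove-NsgRulesBySource -Nsg $nsg -SourcePrefix '10.0.0.0/24' -WhatIf` first and drop the switch once the listed names are the intended ones.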

How to enable auto scaling for SQL app in Azure Portal

I am looking to allow auto-scaling for my SQL DB app in the Azure portal so that it increases to 200 DTUs on a particular day and then automatically scales back down to 20. I seem to be getting confused as to how to go about it, as I'm aware I will need to use the Azure CLI also. Any help would be much appreciated.
If you want to scale SQL in Azure on some schedule, I would recommend you prepare the Automation service with a PowerShell script and schedules connected to that runbook. Also you would need to configure the Run As options.
I personally use this script to scale the DB up and down on a daily basis.
## Authentication
Write-Output ""
Write-Output "------------------------ Authentication ------------------------"
Write-Output "Logging into Azure ..."
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
## DB Part
$vCores = 18
$currentTier = "GP_Gen5"
$size = 200
$resourceGroup = ""
$serverName = ""
$databaseName = ""
$db_size = "GP_Gen5_4"
Write-Output "Changing DB type to GP_Gen5_4"
Set-AzureRmSqlDatabase `
    -ServerName $serverName `
    -ResourceGroupName $resourceGroup `
    -DatabaseName $databaseName `
    -RequestedServiceObjectiveName $db_size
# Alternatively build the objective name from tier and core count: -RequestedServiceObjectiveName "${currentTier}_$vCores"
Write-Output "Writing current DB parameters"
Get-AzureRmSqlDatabase `
    -ServerName $serverName `
    -ResourceGroupName $resourceGroup `
    -DatabaseName $databaseName

Running sqlcmd against the WID in PowerShell remotely

I am fighting with WSUS and trying to set up a script to manage the maintenance of SUSDB on multiple servers in our remote sites. We have servers on multiple versions and multiple OSes, so it gets a bit complicated. The newer ones (post 2008 R2) work with no issues; however, the Server 2008s have an issue:
I run this locally or in an interactive remote session and it works as expected, but if I nest the Invoke-Command to run it in a remote session as per below, it errors out with the following:
HResult 0x2, Level 16, State 1
Named Pipes Provider: Could not open a connection to SQL Server [2].
Sqlcmd: Error: Microsoft SQL Server Native Client 10.0 : A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online..
Sqlcmd: Error: Microsoft SQL Server Native Client 10.0 : Login timeout expired
I have hunted around for days and tried all the permutations I can think of, but here's what I have:
$SQLPath = "C:\Users\<username>\Documents\SQL Server Management Studio\"
$SQLfile = "SUSDB-ReIndex.sql"
$WsusSvrs = ("WSUS-Site1","WSUS-Site7","WSUS-Site13","WSUS-Site14","WSUS-Site15")
$ErrorActionPreference = "Stop"
$results = @()
Foreach ($WSUSSvr in $WSUSSvrs) {
    Try {
        $sess = New-PSSession -ComputerName $WSUSSvr -EnableNetworkAccess -ErrorAction Stop
    }
    Catch {
        continue;
    }
    $output = Invoke-Command -Session $sess -ScriptBlock {
        If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
            $arguments = "& '" + $myinvocation.mycommand.definition + "'"
            Start-Process powershell -Verb runAs -ArgumentList $arguments
            Break
        }
        # Get-Command returns $null (not "") when the executable is missing
        If (-not (Get-Command SQLcmd.exe -ErrorAction SilentlyContinue)) {
            $NoSQLCmd = New-Object System.IO.FileNotFoundException("SQLcmd is not Installed on this machine, please install the appropriate version and try again")
            Throw $NoSQLCmd
        }
        $Output = New-Object psobject
        $OSVerStr = (Gwmi win32_operatingsystem).version.split(".")
        [single]$OS = [convert]::ToSingle(($OSVerStr[0],$OSVerStr[1] -join "."))
        $Output | Add-Member -MemberType NoteProperty -Name OSVer -Value $OS
        # WID (2012+) and the older Windows Internal Database (SSEE) listen on different named pipes
        if ($OS -gt 6.1) {
            $conStr = "\\.\pipe\Microsoft##WID\tsql\query"
        }
        Else {
            $conStr = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'
        }
        if (Test-Path "$using:SQLPath\$Using:SQLfile") {
            $cmd = "sqlcmd.exe -S $ConStr -i '$Using:SQLPath\$Using:SQLfile' -d 'SUSDB' -E -o 'C:\temp\$Using:WSUSSvr-reindexout.txt'"
            Invoke-Expression $cmd
            $output | Add-Member -MemberType NoteProperty -Name Message -Value "done"
        }
        else {
            $output | Add-Member -MemberType NoteProperty -Name Message -Value "Unable to find $Using:sqlfile"
        }
        $Output
    } -ArgumentList $SQLPath,$SQLfile,$WSUSSvr
    $results += $output
    if (Test-Path "\\$wsussvr\C$\temp\$WSUSSvr-reindexout.txt") {
        cp "\\$wsussvr\C$\temp\$WSUSSvr-reindexout.txt" "D:\wsus-reports\" -Force
    }
    If ( $sess.State -eq "Opened" ) { Remove-PSSession $sess }
}
$results | ft
I know we should be shot of the 2008 boxes by now, but there's a niche product vendor and some budget issues in replacing the boxes.
On line 35 I see the following:
Else {
    $conStr = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'
}
Could you try running it without np: in front of it?
Else {
    $conStr = '\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'
}

Get All blob names from Storage account from Runbook

I have a very simple script which absolutely works fine when run from the remote PowerShell ISE (not using the Run As credentials from the Automation runbook), but when we try to run it from the Automation runbook it returns 0. Following is the code:
$connectionName = "AzureRunAsConnection"
$SubId = "XXXXXXXXXXXXXXXXXX"
try
{
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    Write-Verbose "Logging in to Azure..." -Verbose
    Connect-AzAccount -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint -ApplicationId $servicePrincipalConnection.ApplicationId -Tenant $servicePrincipalConnection.TenantId -ServicePrincipal
    Write-Verbose "Setting Subscription......" -Verbose
    Set-AzContext -SubscriptionId $SubId | Write-Verbose
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
# Resource group name for the storage account
$ResourceGroup = "MYDEV01-RG"
# Storage account name
$StorageAccountName = "myDev01StrgName"
# Container name for analytics logs
$ContainerName = "`$logs"
# Look up the account only after its name and resource group are set
$storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccountName -ErrorAction SilentlyContinue
$storageContext = $storageAccount.Context
$containers = New-Object System.Collections.ArrayList
Get-AzStorageContainer -Context $storageContext -Name $ContainerName -ErrorAction SilentlyContinue |
    ForEach-Object { $containers.Add($_) } | Out-Null
Write-Output ("> Container count: {0}" -f $containers.Count)
Not sure if we are missing something like permissions or some other thing, because with the Automation Account (Runbook) it is not working. Any help?
Thank you,
After spending 24 hours on this one and staring and trying everything, it turned out that the ABOVE SCRIPT is correct and nothing is wrong in it, but the STORAGE ACCOUNT's FIREWALL and NETWORK settings were set to SELECTED NETWORKS (you can either add the network IP addresses which you want to permit or select All Networks, and that helped me resolve my issue). In NO WAY am I suggesting SELECTING ALL NETWORKS, but for testing we can, and then add only the selected networks and that should work.
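As an added example (not part of the post above), this checks a storage account's network rule set and reports why a given caller would be refused, instead of switching the account to All networks. Test-StorageNetworkRules is a constructed name; the rule-set object shape it reads (DefaultAction, IpRules with IPAddressOrRange and Action, VirtualNetworkRules) is what Get-AzStorageAccountNetworkRuleSet returns, and the sample values are constructed.

```powershell
# Added example: explain a storage firewall verdict for a caller IP instead of opening all networks.
function Test-StorageNetworkRules {
    param(
        [Parameter(Mandatory)]$RuleSet,          # from Get-AzStorageAccountNetworkRuleSet
        [Parameter(Mandatory)][string]$CallerIp  # public IPv4 the runbook or worker egresses from
    )
    # IPv4 helpers: IpRules carry single addresses or CIDR ranges in IPAddressOrRange.
    $toInt = {
        param($a) $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
    }
    $inRange = {
        param($ip, $range)
        $prefix, $bits = $range.Split('/'); if (-not $bits) { $bits = 32 }   # bare address = /32
        $mask = ([int64]4294967295 -shl (32 - [int]$bits)) -band 4294967295
        ((& $toInt $ip) -band $mask) -eq ((& $toInt $prefix) -band $mask)
    }

    $ipHits = @($RuleSet.IpRules | Where-Object {
        $_.Action -eq 'Allow' -and (& $inRange $CallerIp $_.IPAddressOrRange) })

    $verdict = if ($RuleSet.DefaultAction -eq 'Allow') {
        'DefaultAction is Allow: every network is admitted (the "All networks" setting)'
    } elseif ($ipHits.Count -gt 0) {
        "admitted by IP rule(s) $($ipHits.IPAddressOrRange -join ', ')"
    } else {
        'DefaultAction is Deny and no IP rule covers the caller: requests are refused. ' +
        'Add an IP rule for this address or run the job from a Hybrid Runbook Worker in an allowed VNet.'
    }
    [pscustomobject]@{
        CallerIp      = $CallerIp
        DefaultAction = $RuleSet.DefaultAction
        VnetRules     = @($RuleSet.VirtualNetworkRules).Count
        Verdict       = $verdict
    }
}

# Constructed sample mirroring a "Selected networks" account with one allowed office range.
$sampleRuleSet = [pscustomobject]@{
    DefaultAction       = 'Deny'
    Bypass              = 'AzureServices'
    IpRules             = @([pscustomobject]@{ IPAddressOrRange = '203.0.113.0/24'; Action = 'Allow' })
    VirtualNetworkRules = @()
}
Test-StorageNetworkRules -RuleSet $sampleRuleSet -CallerIp '203.0.113.25'  # inside the allowed /24
Test-StorageNetworkRules -RuleSet $sampleRuleSet -CallerIp '198.51.100.7'  # outside it
```

For a live account, pass `(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccountName)` as -RuleSet together with the address the runbook egresses from.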

Create point-to-site connection for all web apps slots using powershell

I'm following the tutorial from here https://azure.microsoft.com/pl-pl/documentation/articles/app-service-vnet-integration-powershell/
where I have a script which allows me to connect multiple web apps with a VNet.
The issue is our web apps have a few deployment slots, and when this script is run it only updates the currently used slot.
I wasn't able to get the web app from a different slot by name, and I also don't see any parameter which would apply my configuration to all slots.
Script for reference:
function ConnectWebAppWithVNet
{
    param(
        $SubscriptionId,
        $VNetResourceGroupName,
        $AppResourceGroupName,
        $WebAppName,
        $VNetName,
        $GatewayName,
        $P2SRootCertName2,
        $MyP2SCertPubKeyBase64_2
    )
    $webApp = Get-AzureRmResource -ResourceName $WebAppName -ResourceType "Microsoft.Web/sites" -ApiVersion 2015-08-01 -ResourceGroupName $AppResourceGroupName
    $location = $webApp.Location
    $vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $VNetResourceGroupName
    $gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $vnet.ResourceGroupName -Name $GatewayName
    # validate gateway types, etc.
    if($gateway.GatewayType -ne "Vpn")
    {
        Write-Error "This gateway is not of the Vpn type. It cannot be joined to an App."
        return
    }
    if($gateway.VpnType -ne "RouteBased")
    {
        Write-Error "This gateway's Vpn type is not RouteBased. It cannot be joined to an App."
        return
    }
    if($null -eq $gateway.VpnClientConfiguration -or $null -eq $gateway.VpnClientConfiguration.VpnClientAddressPool)
    {
        Write-Host "This gateway does not have a Point-to-site Address Range. Please specify one in CIDR notation, e.g. 10.0.0.0/8"
        return
    }
    Write-Host "Creating App association to VNET"
    $propertiesObject = @{
        "vnetResourceId" = "/subscriptions/$($SubscriptionId)/resourceGroups/$($vnet.ResourceGroupName)/providers/Microsoft.Network/virtualNetworks/$($VNetName)"
    }
    $virtualNetwork = New-AzureRmResource -Location $location -Properties $propertiesObject -ResourceName "$($WebAppName)/$($vnet.Name)" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections" -ApiVersion 2015-08-01 -ResourceGroupName $AppResourceGroupName -Force
    # We need to check if the certificate here exists in the gateway.
    $certificates = $gateway.VpnClientConfiguration.VpnClientRootCertificates
    $certFound = $false
    foreach($certificate in $certificates)
    {
        if($certificate.PublicCertData -eq $virtualNetwork.Properties.CertBlob)
        {
            $certFound = $true
            break
        }
    }
    if(-not $certFound)
    {
        Write-Host "Adding certificate"
        Add-AzureRmVpnClientRootCertificate -ResourceGroupName $VNetResourceGroupName -VpnClientRootCertificateName "AppServiceCertificate.cer" -PublicCertData $virtualNetwork.Properties.CertBlob -VirtualNetworkGatewayName $gateway.Name
    }
    # Now finish joining by getting the VPN package and giving it to the App
    Write-Host "Retrieving VPN Package and supplying to App"
    $packageUri = Get-AzureRmVpnClientPackage -ResourceGroupName $vnet.ResourceGroupName -VirtualNetworkGatewayName $gateway.Name -ProcessorArchitecture Amd64
    # Put the VPN client configuration package onto the App
    $propertiesObject = @{
        "vnetName" = $vnet.Name; "vpnPackageUri" = $packageUri
    }
    New-AzureRmResource -Location $location -Properties $propertiesObject -ResourceName "$($WebAppName)/$($vnet.Name)/primary" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections/gateways" -ApiVersion 2015-08-01 -ResourceGroupName $AppResourceGroupName -Force
    Write-Host "Finished!"
}
If your web app is already connected to the VPN, there is a way to connect its slot as well.
$webAppName = "name_of_app_service"
$resourceGroup = "name_of_resource_group"
$vnetName = "name_of_vnet"
$slotName = "staging"
$resName = $webAppName + "/" + $slotName
$WebAppConfig = Get-AzureRmResource -ResourceGroupName $resourceGroup -ResourceType Microsoft.Web/sites/slots/config -ResourceName $resName -ApiVersion 2016-08-01
$WebAppConfig.Properties.vnetName = $vnetName
Set-AzureRmResource -ResourceId $WebAppConfig.ResourceId -Properties $WebAppConfig.Properties -ApiVersion 2016-08-01 # -Force
I've managed to get help from Azure support and we've found out the problem:
I created the secondary slot without cloning the configuration settings from the main slot. If this setting had been selected, the secondary slot would have been connected automatically. In my case I couldn't recreate the slot, so I needed to manually connect the secondary slot after swapping.