Shell script to create an Azure Network Security Group (NSG) for Azure API Management with the internal VNet injection mode

create_apim_internal_nsg.sh

#!/bin/bash

# Description:
# This script creates an Azure Network Security Group (NSG) specifically for Azure API Management
# configured with the "internal" VNet injection mode. This mode allows access only from internal
# sources. The script includes rules for load balancing, storage access, SQL database access,
# Key Vault access, and monitoring services.
# 
# Usage:
# The script will prompt for the Azure resource group name, location, and NSG name.
# After entering the required information, the script will create the NSG and
# apply the rules automatically.

echo "---------------------------------------"
echo "NSG Creation Script for Azure API Management - Internal vnet integration"
echo "---------------------------------------"
echo "This script creates an NSG for Azure API Management with the 'internal' VNet injection mode."
echo "You'll be prompted for the resource group name, location, and NSG name."
echo "---------------------------------------"
echo ""

# Input variables
read -p "Enter the resource group name: " resourceGroupName
read -p "Enter the location: " location
read -p "Enter the NSG name for internal rules: " nsgInternal

# Create NSG for Internal Only
az network nsg create --resource-group $resourceGroupName --name $nsgInternal --location $location

# Add rules to Internal Only NSG
az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-Load-Balancer" \
    --priority 130 --direction Inbound --access Allow --protocol Tcp --destination-port-ranges 6390 \
    --source-address-prefixes AzureLoadBalancer --destination-address-prefixes VirtualNetwork --description "Azure Infrastructure Load Balancer"

az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-Storage" \
    --priority 140 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 443 \
    --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage --description "Dependency on Azure Storage for core service functionality"

az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-SQL" \
    --priority 150 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 1433 \
    --source-address-prefixes VirtualNetwork --destination-address-prefixes SQL --description "Access to Azure SQL endpoints for core service functionality"

az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-KeyVault" \
    --priority 160 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 443 \
    --source-address-prefixes VirtualNetwork --destination-address-prefixes AzureKeyVault --description "Access to Azure Key Vault for core service functionality"

az network nsg rule create --resource-group $resourceGroupName --nsg-name $nsgInternal --name "Allow-Monitor" \
    --priority 170 --direction Outbound --access Allow --protocol Tcp --destination-port-ranges 1886 443 \
    --source-address-prefixes VirtualNetwork --destination-address-prefixes AzureMonitor --description "Publish Diagnostics Logs and Metrics, Resource Health, and Application Insights"

echo "Internal-only NSG created successfully!"

Usage Instructions:

To execute this script, you can run it directly from the Azure Cloud Shell or from any Bash environment where the Azure CLI is installed and you're logged in to your Azure account.

If you're using the Azure Cloud Shell, the Azure CLI is already pre-installed and configured, so you can simply copy and paste the following command to run the script:

bash <(curl -sL https://gist.github.com/amgdy/71cc1cc299a283731699bbcb44a3a592/raw/)