All posts for the month July, 2020

Tracking network changes and troubleshooting connectivity problems usually results in analysis of route tables, and Azure currently has several route table constructs (Gateway, Express Route, subnet route tables, effective route tables…). The one of most importance or interest is usually the effective route table on a NIC attached to a VM, together with knowing which subnet that NIC is attached to. Network Security Groups are just as important with regards to what traffic they allow in and out.

Below is a script that will cycle through ALL your network interfaces across all running VMs and fetch the effective route table, and also the NSG if one is attached. It outputs the route table and NSG in standard PowerShell format, with some manipulation of the route table data using Format-Table, into a file named after the NIC itself. A header is placed into each file to confirm the NIC name and to advise which VM and subnet it is attached to, which matters for VMs and NVAs with multiple network interfaces.

This script uses a mixture of foreach loops with some manual generation and handling of arrays, and is heavily reliant on the output data from the Get-AzNetworkInterface command. The output of this command in particular needed some work to drill down into the sub-property values for the VM name and the subnet attached to the NIC; I sought advice from another blog: https://4sysops.com/archives/retrieve-azure-nic-properties-using-powershell/.

Get-AzEffectiveNetworkSecurityGroup is used to get NSG information. I couldn’t find an immediate way to dynamically assess whether an NSG would apply to a NIC or not (the command output only lists an NSG that is directly attached to the NIC, as opposed to one inherited from the subnet), so this command is run regardless, but if the output is empty no data is saved to file.

I’ll probably turn this into a function at some time so the looping can be automated by calling it from elsewhere. A brief overview of the script:

  1. Setup file output environment and file names.
  2. Enumerate all NICs into an array by name and Resource Group
  3. Search for NICs and if found
    • Check for output file folder and create if required
    • Otherwise advise none found
  4. Prepare arrays for output file names and search pattern
  5. Cycle through all NICs via foreach loop
    • Get VM Name and Subnet NIC attached to
    • Check power state of VM and if running, get route table and run compare.
    • If there is an NSG attached, it will fetch that too.
  6. Run Comparison function
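
The procedure above, written out as an added example rather than the blog’s own AzNICRouteTable script. It assumes the Az.Compute and Az.Network modules and an already selected subscription, and it tries the reordering the author mentions later: running VMs are enumerated once up front instead of checking power state per NIC. The output folder name is an assumption.

```powershell
# Added example, not the blog's AzNICRouteTable script. Assumes the Az.Compute and Az.Network
# modules are installed and Connect-AzAccount has already selected the subscription.
# The output folder name is an assumption.
$outDir = Join-Path (Get-Location) 'NicRouteTables'
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

# One Get-AzVM -Status call for the whole subscription instead of one power-state query per NIC;
# index running VMs by lower-cased resource ID so each NIC lookup is a hashtable hit.
$running = @{}
Get-AzVM -Status | Where-Object { $_.PowerState -eq 'VM running' } |
    ForEach-Object { $running[$_.Id.ToLower()] = $_ }

foreach ($nic in Get-AzNetworkInterface) {
    # Effective routes only exist for NICs on running VMs; skip unattached NICs and stopped VMs.
    if (-not $nic.VirtualMachine) { continue }
    $vm = $running[$nic.VirtualMachine.Id.ToLower()]
    if (-not $vm) { Write-Host "Skipping $($nic.Name): VM not running"; continue }

    # The subnet name is the last segment of the subnet resource ID on the primary IP configuration.
    $ipcfg  = $nic.IpConfigurations | Where-Object { $_.Primary } | Select-Object -First 1
    $subnet = $ipcfg.Subnet.Id.Split('/')[-1]

    # Header first, so every file says which NIC, VM and subnet it describes (multi-NIC NVAs).
    $file = Join-Path $outDir "$($nic.Name).txt"
    "NIC: $($nic.Name)  VM: $($vm.Name)  Subnet: $subnet  RG: $($nic.ResourceGroupName)" | Out-File $file

    # Effective route table: system, UDR and BGP routes as merged on this NIC.
    Get-AzEffectiveRouteTable -NetworkInterfaceName $nic.Name -ResourceGroupName $nic.ResourceGroupName |
        Sort-Object State, Source |
        Format-Table Source, State, @{n='Prefix';e={$_.AddressPrefix -join ','}},
                     NextHopType, @{n='NextHop';e={$_.NextHopIpAddress -join ','}} -AutoSize |
        Out-File $file -Append

    # Effective NSG rules; when the command returns nothing (no NSG), no NSG section is written.
    $nsgs = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name `
                -ResourceGroupName $nic.ResourceGroupName -ErrorAction SilentlyContinue
    foreach ($g in $nsgs) {
        "NSG: $($g.NetworkSecurityGroup.Id.Split('/')[-1])" | Out-File $file -Append
        $g.EffectiveSecurityRules |
            Format-Table Name, Priority, Direction, Access, Protocol,
                         @{n='Src';e={$_.SourceAddressPrefix -join ','}},
                         @{n='Dst';e={$_.DestinationAddressPrefix -join ','}},
                         @{n='DstPort';e={$_.DestinationPortRange -join ','}} -AutoSize |
            Out-File $file -Append
    }
}
```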

Some of the commands take a second or so to execute, so the script will take time to cycle through; the slowest check is validating whether the VM is running. Looks like I’ll have some more work to do, perhaps changing the order of things to enumerate running VMs first and then work on getting the NIC details!

The script is located at https://github.com/roity57/Azure-Gather-and-Compare-Info/blob/master/AzNICRouteTable.ps

(Updated 2/8/2020 – added NSG enumeration and all scripts now located at Github with version control)

It can be a little tedious having to use the GUI to fetch routing information and other details for Express Routes. I haven’t actually located a GUI function to revise the Virtual Network Gateway routes.

I’ve used the Get-AzResource command to dynamically ascertain whether or not there is a Virtual Network Gateway and/or Express Route Circuit. In order to review the route table of the Virtual Network Gateway I’ve used the Az module Get-AzVirtualNetworkGatewayLearnedRoute and Get-AzVirtualNetworkGatewayBGPPeerStatus commands. To gather Express Route details I used Get-AzExpressRouteCircuit, Get-AzExpressRouteCircuitARPTable and Get-AzExpressRouteCircuitRouteTable. The script is set up to fetch details for both Private Peering and Microsoft Peering, so if either is missing the relevant error messages are produced. It should also be noted that PowerShell warnings do pop up for “breaking changes” and, as with my other scripts, there are no special error control functions in this one.

The script works by producing the information into individual files as well as combining them all into one, all with date/time stamps (it uses the name of the virtual network gateway / express route circuit). If the function is called standalone you just need to supply the subscription name as a parameter; the script will then make sure that subscription is the currently selected one.

  1. Select the specified subscription
  2. Setup folder locations for output files
  3. Search for Virtual Network Gateways/Express Routes and if found
    • Check for output file folder and create if required
    • Otherwise advise none found
  4. Foreach loops run for any gateways/circuits that are found.

The Virtual Network Gateway foreach loop obtains the Learned Routes in table format; if for some reason no output is produced, the output file is deleted. It then obtains the BGP Peer Status via Format-Table and, again, if for some reason it’s empty the output file is deleted.

The Express Route Circuit foreach loop writes the circuit config info to file and strips any “Etag” fields from the data. It then fetches the ARP tables for all peerings and then the route tables for all peerings, and finally creates a combined output file of all the content.
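
The two loops described above, as an added example that is not the blog’s Get-AzNetGates function. It assumes Connect-AzAccount has already run; the $SubscriptionName parameter, the file naming and the output folder are assumptions, and $ErrorActionPreference is set to Stop so that a missing peering or a gateway without BGP surfaces as a caught warning rather than a silently empty file.

```powershell
# Added example, not the blog's Get-AzNetGates function. Assumes Connect-AzAccount has run;
# the $SubscriptionName parameter, file naming and output folder are assumptions.
param([Parameter(Mandatory)][string]$SubscriptionName)
Set-AzContext -Subscription $SubscriptionName | Out-Null
$ErrorActionPreference = 'Stop'    # make cmdlet failures terminating so try/catch sees them
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$outDir = Join-Path (Get-Location) 'GatewayRoutes'
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

# Write a table to file, but remove the file again if the command returned nothing,
# so an empty capture is never mistaken for "no routes" in a later comparison.
function Save-Table($Data, $Path) {
    $Data | Format-Table -AutoSize | Out-File $Path
    if (-not $Data) { Remove-Item $Path; Write-Host "no data, removed $Path" }
}

# Discover gateways with Get-AzResource so the script copes with none being present.
foreach ($gw in Get-AzResource -ResourceType 'Microsoft.Network/virtualNetworkGateways') {
    $base = Join-Path $outDir "$($gw.Name)-$stamp"
    try {
        Save-Table (Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $gw.ResourceGroupName `
                        -VirtualNetworkGatewayName $gw.Name) "$base-LR.txt"
        Save-Table (Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $gw.ResourceGroupName `
                        -VirtualNetworkGatewayName $gw.Name) "$base-BGP.txt"
    } catch { Write-Warning "$($gw.Name): $($_.Exception.Message)" }   # e.g. BGP not enabled
}

foreach ($res in Get-AzResource -ResourceType 'Microsoft.Network/expressRouteCircuits') {
    $ckt  = Get-AzExpressRouteCircuit -Name $res.Name -ResourceGroupName $res.ResourceGroupName
    $base = Join-Path $outDir "$($ckt.Name)-$stamp"
    # Etag changes on every write, so strip it or every comparison will flag a difference.
    ($ckt | ConvertTo-Json -Depth 10) -split "`r?`n" | Where-Object { $_ -notmatch '"Etag"' } |
        Out-File "$base-Config.txt"
    foreach ($peering in 'AzurePrivatePeering', 'MicrosoftPeering') {
        foreach ($path in 'Primary', 'Secondary') {
            $p = @{ ResourceGroupName = $res.ResourceGroupName; ExpressRouteCircuitName = $ckt.Name
                    PeeringType = $peering; DevicePath = $path }
            try {
                Save-Table (Get-AzExpressRouteCircuitARPTable @p)   "$base-$peering-$path-ARP.txt"
                Save-Table (Get-AzExpressRouteCircuitRouteTable @p) "$base-$peering-$path-Routes.txt"
            } catch { Write-Warning "$($ckt.Name) $peering/$path - $($_.Exception.Message)" }
        }
    }
    # Combined file of everything captured for this circuit in this run.
    Get-ChildItem "$base-*.txt" -Exclude '*-All.txt' | Get-Content | Out-File "$base-All.txt"
}
```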

If you want, you can use the “Comp-AzData” compare function, whose script is contained at the bottom of another blog post at http://roity.com/tech/2020/06/27/gather-and-compare-configuration-info-in-azure/. To compare the Virtual Network Gateway routes, from within the folder where the output files are located you could execute “Comp-AzData -Pattern *-virtual-network-gateway-LR.txt” for instance, or to compare the Express Route Circuits you could execute “Comp-AzData -Pattern *-er-circuit-name-Routes.txt”. You can optionally use the -DocDir parameter to specify the folder location of the output files. I haven’t as yet integrated the file comparison function to automatically do the comparisons as part of the capture process.

The scripts can take some minutes to run. I’ve combined this function into the set of scripts I published earlier (linked above) by adding “Get-AzNetGates $aztenantname” to the Az-GatherInfo.ps1 file directly after the “foreach ($azg in $azget)” loop, and adding the entire function below into the “Az-GatherInfoFuncs.ps1” file.

Az-GatherInfoFuncs script located at https://github.com/roity57/Azure-Gather-and-Compare-Info/blob/master/Modules/Az-GatherInfoFuncs.ps1

Depending on connectivity and routing requirements there may be a need to create firewall policy or ACLs, a web proxy filter configuration or PAC file, or some type of routing distribution filter somewhere on the network. If you’re unable to dynamically ingest the MS BGP Community prefixes and have to enter them manually, then it becomes a risky challenge as MS alters the IP addresses along the way, on top of already being an operational challenge to manage in itself.

This issue of IP whitelisting and changing addresses is something I’ve seen become a bit of a problem theme in the last few years, when services require you to whitelist specific FQDNs and, on top of that, FQDNs with wildcards. Whilst some platforms have matured in being able to provide some support for this approach (such as L7 filtering, so you can filter on URL or even specifics in the URN), there will probably be a requirement for some time to come for IP whitelisting to be used, or for manual generation of proxy configuration or routing information as well.

Microsoft have provided some relief, for instance around the Office 365 endpoint information, by publishing a web service for Office 365 IP addresses and URLs. The web service, with its accompanying script in both PowerShell and Python, is quite useful for assessing changes and raising an alert along with the latest information that can be used to update systems. They’re probably not the only ones to have provided dynamic access to changing information; they also provide the ability to fetch Azure BGP Community information via Az module PowerShell commands.

A script at https://github.com/roity57/Azure-Gather-and-Compare-Info/blob/master/AzBGPCommunities.ps1 will help with fetching the data, storing it in text format and then flagging it for changes. This script can either be set to query a certain community by name or just allowed to enumerate all of them and capture each community into its own sub-folder. It can also be used to either capture the full community information that Microsoft publishes or just filter down to the CIDR prefix list.

The gathered information could then be used by further scripts to convert it into ACLs, firewall policies or similar for use elsewhere, using whatever options the platforms offer such as REST API calls. Alternatively some additional PowerShell script could be added to generate email alerts or similar. Overview of the script:

  1. Setup file environment and Import the compare function
  2. Specify/Choose communities or enumerate all
  3. Designate output folder and create if required
  4. Setup filename format
  5. Loop through specified or all communities
    • Output default command info or just CIDR prefix list
  6. Run the compare function for the community exported
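
The overview above as an added example, not the blog’s AzBGPCommunities.ps1. It assumes Connect-AzAccount has run; the -Community filter, the folder layout and the prefix diff at the end (a simple stand-in for the blog’s Comp-AzData function) are assumptions. The diff is the part that matters operationally: every added or removed prefix is a change that has to reach the firewall, ACL or proxy configuration that was built from the previous capture.

```powershell
# Added example, not the blog's AzBGPCommunities.ps1. Assumes Connect-AzAccount has run.
# The -Community filter, folder layout and the prefix diff (standing in for the blog's
# Comp-AzData function) are assumptions.
param(
    [string]$Community = '*',                                      # service name filter, wildcards allowed
    [string]$Root = (Join-Path (Get-Location) 'BgpCommunities'),
    [switch]$Full                                                  # also keep the full community record
)

$services = Get-AzBgpServiceCommunity | Where-Object { $_.Name -like $Community }
if (-not $services) { Write-Warning "No BGP service community matched '$Community'"; return }

foreach ($svc in $services) {
    foreach ($c in $svc.BgpCommunities) {
        # One sub-folder per community value (12076:5xxx); ':' is not a valid folder character.
        $dir = Join-Path $Root ($c.CommunityValue -replace ':', '_')
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

        # Latest previous capture (timestamped names sort chronologically), then write the new one.
        $previous = Get-ChildItem $dir -Filter '*-prefixes.txt' | Sort-Object Name | Select-Object -Last 1
        $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
        $new      = @($c.CommunityPrefixes | Sort-Object -Unique)
        $new | Out-File (Join-Path $dir "$stamp-prefixes.txt")
        if ($Full) { $c | Format-List | Out-File (Join-Path $dir "$stamp-full.txt") }

        if (-not $previous) {
            Write-Host "baseline  $($c.CommunityName) [$($c.CommunityValue)]: $($new.Count) prefixes"
            continue
        }
        # Diff without Compare-Object so empty lists are handled; each added or removed
        # prefix is a firewall/ACL/proxy change that needs to be pushed out.
        $old     = @(Get-Content $previous.FullName | Where-Object { $_ })
        $added   = @($new | Where-Object { $_ -notin $old })
        $removed = @($old | Where-Object { $_ -notin $new })
        if ($added -or $removed) {
            Write-Host "CHANGED   $($c.CommunityName) [$($c.CommunityValue)] since $($previous.Name)"
            $added   | ForEach-Object { Write-Host "  + $_" }
            $removed | ForEach-Object { Write-Host "  - $_" }
        } else {
            Write-Host "unchanged $($c.CommunityName) [$($c.CommunityValue)]"
        }
    }
}
```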