Search code examples
azurepowershellazure-cognitive-search

Use PowerShell to configure the IP firewall for Azure Cognitive Search

I am trying to use a script to automatically add IP addresses to an Azure Cognitive Search IP Firewall.

The reason for this is that the service does not allow management of certain features (indexes, data source configurations, etc.) while a Firewall is set, so I find myself removing all current IP addresses, making the desired update to the search service, and then manually re-adding the IP addresses (following this Microsoft documentation: Configure IP firewall for Azure Cognitive Search). Between all of the developers on the project and the IP addresses from the App Service, this is a very tedious process to perform repetitively.

Even if my own IP address is included in the Firewall I cannot manage certain components.

Looking through PowerShell commands I haven't seen any way to automatically add IP addresses yet, or even view a list of existing IP addresses

So how can you do this in PowerShell?

Solution

  • Search Service can be changed/updated through powershell Azure Search CLI command az search service update

    However, the az search service update supports only updation of the below properties at this moment :

    • hostingMode
    • id
    • identity
    • location
    • name
    • partitionCount
    • provisioningState
    • replicaCount
    • sku
    • status
    • statusDetails
    • tags
    • type

    Like mentioned by Joey Cai, you could use the REST API in order to manage the IP Firewall rules.

    You can perform the rest query from the Powershell. The below script adds the IPto the Search Service.

    $searchservicename = "<SEARCH SERVICE NAME>"
$resourcegroup = "<RESOURCE GROUP>"
$subscription = "<YOUR SUBSCRIBRION>"

$access= $token.accessToken
$url = "https://management.azure.com/subscriptions/$subscription/resourceGroups/$resourcegroup/providers/Microsoft.Search/searchServices/$searchservicename" + "?api-version=2020-08-01"

$body = '{
  "location": "<YOUR REGION>",
  "tags": {
    "app-name": "<YOUR TAG>"
  },
  "sku": {
    "name": "standard"
  },
  "properties": {
    "replicaCount": 1,
    "partitionCount": 1,
    "networkRuleSet": {
      "ipRules": [
        {
          "value": "<CIDR IP>"
        },
        {
          "value": "<CIDR IP>"
        }
      ]
    },
    "hostingMode": "default"
  }
}'


$headers = @{'x-ms-client-request-id'=(New-Guid); 'Authorization' ="Bearer $access_t ";'Content-Type' ="application/json"}
Invoke-WebRequest -Uri $url -Body $body -Headers $headers  -Method Put

    To remove IPRules, update the body as :

    "networkRuleSet": {
      "ipRules": []
    }

    To view the list of IPs. You could use the GET method instead of the PUT and ignore the body.

    You will have to get the access token($access_t) before using any of the above. You can employ lot of ways to obtain the token. In Powershell, my simplest approach is as below

    az login
$token = az account get-access-token --subscription "<Your Subscription>"
$token = $token | ConvertFrom-Json 
$access_t= $token.accessToken

    Note :

    You will need Az Cli in your machine before executing any of the above steps.

    To install & make use of AZ Cli you could refer this article

    This is for getting the token in case you are getting the token from the above method