Add-AzKeyVaultManagedHsmNetworkRule
Add one or more IP network rules to a Managed HSM that already has its firewall (DefaultAction Deny) enabled.
Syntax
ByName (Default)
Add-AzKeyVaultManagedHsmNetworkRule
[-Name] <String>
[[-ResourceGroupName] <String>]
[-IpAddressRange <String[]>]
[-VirtualNetworkResourceId <String[]>]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ByInputObject
Add-AzKeyVaultManagedHsmNetworkRule
[-InputObject] <PSManagedHsm>
[-IpAddressRange <String[]>]
[-VirtualNetworkResourceId <String[]>]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
ByResourceId
Add-AzKeyVaultManagedHsmNetworkRule
[-ResourceId] <String>
[-IpAddressRange <String[]>]
[-VirtualNetworkResourceId <String[]>]
[-PassThru]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[-SubscriptionId <String>]
[<CommonParameters>]
Description
Adds one or more CIDR IP address ranges to the Managed HSM network ACL list. This cmdlet performs a
merge (it keeps existing IP rules and appends the new ones, ignoring duplicates case-insensitively).
Virtual network rules are not currently supported for Managed HSM; any attempt to supply
-VirtualNetworkResourceId results in an error. The Managed HSM service requires DefaultAction to
be Deny when IP rules are present; if the current firewall is open (Allow) this cmdlet throws
and instructs you to first run Update-AzKeyVaultManagedHsmNetworkRuleSet -DefaultAction Deny.
Typical workflow:
- Enable firewall by setting DefaultAction Deny (optionally adding the first IP) using
New-AzKeyVaultManagedHsmwith-NetworkRuleSetorUpdate-AzKeyVaultManagedHsmNetworkRuleSet. - Add additional IP ranges with this cmdlet.
Examples
Example 1: Add a single IP range (assuming -DefaultAction is set to Deny)
Add-AzKeyVaultManagedHsmNetworkRule -Name $myHsm -ResourceGroupName $myRg -IpAddressRange 203.0.113.0/24
(No Output but the IPRules are updated)
Adds one CIDR range; existing rules are preserved.
Example 2: Add multiple ranges and return the updated object (assuming -DefaultAction is set to Deny)
Add-AzKeyVaultManagedHsmNetworkRule -Name $myHsm -ResourceGroupName $myRg -IpAddressRange 203.0.113.0/24,198.51.100.10/32 -PassThru
Name Resource Group Name Location SKU ProvisioningState Security Domain ActivationStatus
---- ------------------- -------- --- ----------------- --------------------------------
mhsm1814428918 kv-mhsm-rg eastus StandardB1 Succeeded NotActivated
$hsm.OriginalManagedHsm.Properties.NetworkAcls
Bypass : AzureServices
DefaultAction : Deny
IPRules : {203.0.113.0/24, 198.51.100.10/32}
ServiceTags : {}
VirtualNetworkRules : {}
Appends two ranges then outputs the Managed HSM object because -PassThru is specified.
Example 3: Pipe a Managed HSM object
Get-AzKeyVaultManagedHsm -Name $myHsm -ResourceGroupName $myRg | Add-AzKeyVaultManagedHsmNetworkRule -IpAddressRange 198.51.100.0/25
(No Output but the IPRules are updated)
Uses the pipeline form (-InputObject).
Example 4: Attempt when DefaultAction is Allow (will fail)
# First open firewall (for illustration – not recommended long term)
Update-AzKeyVaultManagedHsmNetworkRuleSet -Name $myHsm -ResourceGroupName $myRg -DefaultAction Allow
# This next command will throw until you set DefaultAction back to Deny
Add-AzKeyVaultManagedHsmNetworkRule -Name myHsm -ResourceGroupName myRg -IpAddressRange 192.0.2.0/24
Name Resource Group Name Location SKU ProvisioningState Security Domain ActivationStatus
---- ------------------- -------- --- ----------------- --------------------------------
mhsm1814428918 kv-mhsm-rg eastus StandardB1 Succeeded NotActivated
$h.OriginalManagedHsm.Properties.NetworkAcls
Bypass : AzureServices
DefaultAction : Allow
IPRules : {}
ServiceTags : {}
VirtualNetworkRules : {}
Add-AzKeyVaultManagedHsmNetworkRule: Cannot add IP network rules while DefaultAction is Allow. Run Update-AzKeyVaultManagedHsmNetworkRuleSet -Name <name> -DefaultAction Deny first, then add IP rules.
Demonstrates the validation that prevents adding IP rules while DefaultAction is Allow.
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | cf |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Parameter properties
| Type: | IAzureContextContainer |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | AzContext, AzureRmContext, AzureCredential |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-InputObject
Managed HSM object.
Parameter properties
| Type: | PSManagedHsm |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
ByInputObject
| Position: | 0 |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-IpAddressRange
One or more CIDR IP ranges to add (e.g. 198.51.100.0/24). Duplicates (case-insensitive match on the
Value sent to the service) are ignored. Private RFC1918 ranges may be rejected by the service.
Parameter properties
| Type: | String[] |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Name
Name of the managed HSM.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | HsmName |
Parameter sets
ByName
| Position: | 0 |
| Mandatory: | True |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-PassThru
This Cmdlet does not return an object by default. If this switch is specified, it returns the updated managed HSM object.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ResourceGroupName
Resource group name.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
ByName
| Position: | 1 |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ResourceId
Managed HSM resource Id.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
ByResourceId
| Position: | 0 |
| Mandatory: | True |
| Value from pipeline: | False |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-SubscriptionId
The ID of the subscription.
By default, cmdlets are executed in the subscription that is set in the current context. If the user specifies another subscription, the current cmdlet is executed in the subscription specified by the user.
Overriding subscriptions only take effect during the lifecycle of the current cmdlet. It does not change the subscription in the context, and does not affect subsequent cmdlets.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-VirtualNetworkResourceId
(Not supported) Virtual network rules are not currently supported for Managed HSM.
Parameter properties
| Type: | String[] |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | wi |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
