Update-AzKeyVaultManagedHsmNetworkRuleSet

Replace or modify the Managed HSM network rule set (DefaultAction, Bypass, and/or full IP rule list).

Syntax

ByName (Default)

Update-AzKeyVaultManagedHsmNetworkRuleSet
    [-Name] <String>
    [[-ResourceGroupName] <String>]
    [-DefaultAction <PSManagedHsmNetworkRuleDefaultActionEnum>]
    [-Bypass <PSManagedHsmNetworkRuleBypassEnum>]
    [-IpAddressRange <String[]>]
    [-VirtualNetworkResourceId <String[]>]
    [-PassThru]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [-SubscriptionId <String>]
    [<CommonParameters>]

ByInputObject

Update-AzKeyVaultManagedHsmNetworkRuleSet
    [-InputObject] <PSManagedHsm>
    [-DefaultAction <PSManagedHsmNetworkRuleDefaultActionEnum>]
    [-Bypass <PSManagedHsmNetworkRuleBypassEnum>]
    [-IpAddressRange <String[]>]
    [-VirtualNetworkResourceId <String[]>]
    [-PassThru]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [-SubscriptionId <String>]
    [<CommonParameters>]

ByResourceId

Update-AzKeyVaultManagedHsmNetworkRuleSet
    [-ResourceId] <String>
    [-DefaultAction <PSManagedHsmNetworkRuleDefaultActionEnum>]
    [-Bypass <PSManagedHsmNetworkRuleBypassEnum>]
    [-IpAddressRange <String[]>]
    [-VirtualNetworkResourceId <String[]>]
    [-PassThru]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [-SubscriptionId <String>]
    [<CommonParameters>]

Description

Updates the Managed HSM network ACL configuration. This cmdlet REPLACES the IP rule list when -IpAddressRange is supplied; omit the parameter to retain the existing list. Virtual network rules are not currently supported for Managed HSM. If any IP rules are present (whether retained from the existing list or newly provided), DefaultAction must stay at, or be set to, Deny; attempting to apply IP rules with DefaultAction Allow results in an error.

Typical scenarios:

  • Add or remove IP ranges in bulk by supplying a complete new list via -IpAddressRange.
  • Clear all IP rules by passing an empty array: -IpAddressRange @() then (optionally) switch to Allow.
  • Change only DefaultAction or Bypass while leaving IP rules untouched by omitting -IpAddressRange.

Examples

Example 1: Switch from Allow to Deny (enabling firewall) with an initial rule

$h = Update-AzKeyVaultManagedHsmNetworkRuleSet -Name myHsm -ResourceGroupName myRg -DefaultAction Deny -IpAddressRange 203.0.113.0/24 -PassThru
$h
Name           Resource Group Name Location SKU        ProvisioningState Security Domain ActivationStatus
----           ------------------- -------- ---        ----------------- --------------------------------
mhsm1814428918 kv-mhsm-rg          eastus   StandardB1 Succeeded         NotActivated


$h.OriginalManagedHsm.Properties.NetworkAcls
Bypass              : AzureServices
DefaultAction       : Deny
IPRules             : {203.0.113.0/24}
ServiceTags         : {}
VirtualNetworkRules : {}

Enables the firewall and sets a single permitted CIDR.

Example 2: Append rules using Add cmdlet then view (assuming -DefaultAction is set to Deny)

Add-AzKeyVaultManagedHsmNetworkRule -Name myHsm -ResourceGroupName myRg -IpAddressRange 198.51.100.10/32
(No output but the IP was added to the list)

$h = Update-AzKeyVaultManagedHsmNetworkRuleSet -Name myHsm -ResourceGroupName myRg -Bypass AzureServices -PassThru
$h
Name           Resource Group Name Location SKU        ProvisioningState Security Domain ActivationStatus
----           ------------------- -------- ---        ----------------- --------------------------------
mhsm1814428918 kv-mhsm-rg          eastus   StandardB1 Succeeded         NotActivated

$h.OriginalManagedHsm.Properties.NetworkAcls
Bypass              : AzureServices
DefaultAction       : Deny
IPRules             : {198.51.100.10/32}
ServiceTags         : {}
VirtualNetworkRules : {}

Leaves existing IP list intact (no -IpAddressRange provided) and changes only the Bypass setting.

Example 3: Replace the entire IP rule list

$h = Update-AzKeyVaultManagedHsmNetworkRuleSet -Name myHsm -ResourceGroupName myRg -IpAddressRange 203.0.113.0/24,198.51.100.0/25 -DefaultAction Deny -PassThru
$h
Name           Resource Group Name Location SKU        ProvisioningState Security Domain ActivationStatus
----           ------------------- -------- ---        ----------------- --------------------------------
mhsm1814428918 kv-mhsm-rg          eastus   StandardB1 Succeeded         NotActivated


$h.OriginalManagedHsm.Properties.NetworkAcls
Bypass              : AzureServices
DefaultAction       : Deny
IPRules             : {203.0.113.0/24, 198.51.100.0/25}
ServiceTags         : {}
VirtualNetworkRules : {}

Overwrites current IP rules with exactly two CIDR ranges.

Example 4: Clear all IP rules then open access

$h = Update-AzKeyVaultManagedHsmNetworkRuleSet -Name myHsm -ResourceGroupName myRg -IpAddressRange @() -DefaultAction Deny -PassThru
$h
Name           Resource Group Name Location SKU        ProvisioningState Security Domain ActivationStatus
----           ------------------- -------- ---        ----------------- --------------------------------
mhsm1814428918 kv-mhsm-rg          eastus   StandardB1 Succeeded         NotActivated

$h.OriginalManagedHsm.Properties.NetworkAcls
Bypass              : AzureServices
DefaultAction       : Deny
IPRules             : {}
ServiceTags         : {}
VirtualNetworkRules : {}

$h = Update-AzKeyVaultManagedHsmNetworkRuleSet -Name myHsm -ResourceGroupName myRg -DefaultAction Allow -PassThru
$h
Name           Resource Group Name Location SKU        ProvisioningState Security Domain ActivationStatus
----           ------------------- -------- ---        ----------------- --------------------------------
mhsm1814428918 kv-mhsm-rg          eastus   StandardB1 Succeeded         NotActivated

$h.OriginalManagedHsm.Properties.NetworkAcls
Bypass              : AzureServices
DefaultAction       : Allow
IPRules             : {}
ServiceTags         : {}
VirtualNetworkRules : {}

Two-step pattern: clear rules while still Deny, then switch to Allow once list is empty.
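
Because -IpAddressRange replaces the whole list, adding or removing a single range means sending the merged list, and opening access means two calls in the order shown in Example 4. The following is an added example, not code from the Az.KeyVault module: the function New-HsmNetworkRuleSetStep, its parameters and the sample rule list are hypothetical, and it goes beyond the page by validating each CIDR string before anything is sent.

```powershell
# Hypothetical helper (added example, not part of Az.KeyVault).
function New-HsmNetworkRuleSetStep {
    [CmdletBinding()]
    param(
        [string[]] $CurrentIpRule = @(),  # rule list currently on the HSM
        [string[]] $Add = @(),
        [string[]] $Remove = @(),
        [switch]   $AllowWhenEmpty        # request DefaultAction Allow if no rules remain
    )

    # -IpAddressRange replaces the list, so always send the full merged set.
    $desired = @(($CurrentIpRule + $Add) |
        Where-Object { $_ -and $_ -notin $Remove } | Sort-Object -Unique)

    foreach ($cidr in $desired) {
        $addr, $prefix = $cidr -split '/', 2
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($addr, [ref] $ip)) {
            throw "Not an IP address or CIDR range: '$cidr'"
        }
        $max = if ($ip.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
        if ($null -ne $prefix -and ($prefix -notmatch '^\d+$' -or [int] $prefix -gt $max)) {
            throw "Invalid prefix length in '$cidr'"
        }
    }

    # Allow is only valid with an empty list; refuse before emitting any step.
    if ($AllowWhenEmpty -and $desired.Count -gt 0) {
        throw "Refusing Allow: $($desired.Count) IP rule(s) would remain."
    }

    # Step 1: write the list with Deny (IP rules combined with Allow are rejected).
    @{ IpAddressRange = $desired; DefaultAction = 'Deny' }

    # Step 2: only once the list is empty, switch to Allow.
    if ($AllowWhenEmpty) { @{ DefaultAction = 'Allow' } }
}

# Constructed sample state: the rule list as it stands after Example 3.
$current = '203.0.113.0/24', '198.51.100.0/25'
$steps = New-HsmNetworkRuleSetStep -CurrentIpRule $current -Add '192.0.2.10/32' -Remove '198.51.100.0/25'

foreach ($step in $steps) {
    # -WhatIf previews each call; remove it to apply. Needs an authenticated Az session.
    Update-AzKeyVaultManagedHsmNetworkRuleSet -Name myHsm -ResourceGroupName myRg @step -WhatIf
}
```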

Parameters

-Bypass

Specifies the bypass setting of the network rule set.

Parameter properties

Type:PSManagedHsmNetworkRuleBypassEnum
Default value:None
Accepted values:None, AzureServices
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DefaultAction

Specifies the default action of the network rule set.

Parameter properties

Type:PSManagedHsmNetworkRuleDefaultActionEnum
Default value:None
Accepted values:Allow, Deny
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-InputObject

Managed HSM object.

Parameter properties

Type:PSManagedHsm
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByInputObject
Position:0
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-IpAddressRange

Complete replacement list of CIDR IP ranges. Omit parameter to keep existing list. Pass @() (empty array) to clear all IP rules.

Parameter properties

Type:String[]
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Name

Specifies the name of a Managed HSM whose network rule set is being modified.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:HsmName

Parameter sets

ByName
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PassThru

This cmdlet does not return an object by default. If this switch is specified, it returns the updated Managed HSM object.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ResourceGroupName

Specifies the resource group name of the Managed HSM whose network rule set is being modified.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByName
Position:1
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ResourceId

Managed HSM resource Id.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByResourceId
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-SubscriptionId

The ID of the subscription.

By default, cmdlets are executed in the subscription that is set in the current context. If the user specifies another subscription, the current cmdlet is executed in the subscription specified by the user.

Overriding the subscription only takes effect during the lifecycle of the current cmdlet. It does not change the subscription in the context, and does not affect subsequent cmdlets.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-VirtualNetworkResourceId

(Not supported) Virtual network rules are not currently supported for Managed HSM.

Parameter properties

Type:String[]
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

PSManagedHsm

String

Nullable<T>

Nullable<T>

Outputs

PSManagedHsm