In Azure Operator Nexus, access control lists (ACLs) for Permit and Deny actions at a network-to-network interconnect (NNI) level help protect Secure Shell (SSH) access on the management virtual private network (VPN). You create ingress and egress ACLs before the creation of NNI resources and then reference those ACLs in the NNI payload. You need to create referenced ingress and egress ACLs before you provision the network fabric.
These are the high-level steps for creating an ACL on an NNI:

1. Create NNI ingress and egress ACLs.
2. Update the Azure Resource Manager resource reference in a management NNI.
3. Create an NNI and provision the network fabric.
Parameter usage guidance

| Parameter | Description | Example or range |
|---|---|---|
| defaultAction | Default action to be taken. If you don't define it, traffic is permitted. | "defaultAction": "Permit" |
| resource-group | Resource group of the network fabric. | nfresourcegroup |
| resource-name | Name of the ACL. | example-ingressACL |
| vlanGroups | List of virtual local area network (VLAN) groups. | |
| vlans | List of VLANs that need to be matched. | |
| match-configurations | Name of the match configuration. | example_acl. Spaces and the ampersand character (&) aren't supported. |
| matchConditions | Conditions required to be matched. | |
| ttlValues | Time to live (TTL). | 0-255 |
| dscpMarking | Differentiated Services Code Point (DSCP) markings that need to be matched. | [tcp, udp, range[1-2, 1, 2]]. If it's a protocol number, it should be in the range of 1-255. |
| vlanMatchCondition | VLAN match condition that needs to be matched. | |
| layer4Protocol | Layer 4 protocol. | Should be either TCP or UDP. |
| ipCondition | IP condition that needs to be matched. | |
| actions | Action to be taken based on a match condition. | Example: permit. |
| configuration-type | Configuration type, which can be inline or file. At this time, Azure Operator Nexus supports only inline. | Example: inline. |
You should also be aware of these restrictions:

- Inline ports and inline VLANs are a static way of defining the ports or VLANs by using the Azure CLI.
- portGroupNames and vlanGroupNames are dynamic ways of defining ports and VLANs.
- Inline ports and portGroupNames together aren't allowed.
- Inline VLANs and vlanGroupNames together aren't allowed.
- ipGroupNames and ipPrefixValues together aren't allowed.
- Egress ACLs don't support IP options, IP length, fragment, EtherType, DSCP marking, or TTL values.
- Ingress ACLs don't support EtherType options.
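The following pre-flight check is an added example, not code from the page or the Azure CLI: it validates an ACL payload against the parameter table and the restrictions above before the payload is submitted with `az networkfabric acl create`. The dictionary layout mirrors the parameter names on the page, but the nesting (for example, `ports` and `layer4Protocol` under a `portCondition` block) is an assumption made for illustration.

```python
"""Pre-flight checks for an Azure Operator Nexus ACL payload before it goes to
`az networkfabric acl create`. Added example, not from the page or the Azure
CLI; field names follow the parameter table, the nesting is an assumption."""

UNSUPPORTED = {  # match-condition fields the restrictions above rule out per direction
    "egress": {"ipOptions", "ipLength", "fragment", "etherType", "dscpMarking", "ttlValues"},
    "ingress": {"etherType"}}
EXCLUSIVE_PAIRS = [  # (block, inline value, group reference) that must not be combined
    ("vlanMatchCondition", "vlans", "vlanGroupNames"),
    ("portCondition", "ports", "portGroupNames"),
    ("ipCondition", "ipPrefixValues", "ipGroupNames")]

def validate_acl(acl: dict, direction: str) -> list[str]:
    """Return every restriction the payload violates; an empty list means it is clean."""
    errors = []
    if acl.get("configuration-type", "inline").lower() != "inline":
        errors.append("configuration-type: only inline is supported")
    for mc in acl.get("match-configurations", []):
        name = mc.get("matchConfigurationName", "")
        if " " in name or "&" in name:
            errors.append(f"{name!r}: spaces and '&' aren't supported in the name")
        for cond in mc.get("matchConditions", []):
            for field in sorted(UNSUPPORTED[direction] & cond.keys()):
                errors.append(f"{name}: {field} is not supported in {direction} ACLs")
            for ttl in cond.get("ttlValues", []):
                if not 0 <= ttl <= 255:
                    errors.append(f"{name}: ttlValues entry {ttl} is outside 0-255")
            proto = cond.get("portCondition", {}).get("layer4Protocol")
            if proto is not None and proto.upper() not in ("TCP", "UDP"):
                errors.append(f"{name}: layer4Protocol must be TCP or UDP, got {proto!r}")
            for block, inline, group in EXCLUSIVE_PAIRS:
                sub = cond.get(block, {})
                if sub.get(inline) and sub.get(group):
                    errors.append(f"{name}: {inline} and {group} together aren't allowed")
    return errors

# Constructed samples: a clean ingress ACL permitting SSH from one prefix, and an
# egress ACL that breaks four rules (TTL match, TTL range, inline VLANs plus a group, '&').
INGRESS_OK = {"configuration-type": "inline", "defaultAction": "Permit",
              "match-configurations": [{"matchConfigurationName": "example_acl",
                  "matchConditions": [{"ttlValues": [64],
                      "portCondition": {"layer4Protocol": "TCP", "ports": ["22"]},
                      "ipCondition": {"ipPrefixValues": ["10.0.0.0/24"]}}],
                  "actions": [{"type": "Permit"}]}]}
EGRESS_BAD = {"configuration-type": "inline",
              "match-configurations": [{"matchConfigurationName": "mgmt&ssh",
                  "matchConditions": [{"ttlValues": [300],
                      "vlanMatchCondition": {"vlans": ["20-30"], "vlanGroupNames": ["g1"]}}]}]}
```

Running the same payload through both directions shows which findings are direction-specific: the TTL match is rejected only for egress, while the name and the mixed inline/group VLAN definition fail in both.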
Create an ingress ACL
To create an ingress ACL, you can use the following Azure CLI command. This command creates an ingress ACL with the specified configurations and provides the expected result as output. Adjust the parameters as needed for your use case.
To create an egress ACL, you can use the following Azure CLI command. This command creates an egress ACL with the specified configurations and provides the expected result as output. Adjust the parameters as needed for your use case.
This step attaches the ingress and egress ACLs (whichever references you provide) to the NNI resource when you create it. After you create the NNI and before you provision the network fabric, you can also re-PUT the NNI to update these references.

- ingressAclId: Reference ID for the ingress ACL.
- egressAclId: Reference ID for the egress ACL.
To get the Resource Manager resource ID, go to the resource group of the subscription that you're using.
The following command updates the Resource Manager reference for the NNI resource by associating it with the provided ingress and egress ACLs. Adjust the parameters as needed for your use case.
To display the details of a specified ACL, use the following command:
```bash
az networkfabric acl show --resource-group "example-rg" --resource-name "example-acl"
```
List ACLs
To list all ACLs within a specified resource group, use the following command:
```bash
az networkfabric acl list --resource-group "ResourceGroupName"
```
Create ACLs on the ISD external network
Use the following information to create ingress and egress ACLs for the isolation domain (ISD) external network. Then, update the Resource Manager resource reference for the external network.
Create an egress ACL for the ISD external network
To create an egress ACL for the specified ISD external network with the provided configuration, use the following command. Adjust the parameters as needed for your use case.
Upon successful execution, the command returns information about the created ACL in the following format. This output includes details about the configuration and state.
Create an ingress ACL for the ISD external network
To create an ingress ACL for the specified ISD external network with the provided configuration, use the following command. Adjust the parameters as needed for your use case.
Upon successful execution, the command returns information about the created ACL in the following format. This output includes details about the configuration and state.