Events
Apr 29, 2 PM - Apr 30, 7 PM
Join the ultimate Windows Server virtual event April 29-30 for deep-dive technical sessions and live Q&A with Microsoft engineers.
Sign up nowAllow and block VM traffic using SDN port ACLs
In System Center Virtual Machine Manager (VMM), you can centrally configure and manage software defined network (SDN) port access control lists (ACLs).
- A port ACL is a set of port ACL rules that filter the traffic at layer 2 port level.
- A port ACL in VMM filters access to a specific VMM network object.
- Each VMM network object can have only one port ACL attached.
- An ACL contains rules and can be attached to any number of VMM network objects. You can create an ACL without rules and add the rules later.
- If an ACL has multiple rules, they're applied based on the priority. After a rule matches the criteria and is applied, no other rules are processed.
- SDN Port ACLs can be applied to virtual subnets and virtual network adapters.
Note
Port ACL settings are exposed only through PowerShell cmdlets in VMM and can't be configured in the VMM console.
Using VMM PowerShell, you can also configure Hyper-V port ACLs. For more information, see Hyper-V port ACLs.
This article provides information on how to create and manage SDN port ACLs by using the VMM PowerShell cmdlets.
Ensure that SDN network controller is deployed.
Open PowerShell in VMM.
Create a port ACL.
PowerShellPS C:\> New-SCPortACL -Name "RDPAccess" -Description "PortACL to control RDP access" -ManagedByNCNote
The parameter -ManagedByNC ensures that the port ACL is managed by Network Controller (NC) and can only be attached to NC managed objects. The cmdlets provided here use example values.
Get an existing port ACL.
PowerShellPS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"Create a port ACL rule.
PowerShellPS C:\> New-SCPortACLRule -Name "AllowRDPAccess" -PortACL $portACL -Description "Allow RDP Rule from a subnet" -Action Allow -Type Inbound -Priority 110 -Protocol Tcp -LocalPortRange 3389 -RemoteAddressPrefix 10.184.20.0/24Note
- Priority range for SDN port ACL rules: 1 – 64500.
- Only TCP/UDP/Any protocol parameters are supported for creating ACL rules.
Get the virtual network adapter.
PowerShellPS C:\> $vm = Get-SCVirtualMachine -Name “TenantVM” PS C:\> $adapter = Get-SCvirtualNetworkAdapter -VM $vm"Attach an existing port ACL to the virtual network adapter.
PowerShellPS C:\> $portACL = Get-SCPortACL -Name "RDPAccess" PS C:\> Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -PortACL $portACLNote
You can also attach a port ACL while creating the virtual network adapter through New-SCVirtualNetworkAdapter cmdlet. Learn more.
Get the virtual network adapter that you want to detach the port ACL from.
PowerShellPS C:\> $vm = Get-SCVirtualMachine -Name “TenantVM” PS C:\> $adapter = Get-SCvirtualNetworkAdapter -VM $vmDetach the port ACL from the virtual network adapter.
PowerShellPS C:\> Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -RemovePortACL
Get the VM subnet to attach the ACL.
PowerShellPS C:\> $vmSubnet = Get-SCVMSubnet -Name “Tenant Subnet”Attach an existing port ACL to the VM subnet.
PowerShellPS C:\> Set-SCVMSubnet -VMSubnet $vmSubnet -PortACL $portACLNote
You can also attach a port ACL while creating VM subnet through New-SCVMSubnet cmdlet. Learn more.
Get the VM subnet that you want to detach the port ACL from.
PowerShellPS C:\> $vmSubnet = Get-SCVMSubnet -Name “Tenant Subnet”Detach the port ACL from the VM subnet.
PowerShellPS C:\> Set-SCVMSubnet –VMSubnet $vmSubnet -RemovePortACL
Get the port ACL rule that you want to remove.
PowerShellPS C:\> $portACLRule = Get-SCPortACLRule –Name “AllowRDPAccess”Remove the port ACL rule.
PowerShellPS C:\> Remove-SCPortACLRule -PortACLRule $portACLRule
Get the port ACL that you want to remove.
PowerShellPS C:\> $portACL = Get-SCPortACL -Name “RDPAccess”Remove the port ACL.
PowerShellPS C:\> Remove-SCPortACL -PortACL $portACL
Additional resources
Training
Module
Create and implement application allowlists with adaptive application control - Training
You're able to implement Adaptive application controls within your organization to protect your Windows Server IaaS VMs.
Certification
Microsoft Certified: Azure Network Engineer Associate - Certifications
Demonstrate the design, implementation, and maintenance of Azure networking infrastructure, load balancing traffic, network routing, and more.