Configuring Port ACLs

Using network restrictions to limit access between computers and networks, even in virtual environments, is common practice. For instance, let's say you need to deny network access from a particular IP address or virtual machine to another virtual machine or to an entire network. In earlier versions of Hyper-V, you would have needed additional software or a network device to define these rules, making the setup more complicated and expensive.

Since Windows Server 2012, Hyper-V has supported a feature called Port ACLs, which enforces policies to block or allow network traffic for a virtual machine, IP address, or network range. These policies are created with PowerShell, and administrators can use them to control network traffic sent and received through the Hyper-V virtual switch.

Port ACLs act as a simple network firewall at the virtual switch: each rule defines the direction, the remote address, and the action to take on matching traffic.

This recipe will demonstrate how to create and analyze Port ACLs by using Hyper-V.

Getting ready…

Before starting to create Port ACL rules, make sure your network infrastructure (such as subnets, routers, and IP addressing) is configured and working properly.

How to do it…

The following steps show how to use the Port ACL cmdlets to add, view, and remove rules for virtual machines:

  1. Launch the Start menu and type powershell to open Windows PowerShell.
  2. To block outbound access from a virtual machine to an IP range, use the Add-VMNetworkAdapterAcl cmdlet, specifying the virtual machine with VMName and the network range with RemoteIPAddress. The following example denies the virtual machine named Win2016 outbound connections to any IP in the 192.168.0.0/24 network:
    Add-VMNetworkAdapterAcl -VMName Win2016 -RemoteIPAddress 192.168.0.0/24 -Direction Outbound -Action Deny

  3. To deny inbound access to a virtual machine from any IP address, type the following command. In this example, the virtual machine named Win2016 has inbound connections denied from ANY remote IP address:
    Add-VMNetworkAdapterAcl -VMName Win2016 -RemoteIPAddress ANY -Direction Inbound -Action Deny

  4. To allow both inbound and outbound connections between a virtual machine and a particular IP address, use the following command. In this example, the network adapter named Network Adapter (selected with VMNetworkAdapterName) in the virtual machine Win2016 has all connections with the IP address 192.168.1.1 allowed:
    Add-VMNetworkAdapterAcl -VMName Win2016 -RemoteIPAddress 192.168.1.1 -Direction Both -Action Allow -VMNetworkAdapterName "Network Adapter"

  5. For bulk configuration of several virtual machines at the same time, filter with the Get-VM cmdlet and pipe the result to the action you want. The following example gets every virtual machine whose name starts with SRVDMZ and creates a rule to deny any connection from and to the IP address 131.107.1.1:
    Get-VM -Name SRVDMZ* | Add-VMNetworkAdapterAcl -RemoteIPAddress 131.107.1.1 -Direction Both -Action Deny

  6. To view all Port ACL rules per virtual machine, type the following command:
    Get-VMNetworkAdapterAcl


    The following screenshot shows a list with rules for every virtual machine:


    Configuring Port ACLs – Viewing Port ACL rules

  7. To remove an existing rule, use the Remove-VMNetworkAdapterAcl cmdlet with the same values that were used to create the rule. In this example, the rule from step 4 that allows connections in both directions is removed:
    Remove-VMNetworkAdapterAcl -VMName Win2016 -RemoteIPAddress 192.168.1.1 -Direction Both -Action Allow -VMNetworkAdapterName "Network Adapter"
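
The steps above, put together as one reviewable script. This is an added example and not code from the book: it applies the recipe's rule set (deny inbound from ANY, allow a single management host in both directions, deny outbound to one network) to one VM and then reads the result back from the switch instead of trusting that the commands succeeded. The VM name, adapter name, management host and blocked network are assumed values; the script also relies on the more specific single-host rule taking precedence over the ANY wildcard, which is how Port ACLs resolve overlapping rules, so confirm that behaviour on your host before depending on it.

```powershell
# Added example, not code from the book: apply the recipe's three rules to one VM
# as a reviewed set, then read the result back from the virtual switch.
# Assumed values (change them): VM "Win2016", adapter "Network Adapter",
# management host 192.168.1.1, blocked network 192.168.0.0/24.
#Requires -Modules Hyper-V
param(
    [string]$VMName      = 'Win2016',
    [string]$AdapterName = 'Network Adapter',
    [string]$MgmtHost    = '192.168.1.1',
    [string]$BlockedNet  = '192.168.0.0/24',
    [switch]$DryRun                      # print the rules instead of applying them
)

# Rules are data first so they can be reviewed (and kept in source control)
# before anything touches the adapter. Hyper-V does not use the order of the
# list: the more specific address ($MgmtHost, a single host) wins over ANY.
$rules = @(
    @{ RemoteIPAddress = 'ANY';       Direction = 'Inbound';  Action = 'Deny'  }
    @{ RemoteIPAddress = $MgmtHost;   Direction = 'Both';     Action = 'Allow' }
    @{ RemoteIPAddress = $BlockedNet; Direction = 'Outbound'; Action = 'Deny'  }
)

foreach ($r in $rules) {
    $params = @{
        VMName               = $VMName
        VMNetworkAdapterName = $AdapterName
        RemoteIPAddress      = $r.RemoteIPAddress
        Direction            = $r.Direction
        Action               = $r.Action
    }
    if ($DryRun) {
        Write-Output ("Would add: {0} {1} {2}" -f $r.Direction, $r.Action, $r.RemoteIPAddress)
    } else {
        Add-VMNetworkAdapterAcl @params
    }
}

if (-not $DryRun) {
    # Verify against what the switch actually holds, not against what was sent.
    $applied = @(Get-VMNetworkAdapterAcl -VMName $VMName -VMNetworkAdapterName $AdapterName)
    if ($applied.Count -lt $rules.Count) {
        Write-Warning ("Expected at least {0} rules on {1}, found {2}" -f $rules.Count, $VMName, $applied.Count)
    }
    $applied | Format-Table VMName, Direction, Action, RemoteAddress -AutoSize
}
```

Run it once with -DryRun to see the rule list without changing anything, then without the switch to apply it. Keeping the rules as a table makes the intended policy easy to diff in a change request, and the read-back at the end is what tells you the switch really carries the Deny you think it does.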
    

How it works…

Port ACLs are one of the Hyper-V features that can only be managed through PowerShell. The three main cmdlets for administering Port ACLs are as follows:

  • Add-VMNetworkAdapterAcl
  • Get-VMNetworkAdapterAcl
  • Remove-VMNetworkAdapterAcl

The first command, Add-VMNetworkAdapterAcl, is used to create new rules. To create them, the command needs inputs such as the VM name, action, direction, and remote IP address.

The Action parameter takes one of three values: Allow, Deny, or Meter. It defines what the rule actually does when the rule's attributes match the traffic.

The Direction parameter lets you choose in which direction the rule is applied. The available options are Inbound, Outbound, and Both.

The RemoteIPAddress or RemoteMacAddress parameter specifies the remote endpoint to which the rule applies. RemoteIPAddress accepts a single IP address or a network with its prefix length (such as 192.168.0.0/24), and RemoteMacAddress can be used to match a particular MAC address instead.

After creating the rules, you can use the Get-VMNetworkAdapterAcl cmdlet to view all existing rules. You can list every policy by simply typing Get-VMNetworkAdapterAcl, or use its parameters to filter the output by VM name, VM network adapter, computer name, management OS, or snapshot.

The cmdlet used to remove Port ACL rules is Remove-VMNetworkAdapterAcl. Its parameters are the same as those of Add-VMNetworkAdapterAcl: type the same command you used to add a rule and swap Add with Remove to delete that rule.
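
Because Get-VMNetworkAdapterAcl is the only way to see what the switch is enforcing, it is also the natural place to watch for unwanted changes. The following script is an added example, not code from the book: it flattens every VM's rules into one record each, writes a baseline file on the first run, and on later runs reports rules that appeared or disappeared, plus VMs that carry no Port ACLs at all. The baseline path is an assumed value, and the property names used (VMName, Direction, Action, RemoteAddress) are those shown in Get-VMNetworkAdapterAcl output.

```powershell
# Added example, not code from the book: snapshot every VM's Port ACLs into a
# baseline file and, on later runs, report rules that appeared or disappeared,
# plus VMs that have no Port ACLs at all.
#Requires -Modules Hyper-V
param([string]$Baseline = "$env:ProgramData\PortAclBaseline.csv")   # assumed path

# Flatten each rule to one record; Key holds exactly the attributes that
# Remove-VMNetworkAdapterAcl would need to delete that rule again.
$current = @(Get-VM | ForEach-Object { Get-VMNetworkAdapterAcl -VM $_ } | ForEach-Object {
    [pscustomobject]@{
        VMName        = $_.VMName
        Direction     = $_.Direction
        Action        = $_.Action
        RemoteAddress = $_.RemoteAddress
        Key           = '{0}|{1}|{2}|{3}' -f $_.VMName, $_.Direction, $_.Action, $_.RemoteAddress
    }
})

if (-not (Test-Path $Baseline)) {
    # First run: record what is there now so later runs have something to diff.
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Output "Baseline written to $Baseline ($($current.Count) rules)"
    return
}

$knownKeys   = @(Import-Csv $Baseline | Select-Object -ExpandProperty Key)
$currentKeys = @($current | Select-Object -ExpandProperty Key)

# A rule that vanished (a removed Deny) is at least as interesting as a new one.
foreach ($k in $currentKeys) { if ($k -notin $knownKeys)   { Write-Warning "ADDED    $k" } }
foreach ($k in $knownKeys)   { if ($k -notin $currentKeys) { Write-Warning "REMOVED  $k" } }

# VMs whose adapters carry no rules have no filtering at the virtual switch.
foreach ($vm in Get-VM) {
    if (-not (Get-VMNetworkAdapterAcl -VM $vm)) { Write-Warning "No Port ACLs on VM $($vm.Name)" }
}
```

Run it from a scheduled task on each Hyper-V host and forward the warnings to whatever collects your host logs; regenerate the baseline only after a reviewed change, so that the diff always represents something somebody did not plan.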

Port ACLs are very handy when you need to limit communication between virtual machines for a particular IP address or range. This is already common in server scenarios, but you no longer need to rely on physical devices such as switches or routers to do it.

Using these three PowerShell cmdlets, you can manage and automate all the basic Port ACL rules.

See also…

  • The Learning and utilizing basic commands in PowerShell recipe in Chapter 4, Saving Time and Cost with Hyper-V Automation