Using network limitations to limit access between computers and networks, even in virtual environments, is common practice. For instance, let's say you need to deny network access by a particular IP address or virtual machine to another virtual machine or to an entire network. In earlier versions of Hyper-V, you would have needed additional software or a network device to define these rules, making it more complicated and expensive.
Since Windows 2012, Hyper-V has supported a feature called Port ACLs, which enforces policies to block or allow network traffic on a virtual machine, IP address, or network range. These policies are created via PowerShell, and administrators can use them to control network traffic sent and received through the Hyper-V virtual switch.
Port ACLs will act as a network firewall and can be used to define the direction, address, and action for network rules.
This recipe will demonstrate how to create and analyze Port ACLs by using Hyper-V.
Before starting to create the Port ACLs rules, make sure your network infrastructure (such as subnets, routers, and IP address) is configured and working properly.
In the following steps, you will be shown how to use the Port ACLs cmdlets to add, visualize, and remove rules for virtual machines:
1. Open Windows PowerShell.
2. Run the Add-VMNetworkAdapterAcl command, specifying the virtual machine after VMName and the network range after RemoteIPAddress. The following example denies the virtual machine named Win2016 outbound connections to any IP in the 192.168.0.0/24 network:
   Add-VMNetworkAdapterAcl -VMName Win2016 -RemoteIPAddress 192.168.0.0/24 -Direction Outbound -Action Deny
3. In the following example, the virtual machine Win2016 has inbound connections denied from ANY remote IP address:
   Add-VMNetworkAdapterAcl -VMName Win2016 -RemoteIPAddress ANY -Direction Inbound -Action Deny
4. In the next example, the adapter named Network Adapter in the virtual machine Win2016 has all connections allowed when the remote IP address is 192.168.1.1 (the adapter is selected with the VMNetworkAdapterName parameter):
   Add-VMNetworkAdapterAcl -VMName Win2016 -RemoteIPAddress 192.168.1.1 -Direction Both -Action Allow -VMNetworkAdapterName "Network Adapter"
5. To apply a rule to several virtual machines at once, pipe the output of the Get-VM cmdlet into Add-VMNetworkAdapterAcl and add the actions you want. The following example gets every virtual machine whose name starts with SRVDMZ and creates a rule to deny any connection from and to the IP address 131.107.1.1:
   Get-VM -Name SRVDMZ* | Add-VMNetworkAdapterAcl -RemoteIPAddress 131.107.1.1 -Direction Both -Action Deny
6. To list the rules that exist, use Get-VMNetworkAdapterAcl. The following screenshot shows a list with rules for every virtual machine:
   Get-VMNetworkAdapterAcl
7. To remove a rule, use Remove-VMNetworkAdapterAcl with the same parameters that were used to create it. In this example, the rule that allows connections in both directions (created in step 4) is removed:
   Remove-VMNetworkAdapterAcl -VMName Win2016 -RemoteIPAddress 192.168.1.1 -Direction Both -Action Allow -VMNetworkAdapterName "Network Adapter"
Port ACLs is one of the features that can only be managed by using PowerShell. The three main commands to administer Port ACLs are as follows:
Add-VMNetworkAdapterAcl
Get-VMNetworkAdapterAcl
Remove-VMNetworkAdapterAcl
The first command, Add-VMNetworkAdapterAcl, is used to create new rules. To create them, the command needs inputs such as the VM name, action, direction, and remote IP address.
The Action parameter can have one of three values: Allow, Deny, and Meter. It defines what the rule actually does when the policy attributes match (Meter does not block traffic; it counts the traffic that matches the rule).
The Direction parameter lets you choose the direction in which the rule is applied. The available options are Inbound, Outbound, and Both.
The RemoteIPAddress or RemoteMacAddress parameter specifies the remote endpoint to which the rule applies. RemoteIPAddress accepts a single IP address or an IP address with a prefix length (for example, 192.168.0.0/24), and RemoteMacAddress can be used to specify a particular MAC address.
After creating the rules, you can use the Get-VMNetworkAdapterAcl command to view all existing rules. You can see all policies by simply typing Get-VMNetworkAdapterAcl, or you can filter them by VM name, VM network adapter, computer name, management OS, and snapshot using the corresponding parameters.
The command used to remove Port ACLs rules is Remove-VMNetworkAdapterAcl. Its parameters are the same as those of Add-VMNetworkAdapterAcl: you can type the same command that was used to add a rule and just swap Add with Remove to remove the existing rule.
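The following script is an added example, not part of the recipe, that combines the three cmdlets into a default-deny policy for one virtual machine: a broad inbound Deny, a narrower Allow for a management subnet, a Meter rule to count outbound traffic, an audit pass over the resulting rules, and a scoped removal. The VM name, adapter name and subnet are placeholders, and the way Get-VMNetworkAdapterAcl represents a wildcard (ANY) remote address in its RemoteAddress and RemoteAddressType properties is an assumption noted in the comments.

```powershell
# Added example (not from the recipe). Assumed values: VM name, adapter name, management subnet.
$VMName      = 'Win2016'          # assumed VM name
$AdapterName = 'Network Adapter'  # default adapter name on a new VM
$MgmtSubnet  = '192.168.1.0/24'   # assumed management subnet

# 1. Broad rule: deny every inbound connection on this adapter.
Add-VMNetworkAdapterAcl -VMName $VMName -VMNetworkAdapterName $AdapterName `
    -RemoteIPAddress ANY -Direction Inbound -Action Deny

# 2. Narrow rule: allow only the management subnet inbound. Hyper-V applies the most
#    specific (longest prefix) matching rule, so this overrides the ANY deny for that subnet only.
Add-VMNetworkAdapterAcl -VMName $VMName -VMNetworkAdapterName $AdapterName `
    -RemoteIPAddress $MgmtSubnet -Direction Inbound -Action Allow

# 3. Meter (count, do not block) all outbound traffic, so unexpected egress becomes
#    visible in the MeteredMegabytes property during a review.
Add-VMNetworkAdapterAcl -VMName $VMName -VMNetworkAdapterName $AdapterName `
    -RemoteIPAddress ANY -Direction Outbound -Action Meter

# Audit: show the rules that now exist on the VM.
Get-VMNetworkAdapterAcl -VMName $VMName |
    Select-Object VMName, VMNetworkAdapterName, Direction, Action, RemoteAddress, MeteredMegabytes |
    Format-Table -AutoSize

# Audit: flag any Allow rule that is not scoped to a specific remote address.
# Assumption: a wildcard remote address shows up as RemoteAddressType 'Wildcard*'
# or as one of the literal values listed below.
$broadAllows = Get-VMNetworkAdapterAcl -VMName $VMName |
    Where-Object {
        $_.Action -eq 'Allow' -and
        ($_.RemoteAddressType -like 'Wildcard*' -or $_.RemoteAddress -in @('ANY', '0.0.0.0/0', '::/0'))
    }
if ($broadAllows) {
    Write-Warning "Unscoped Allow rules found on $VMName; review them before leaving the VM in service."
}

# Rollback of one rule only: pipe the matching ACL objects to Remove-VMNetworkAdapterAcl
# instead of retyping the parameters, so the removal cannot drift from what was added.
Get-VMNetworkAdapterAcl -VMName $VMName |
    Where-Object { $_.Action -eq 'Meter' } |
    Remove-VMNetworkAdapterAcl
```

Run it in an elevated Windows PowerShell session on the Hyper-V host (the Hyper-V module must be installed). Ordering the broad Deny before the narrow Allow does not matter for evaluation, because precedence is decided by prefix length rather than by creation order, but keeping the pair together in the script makes the intended policy readable.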
Port ACLs will be very handy when you need to limit the communication for a particular IP address (or range) between virtual machines. This is already common in server scenarios, but now you don't need to rely on physical devices such as switches or routers to do so.
Using these three PowerShell cmdlets, you will be able to manage and automate all the basic Port ACLs rules.