Use default network access policies on virtual machines on Azure Local, version 23H2

Applies to: Azure Local, version 23H2

Applies to: Windows Server 2025

This article describes how to enable default network access policies and assign them to virtual machines (VMs).

Default network policies can be used to protect virtual machines running from external unauthorized attacks. These policies block all inbound access to virtual machines (except the specified management ports you want enabled) while allowing all outbound access. Use these policies to ensure that your workload VMs have access to only required assets, making it difficult for the threats to spread laterally.

Note

In this release, you can enable and assign default network policies through the Windows Admin Center.

Prerequisites

Complete the following prerequisites to use network access policies:

Assign default network policies to a VM

You can attach default policies to a VM in two ways:

  • During VM creation. You need to attach the VM to a logical network (traditional VLAN network) or an SDN virtual network.
  • Post VM creation.

Create and attach networks

Depending on the type of network you want to attach your VM to, steps might be different.

  • Attach VMs to a physical network: Create one or more logical networks to represent those physical networks. A logical network is just a representation of one or more physical networks available to Azure Local. For more information, see how to Create a logical network.

  • Attach VMs to a SDN virtual network: Create a virtual network before you create the VM. For more information, see how to Create a virtual network.

Attach VM to a logical network

After you have created a logical network in Windows Admin Center, you can create a VM in Windows Admin Center and attach it to the logical network. As part of VM creation, select the Isolation Mode as Logical Network, select the appropriate Logical Subnet under the Logical Network, and provide an IP address for the VM.

Note

Unlike in Azure Local, version 22H2, you can no longer connect a VM directly to a VLAN using Windows Admin Center. Instead, you must create a logical network representing the VLAN, create a logical network subnet with the VLAN, and then attach the VM to the logical network subnet.

Note

You must create a logical network representing the VLAN, create a logical network subnet with the VLAN, and then attach the VM to the logical network subnet.

Here's an example that explains how you can attach your VM directly to a VLAN when Network Controller is installed. In this example, we demonstrate how to connect your VM to VLAN 5:

  1. Create a logical network with any name. Ensure that Network Virtualization is disabled.

  2. Add a logical subnet with any name. Provide the VLAN ID (5) when creating the subnet.

  3. Apply the changes.

  4. When creating a VM, attach it to the logical network and logical network subnet created earlier. For more information, see how to Create a logical network.

    Screenshot showing how to attach VM directly to VLAN.

Apply default network policies

When you create a VM through Windows Admin Center, you see a Security level setting.

Screenshot showing the three security level options for VMs in Windows Admin Center.

You have three options:

  • No protection - Choose this option if you don't want to enforce any network access policies to your VM. When this option is selected, all ports on your VM are exposed to external networks posing a security risk. This option isn't recommended.

    Screenshot showing the No protection option selected for VMs in Windows Admin Center.

  • Open some ports - Choose this option to go with default policies. The default policies block all inbound access and allow all outbound access. You can optionally enable inbound access to one or more well defined ports, for example, HTTP, HTTPS, SSH, or RDP as per your requirements.

    Screenshot showing the ports that can be opened on VMs specified during VM creation in Windows Admin Center.

  • Use existing NSG - Choose this option to apply custom policies. You specify a Network Security Group (NSG) that you've already created.

    Screenshot showing the existing network security group selected during VM creation in Windows Admin Center.

VMs created outside of Windows Admin Center

You might encounter issues when you create VMs outside of Windows Admin Center and you have enabled default network access policies. For example, you've enabled default network access policies and created VMs using Hyper-V UI or New-VM PowerShell cmdlet.

  • The VMs might not have network connectivity. Since the VM is being managed by a Hyper-V switch extension called Virtual Filtering Platform (VFP) and by default, the Hyper-V port connected to the VM is in blocked state.

    To unblock the port, run the following commands from a PowerShell session on a Hyper-V host where the VM is located:

    1. Run PowerShell as an administrator.

    2. Download and install the SdnDiagnostics module. Run the following command:

      Install-Module -Name SdnDiagnostics
      

      Alternatively, if already installed then use the following command:

      Update-Module -Name SdnDiagnostics
      

      Accept all prompts to install from PowerShell Gallery.

    3. Confirm if VFP port is applied to the VM

      Get-SdnVMNetworkAdapterPortProfile -VMName <VMName>
      

      Ensure that VFP port profile information is returned for the adapter. If not, then proceed with associating a port profile.

    4. Specify the ports to be unblocked on the VM.

      Set-SdnVMNetworkAdapterPortProfile -VMName <VMName> -MacAddress <MACAddress> -ProfileId ([guid]::Empty) -ProfileData 2
      
  • The VM doesn't have default network policies applied. Since this VM was created outside Windows Admin Center, the default policies for the VM aren't applied, and the Network Settings for the VM doesn't display correctly. To rectify this issue, follow these steps:

    In Windows Admin Center, Create a logical network. Create a subnet under the logical network and provide no VLAN ID or subnet prefix. Then, attach a VM to the logical network using the following steps:

    1. Under Tools, scroll down to the Networking area, and select Virtual machines

    2. Select the Inventory tab, select the VM, and then select Settings.

    3. On the Settings page, select Networks.

    4. For Isolation Mode, select Logical Network.

    5. Select the Logical network and Logical subnet that you created earlier.

      1. For Security level, you have two options:

        1. No Protection: Choose this if you don't want any network access policies for your VMs.
        2. Use existing NSG: Choose this if you want to apply network access policies for your VMs. You can either create a new NSG and attach it to the VM or you can attach any existing NSG to the VM.

    Screenshot showing how to enable default network to VLAN.

  • The VM doesn't have default network policies applied. Since this VM was created outside Windows Admin Center, the default policies for the VM aren't applied, and the Network Settings for the VM doesn't display correctly. To rectify this issue, follow these steps:

    In Windows Admin Center, Create a logical network. Create a subnet under the logical network and provide no VLAN ID or subnet prefix. Then, attach a VM to the logical network using the following steps:

    1. Under Tools, scroll down to the Networking area, and select Virtual machines

    2. Select the Inventory tab, select the VM, and then select Settings.

    3. On the Settings page, select Networks.

    4. For Isolation Mode, select Logical Network.

    5. Select the Logical network and Logical subnet that you created earlier.

      1. For Security level, you have two options:

        1. No Protection: Choose this if you don't want any network access policies for your VMs.
        2. Use existing NSG: Choose this if you want to apply network access policies for your VMs. You can either create a new NSG and attach it to the VM or you can attach any existing NSG to the VM.

    Screenshot showing how to enable default network to VLAN.

Next steps

Learn more about: