Creating Access Control List (ACL) management for NNI and layer 3 isolation domain external networks
Access Control Lists (ACLs) are a set of rules that regulate inbound and outbound packet flow within a network. Azure's Nexus Network Fabric service offers an API-based mechanism to configure ACLs for network-to-network interconnects and layer 3 isolation domain external networks. This guide outlines the steps to create ACLs.
Creating Access Control Lists (ACLs)
To create an ACL and define its properties, you can utilize the az networkfabric acl create command. Below are the steps involved:
Prerequisites
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
- Set subscription (if necessary):
If you have multiple subscriptions and need to set one as the default, you can do so with:
az account set --subscription <subscription-id>
- Create ACL:
az networkfabric acl create --resource-group "<resource-group>" --location "<location>" --resource-name "<acl-name>" --annotation "<annotation>" --configuration-type "<configuration-type>" --default-action "<default-action>" --match-configurations "[{matchConfigurationName:<match-config-name>,sequenceNumber:<sequence-number>,ipAddressType:<IPv4/IPv6>,matchConditions:[{ipCondition:{type:<SourceIP/DestinationIP>,prefixType:<Prefix/Exact>,ipPrefixValues:['<ip-prefix1>', '<ip-prefix2>', ...]}}],actions:[{type:<Action>}]}]"
| Parameter | Description |
|---|---|
| Resource Group | Specify the resource group of your network fabric. |
| Location | Define the location where the ACL is created. |
| Resource Name | Provide a name for the ACL. |
| Annotation | Optionally, add a description or annotation for the ACL. |
| Configuration Type | Specify whether the configuration is inline or by using a file. |
| Default Action | Define the default action to be taken if no match is found. |
| Match Configurations | Define the conditions and actions for traffic matching. |
| Actions | Specify the action to be taken based on match conditions. |
Parameters usage guidance
The table below provides guidance on the usage of parameters when creating ACLs:
| Parameter | Description | Example or Range |
|---|---|---|
| defaultAction | Defines default action to be taken | "defaultAction": "Permit" |
| resource-group | Resource group of network fabric | nfresourcegroup |
| resource-name | Name of ACL | example-ingressACL |
| vlanGroups | List of VLAN groups | |
| vlans | List of VLANs that need to be matched | |
| match-configurations | Name of match configuration | example_acl |
| matchConditions | Conditions required to be matched | |
| ttlValues | TTL [Time To Live] | 0-255 |
| dscpMarking | DSCP Markings that need to be matched | 0-63 |
| fargments | Specify the IP fragment packets | Range: 1-8191 Example: [1, 5, 1250-1300, 8000-8191] |
| portCondition | Port condition that needs to be matched | |
| portType | Port type that needs to be matched | Example: SourcePort |
| ports | Port number that needs to be matched | Range: 0-65535 Example: [1, 10, 500, 1025-1050, 64000-65535] |
| protocolTypes | Protocols that need to be matched | [tcp, udp, range[1-2, 1, 2]] |
| vlanMatchCondition | VLAN match condition that needs to be matched | |
| layer4Protocol | Layer 4 Protocol | should be either TCP or UDP |
| ipCondition | IP condition that needs to be matched | |
| actions | Action to be taken based on match condition | Example: permit |
| configuration-type | Configuration type (inline or file) | Example: inline |
Note
- Inline ports and inline VLANs are statically defined using azcli.
- PortGroupNames and VlanGroupNames are dynamically defined.
- Combining inline ports with portGroupNames is not allowed, similarly for inline VLANs and VLANGroupNames.
- IPGroupNames and IpPrefixValues cannot be combined.
- Egress ACLs do not support certain options like IP options, IP length, fragment, ether-type, DSCP marking, and TTL values.
- Ingress ACLs do not support the following options: etherType.
- Ports inputs can be
port-numberorrange-of-ports. - Fragments inputs can be
port-numberorrange-of-ports. - ACL with dynamic match configuration on eternal networks is not supported.
Example payload for ACL creation
az networkfabric acl create --resource-group "example-rg" --location "eastus2euap" --resource-name "example-Ipv4ingressACL" --annotation "annotation" --configuration-type "Inline" --default-action "Deny" --match-configurations "[{matchConfigurationName:example-match,sequenceNumber:1110,ipAddressType:IPv4,matchConditions:[{ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['10.18.0.124/30','10.18.0.128/30','10.18.30.16/30','10.18.30.20/30']}},{ipCondition:{type:DestinationIP,prefixType:Prefix,ipPrefixValues:['10.18.0.124/30','10.18.0.128/30','10.18.30.16/30','10.18.30.20/30']}}],actions:[{type:Count}]}]"
Example output
{
"administrativeState": "Disabled",
"annotation": "annotation",
"configurationState": "Succeeded",
"configurationType": "Inline",
"defaultAction": "Deny",
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Fab3LabNF-4-0/providers/Microsoft.ManagedNetworkFabric/accessControlLists/L3domain091123-Ipv4egressACL",
"location": "eastus2euap",
"matchConfigurations": [
{
"actions": [
{
"type": "Count"
}
],
"ipAddressType": "IPv4",
"matchConditions": [
{
"ipCondition": {
"ipPrefixValues": [
"10.18.0.124/30",
"10.18.0.128/30",
"10.18.30.16/30",
"10.18.30.20/30"
],
"prefixType": "Prefix",
"type": "SourceIP"
}
},
{
"ipCondition": {
"ipPrefixValues": [
"10.18.0.124/30",
"10.18.0.128/30",
"10.18.30.16/30",
"10.18.30.20/30"
],
"prefixType": "Prefix",
"type": "DestinationIP"
}
}
],
"matchConfigurationName": "example-Ipv4ingressACL ",
"sequenceNumber": 1110
}
],
"name": "example-Ipv4ingressACL",
"provisioningState": "Succeeded",
"resourceGroup": "Fab3LabNF-4-0",
"systemData": {
"createdAt": "2023-09-11T10:20:20.2617941Z",
"createdBy": "user@email.com",
"createdByType": "User",
"lastModifiedAt": "2023-09-11T10:20:20.2617941Z",
"lastModifiedBy": "user@email.com",
"lastModifiedByType": "User"
},
"type": "microsoft.managednetworkfabric/accesscontrollists"
}
Note
After creating the ACL, make sure to note down the ACL reference ID for further reference.