Jaa


Using Port ACLs in Hyper-V 2012

Hi,

recently, I had an issue where it was needed to carefully control which machines can talk to each other by using a feature in Server 2012: Port Access Contol Lists (ACLs)

The feature is described in https://technet.microsoft.com/en-us/library/jj679878.aspx but might require more explanation. You can use the ACLs on MacAddresses or IPAddresses and additionaly specify Local or Remote. This should be considered Local or Remote from the VMs perspective. So the example in the above link actually disables all MacAddresses but only allows one local Mac inside the VM (and it is missing one Byte)

Let me give you another example, that limits the IP traffic to only one other machines.

W12testvm1 has IP 10.0.0.131 and it should only communicate with W12testvm2 which has IP 10.0.0.160
The PS commands are issued on the host running w12testvm1

1. „Block all IPs outgoing from w12testvm1“
add-VMNetworkAdapterAcl  -VMName w12testvm1 -LocalIPAddress any -Direction Both -Action deny

2. „Allow the IP of w12testvm1 to be sent and received“
  add-VMNetworkAdapterAcl  -VMName w12testvm1 -LocalIPAddress 10.0.0.131 -Direction Both -Action allow

3. „Block all IPs incoming to w12testvm1 “
add-VMNetworkAdapterAcl  -VMName w12testvm1 -RemoteIPAddress any -Direction Both -Action deny

4. „Allow only the IP of w12testvm2 incomming“
add-VMNetworkAdapterAcl  -VMName w12testvm1 -RemoteIPAddress 10.0.0.160 -Direction Both -Action allow

 To now query the current setting use

PS C:\Windows\system32> Get-VMNetworkAdapterAcl -VMName w12testvm1

VMName: w12testvm1

Direction    Address                                                  Action           
---------        -------                                                      ------           
Inbound      Local  10.0.0.131                                   Allow            
Inbound      Local  0.0.0.0/0                                      Deny             
Inbound      Local  ::/0                                               Deny             
Inbound      Remote ::/0                                            Deny             
Inbound      Remote 10.0.0.160                                Allow            
Inbound      Remote 0.0.0.0/0                                   Deny             
Outbound     Local  ::/0                                             Deny             
Outbound     Local  10.0.0.131                                 Allow            
Outbound     Local  0.0.0.0/0                                    Deny             
Outbound     Remote ::/0                                          Deny             
Outbound     Remote 0.0.0.0/0                                 Deny             
Outbound     Remote 10.0.0.160                              Allow

Hope you find this usefull

Cheers
Robert