3.1.5.1.2 aclRules
The aclRules resource describes the network traffic that is allowed or denied for a network interface of a virtual machine. Currently, only inbound rules are expressed.
It is invoked through the following URI.
https://<url>/networking/v1/accessControlLists/{parentResourceId}/aclRules/{resourceId}
url: The address or name of the REST server of the Network Controller.
parentResourceId: the identifier for the specific ancestor resource within the resource type. See section 2.2.3.3 for more details.
resourceId: the identifier for the specific descendant resource within the resource type. See section 2.2.3.4 for more details.
Note: The server MAY support additional versions, v1 or later, in the URI.
The following HTTP methods can be performed on this resource.
| HTTP method | Section | Description |
|---|---|---|
| PUT | | Create a new aclRules resource or update an existing aclRules resource. |
| GET | | Get one aclRules resource. |
| GET ALL | | List all aclRules resources in the Network Controller. |
| DELETE | | Delete an aclRules resource. |
The following property elements are valid.
| Element name | Type | Description |
|---|---|---|
| etag | Read-only | Specified in Common JSON Elements, section 2.2.2. |
| provisioningState | Read-only | Specified in Common JSON Elements, section 2.2.2. |
| action | Required | Indicates the action the ACL rule will take. Valid values are Allow or Deny. There is no default value because it is a required element. |
| description | Optional | Indicates a description of the ACL rule. |
| destinationAddressPrefix | Required | Indicates the classless inter-domain routing (CIDR) value of the destination IP, or a pre-defined tag, to which traffic is destined. You can specify 0.0.0.0/0 for all IPv4 traffic and ::/0 for all IPv6 traffic. The asterisk (*) can be specified for all IPv4 and IPv6 traffic combined. Pre-defined tags can also be used within aclRules that are applied to virtual subnets or to IP configurations of virtual subnets. Pre-defined tags cannot be applied to IP configurations of logical subnets. Valid pre-defined TAG values are VIRTUALNETWORK, INTERNET, or AZURELOADBALANCER. VIRTUALNETWORK: this tag denotes all of your virtual network address space. INTERNET: this tag denotes the IP address space that is outside the virtual network and reachable from the public Internet. AZURELOADBALANCER: this tag denotes the datacenter IP addresses from which the load balancer health probes originate. |
| destinationSecurityTags | Optional | An array of securityTags resources that acts as the destination field of the ACL rule. The IP addresses of the network interfaces associated with the security tags are concatenated and assigned to the destination IP field of the ACL rule. This field MUST NOT be included, or MUST be an empty array, if the property destinationAddressPrefix contains at least one address prefix. This property is supported in URI version v5 or later. |
| destinationPortRange | Required | Indicates the destination ports that will trigger this ACL rule. Valid values include a single port, a port range separated by a hyphen (-), or an asterisk (*) for all ports. All numbers are inclusive. Example: 80, 80-80, 80-81, * |
| logging | Required | Indicates whether logging will be turned on when this rule is triggered. Valid values are Enabled or Disabled. The default value is Enabled. |
| priority | Required | Indicates the priority of the rule relative to the priority of other ACL rules. This is a unique numeric value in the context of an accessControlLists resource. Values from 101 to 65000 are user defined. Values 1 to 100 and 65001 to 65535 are reserved. |
| protocol | Required | Indicates the protocol to which the ACL rule will apply. Allowed values are TCP, UDP, HTTP, ICMPv4, ICMPv6, and All. The value "All" means any protocol. ICMPv4 and ICMPv6 are supported with URI version v3 or later. |
| sourceAddressPrefix | Required | Indicates the CIDR value of the source IP, or a pre-defined TAG, from which traffic originates. You can specify 0.0.0.0/0 for all IPv4 traffic and ::/0 for all IPv6 traffic. The asterisk (*) can be specified for all IPv4 and IPv6 traffic combined. Valid pre-defined TAG values are VIRTUALNETWORK, INTERNET, or AZURELOADBALANCER. VIRTUALNETWORK: this tag denotes all of your virtual network address space. INTERNET: this tag denotes the IP address space that is outside the virtual network and reachable from the public Internet. AZURELOADBALANCER: this tag denotes the datacenter IP addresses from which the load balancer health probes originate. |
| sourceSecurityTags | Optional | An array of securityTags resources that acts as the source field of the ACL rule. The IP addresses of the network interfaces associated with the security tags are concatenated and assigned to the source IP field of the ACL rule. This field MUST NOT be included, or MUST be an empty array, if the property sourceAddressPrefix contains at least one address prefix. This property is supported in URI version v5 or later. |
| sourcePortRange | Required | Indicates the source ports that will trigger this ACL rule. Valid values include a single port, a port range separated by a hyphen (-), or an asterisk (*) for all ports. All numbers are inclusive. Example: 80, 80-80, 80-81, * |
| type | Required | Indicates whether the rule is to be evaluated against ingress traffic (Inbound) or egress traffic (Outbound). Valid values are Inbound or Outbound. There is no default value because it is a required element. |