3.1.5.1.2 aclRules
The aclRules resource describes the network traffic that is allowed or denied for a network interface of a virtual machine. Currently, only inbound rules are expressed.
It is invoked through the following URI.

https://<url>/networking/v1/accessControlLists/{parentResourceId}/aclRules/{resourceId}

url: The address or name of the REST server of the Network Controller.
parentResourceId: The identifier for the specific ancestor resource within the resource type. See section 2.2.3.3 for more details.
resourceId: The identifier for the specific descendant resource within the resource type. See section 2.2.3.4 for more details.

Note: The server MAY support additional versions, besides v1, in the URI.
The following HTTP methods can be performed on this resource.

| HTTP method | Section | Description |
|---|---|---|
| PUT | | Create a new aclRules resource or update an existing aclRules resource. |
| GET | | Get one aclRules resource. |
| GET ALL | | List all aclRules resources in the Network Controller. |
| DELETE | | Delete an aclRules resource. |
The following property elements are valid.

| Element name | Type | Description |
|---|---|---|
| etag | Read-only | Specified in Common JSON Elements, section 2.2.2. |
| provisioningState | Read-only | Specified in Common JSON Elements, section 2.2.2. |
| action | Required | Indicates the action the ACL rule will take. Valid values are Allow or Deny. There is no default value since it is a required element. |
| description | Optional | Indicates a description of the ACL rule. |
| destinationAddressPrefix | Required | Indicates the classless inter-domain routing (CIDR) value of the destination IP, or a pre-defined tag, to which traffic is destined. You can specify 0.0.0.0/0 for all IPv4 traffic and ::/0 for all IPv6 traffic. The asterisk (*) can be specified for all IPv4 and IPv6 traffic combined. Pre-defined tags can also be used within aclRules that are applied to virtual subnets or to IP configurations of virtual subnets. Pre-defined tags cannot be applied to IP configurations of logical subnets. Valid pre-defined TAG values are VIRTUALNETWORK, INTERNET, or AZURELOADBALANCER. VIRTUALNETWORK - This tag denotes all of your virtual network address space. INTERNET - This tag denotes the IP address space that is outside the virtual network and reachable from the public Internet. AZURELOADBALANCER - This tag denotes the datacenter IP addresses from which the load balancer health probes originate. |
| destinationPortRange | Required | Indicates the destination ports that will trigger this ACL rule. Valid values include a single port, a port range separated by a hyphen (-), or an asterisk (*) for all ports. All numbers are inclusive. Example: 80, 80-80, 80-81, * |
| logging | Required | Indicates whether logging will be turned on when this rule is triggered. Valid values are Enabled or Disabled. The default value is Enabled. |
| priority | Required | Indicates the priority of the rule relative to the priority of other ACL rules. This is a unique numeric value in the context of an accessControlLists resource. Values from 101 to 65000 are user defined. Values 1 to 100 and 65001 to 65535 are reserved. |
| | Required | Indicates the protocol to which the ACL rule will apply. Allowed values are TCP, UDP, ICMPv4, ICMPv6, and *. The asterisk (*) means any protocol. ICMPv4 and ICMPv6 are supported with URI version v3 or later. |
| sourceAddressPrefix | Required | Indicates the CIDR value of the source IP, or a pre-defined TAG, from which traffic originates. You can specify 0.0.0.0/0 for all IPv4 traffic and ::/0 for all IPv6 traffic. The asterisk (*) can be specified for all IPv4 and IPv6 traffic combined. Valid pre-defined TAG values are VIRTUALNETWORK, INTERNET, or AZURELOADBALANCER. VIRTUALNETWORK - This tag denotes all of your virtual network address space. INTERNET - This tag denotes the IP address space that is outside the virtual network and reachable from the public Internet. AZURELOADBALANCER - This tag denotes the datacenter IP addresses from which the load balancer health probes originate. |
| sourcePortRange | Required | Indicates the source ports that will trigger this ACL rule. Valid values include a single port, a port range separated by a hyphen (-), or an asterisk (*) for all ports. All numbers are inclusive. Example: 80, 80-80, 80-81, * |
| type | Required | Indicates whether the rule is to be evaluated against ingress traffic (Inbound) or egress traffic (Outbound). Valid values are Inbound or Outbound. There is no default value since it is a required element. |
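The following is an added client-side validator, not part of the specification or of any Network Controller implementation, that checks one rule's property elements against the value constraints in the table above before a PUT is issued; it assumes the elements arrive as a flat dictionary keyed by element name and uses "protocol" as the key for the protocol element, whose name is left blank in the table. It also flags, beyond the spec, an Allow rule that matches every source, port and protocol, which is the first thing a reviewer of an ACL would want surfaced.

```python
import ipaddress
TAGS = {"VIRTUALNETWORK", "INTERNET", "AZURELOADBALANCER"}
# "protocol" as a key name is assumed; the element name is blank in the table above.
ENUMS = {"action": ("Allow", "Deny"), "type": ("Inbound", "Outbound"),
         "logging": ("Enabled", "Disabled"), "protocol": ("TCP", "UDP", "ICMPv4", "ICMPv6", "*")}
REQUIRED = tuple(ENUMS) + ("priority", "sourceAddressPrefix", "sourcePortRange",
                           "destinationAddressPrefix", "destinationPortRange")

def valid_prefix(value):
    """CIDR prefix, one of the pre-defined tags, or '*' (all IPv4 and IPv6 traffic)."""
    if value == "*" or value in TAGS:
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def valid_port_range(value):
    """Single port, 'low-high' (inclusive, low <= high), or '*' for all ports."""
    if value == "*":
        return True
    parts = value.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    low, high = int(parts[0]), int(parts[-1])
    return low <= high <= 65535

def validate_acl_rule(props):
    """Return the problems found in one rule's property elements; [] means it passes."""
    errors = [f"missing required element {k}" for k in REQUIRED if k not in props]
    if errors:
        return errors
    for k, allowed in ENUMS.items():
        if props[k] not in allowed:
            errors.append(f"{k} must be one of {', '.join(allowed)}")
    if not (isinstance(props["priority"], int) and 101 <= props["priority"] <= 65000):
        errors.append("priority must be a user-defined value from 101 to 65000")
    for k in ("sourceAddressPrefix", "destinationAddressPrefix"):
        if not valid_prefix(props[k]):
            errors.append(f"{k} must be a CIDR prefix, a pre-defined tag or *")
    for k in ("sourcePortRange", "destinationPortRange"):
        if not valid_port_range(props[k]):
            errors.append(f"{k} must be a port, a low-high range or *")
    # Hygiene check beyond the spec: an Allow that matches every source, port and protocol.
    if (props["action"] == "Allow" and props["protocol"] == "*" and props["destinationPortRange"] == "*"
            and props["sourceAddressPrefix"] in ("*", "0.0.0.0/0", "::/0")):
        errors.append("overly permissive: Allow from any source to all ports and protocols")
    return errors
```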