Allow and block VM traffic using SDN port ACLs
Important
This version of Virtual Machine Manager (VMM) has reached the end of support. We recommend that you upgrade to VMM 2022.
In System Center Virtual Machine Manager (VMM), you can centrally configure and manage software defined network (SDN) port access control lists (ACLs).
- A port ACL is a set of port ACL rules that filter the traffic at layer 2 port level.
- A port ACL in VMM filters access to a specific VMM network object.
- Each VMM network object can have only one port ACL attached.
- An ACL contains rules and can be attached to any number of VMM network objects. You can create an ACL without rules, and add the rules later.
- If an ACL has multiple rules, they're evaluated in priority order. Once a rule matches the traffic and is applied, no further rules are processed, so a rule with a lower priority number takes precedence over any overlapping rule with a higher number.
- SDN Port ACLs can be applied to virtual subnets and virtual network adapters.
Note
Port ACL settings are exposed only through PowerShell cmdlets in VMM and can't be configured in the VMM console.
Using VMM PowerShell, you can also configure Hyper-V port ACLs. For more information, see Hyper-V port ACLs.
This article provides information on how to create and manage SDN port ACLs by using the VMM PowerShell cmdlets.
Before you start
Ensure that SDN network controller is deployed.
Create a port ACL
Open PowerShell in VMM.
Create a port ACL.
PS C:\> New-SCPortACL -Name "RDPAccess" -Description "PortACL to control RDP access" -ManagedByNC
Note
The parameter -ManagedByNC ensures that the port ACL is managed by Network Controller (NC) and can only be attached to NC managed objects. The cmdlets provided here use example values.
Create a port ACL rule
Get an existing port ACL.
PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
Create a port ACL rule.
PS C:\> New-SCPortACLRule -Name "AllowRDPAccess" -PortACL $portACL -Description "Allow RDP Rule from a subnet" -Action Allow -Type Inbound -Priority 110 -Protocol Tcp -LocalPortRange 3389 -RemoteAddressPrefix 10.184.20.0/24
Note
- Priority range for SDN port ACL rules: 1 – 64500.
- Only the TCP, UDP, and Any protocol values are supported when creating ACL rules.
Attach an ACL to a virtual network adapter
Get the virtual network adapter.
PS C:\> $vm = Get-SCVirtualMachine -Name "TenantVM"
PS C:\> $adapter = Get-SCVirtualNetworkAdapter -VM $vm
Attach an existing port ACL to the virtual network adapter.
PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
PS C:\> Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -PortACL $portACL
Note
You can also attach a port ACL while creating the virtual network adapter with the New-SCVirtualNetworkAdapter cmdlet.
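The following script is an added example, not part of the original article, that strings the create, rule and attach steps together the way a practitioner would: an explicit allow for RDP from a management subnet placed above a catch-all inbound deny, with a check that no allow rule is shadowed by the deny (first match wins, so an allow with a higher priority number than the deny would never be reached). The subnet and VM name are constructed values; -Action Deny, -Protocol Any, the -PortACL parameter of Get-SCPortACLRule and the rule object's Priority/Action/Name properties are assumed from the cmdlet documentation rather than shown on this page.

```powershell
# Added example: explicit allow above a default deny, then verify the rule order
# before attaching. Values below are constructed for illustration.
$mgmtSubnet = "10.184.20.0/24"   # constructed: subnet allowed to reach RDP
$vmName     = "TenantVM"         # constructed: tenant VM to protect

# 1. Create the NC-managed port ACL with no rules yet.
$portACL = New-SCPortACL -Name "TenantVM-Inbound" `
    -Description "Allow RDP from management, deny all other inbound" -ManagedByNC

# 2. Explicit allow: low priority number means it is evaluated first.
New-SCPortACLRule -Name "AllowRDPFromMgmt" -PortACL $portACL `
    -Description "RDP from management subnet only" `
    -Action Allow -Type Inbound -Priority 110 -Protocol Tcp `
    -LocalPortRange 3389 -RemoteAddressPrefix $mgmtSubnet | Out-Null

# 3. Catch-all deny near the bottom of the 1-64500 range so every allow sits above it.
#    -Action Deny and -Protocol Any are assumed to be accepted by the cmdlet.
New-SCPortACLRule -Name "DenyAllInbound" -PortACL $portACL `
    -Description "Default deny for anything not explicitly allowed" `
    -Action Deny -Type Inbound -Priority 64000 -Protocol Any | Out-Null

# 4. Sanity check: any Allow rule numbered after the first Deny is unreachable.
#    (-PortACL on Get-SCPortACLRule and the property names are assumed.)
$rules    = Get-SCPortACLRule -PortACL $portACL
$firstDeny = $rules | Where-Object { $_.Action -eq 'Deny' } |
    Sort-Object Priority | Select-Object -First 1
$shadowed = $rules | Where-Object {
    $_.Action -eq 'Allow' -and $firstDeny -and $_.Priority -gt $firstDeny.Priority }
if ($shadowed) {
    throw "Allow rules shadowed by '$($firstDeny.Name)': $($shadowed.Name -join ', ')"
}

# 5. Only attach once the order has been verified.
$vm      = Get-SCVirtualMachine -Name $vmName
$adapter = Get-SCVirtualNetworkAdapter -VM $vm
Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -PortACL $portACL | Out-Null
```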
Detach a port ACL from a virtual network adapter
Get the virtual network adapter that you want to detach the port ACL from.
PS C:\> $vm = Get-SCVirtualMachine -Name "TenantVM"
PS C:\> $adapter = Get-SCVirtualNetworkAdapter -VM $vm
Detach the port ACL from the virtual network adapter.
PS C:\> Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -RemovePortACL
Attach an ACL to a VM subnet
Get the VM subnet to attach the ACL.
PS C:\> $vmSubnet = Get-SCVMSubnet -Name "Tenant Subnet"
Attach an existing port ACL to the VM subnet.
PS C:\> Set-SCVMSubnet -VMSubnet $vmSubnet -PortACL $portACL
Note
You can also attach a port ACL while creating a VM subnet with the New-SCVMSubnet cmdlet.
Detach a port ACL from a VM subnet
Get the VM subnet that you want to detach the port ACL from.
PS C:\> $vmSubnet = Get-SCVMSubnet -Name "Tenant Subnet"
Detach the port ACL from the VM subnet.
PS C:\> Set-SCVMSubnet -VMSubnet $vmSubnet -RemovePortACL
Remove a port ACL rule
Get the port ACL rule that you want to remove.
PS C:\> $portACLRule = Get-SCPortACLRule -Name "AllowRDPAccess"
Remove the port ACL rule.
PS C:\> Remove-SCPortACLRule -PortACLRule $portACLRule
Remove a port ACL
Get the port ACL that you want to remove.
PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
Remove the port ACL.
PS C:\> Remove-SCPortACL -PortACL $portACL