Allow and block VM traffic using SDN port ACLs

Important

This version of Virtual Machine Manager (VMM) has reached the end of support. We recommend that you upgrade to VMM 2022.

In System Center Virtual Machine Manager (VMM), you can centrally configure and manage software defined network (SDN) port access control lists (ACLs).

  • A port ACL is a set of port ACL rules that filter traffic at the layer 2 port (virtual switch port) level.
  • A port ACL in VMM filters access to a specific VMM network object.
  • Each VMM network object can have only one port ACL attached.
  • An ACL contains rules and can be attached to any number of VMM network objects. You can create an ACL without rules and add the rules later.
  • If an ACL has multiple rules, they're evaluated in priority order. Once a rule matches the traffic, its action is applied and no further rules are processed, so the relative priority of overlapping allow and deny rules determines the outcome.
  • SDN port ACLs can be applied to VM subnets and virtual network adapters.

Note

Port ACL settings are exposed only through PowerShell cmdlets in VMM and can't be configured in the VMM console.

Using VMM PowerShell, you can also configure Hyper-V port ACLs. For more information, see Hyper-V port ACLs.

This article provides information on how to create and manage SDN port ACLs by using the VMM PowerShell cmdlets.

Before you start

Ensure that the SDN network controller is deployed. SDN port ACLs can only be attached to objects managed by Network Controller.

Create a port ACL

  1. Open PowerShell in VMM.

  2. Create a port ACL.

    PS C:\> New-SCPortACL -Name "RDPAccess" -Description "PortACL to control RDP access" -ManagedByNC
    

    Note

    The parameter -ManagedByNC ensures that the port ACL is managed by Network Controller (NC) and can only be attached to NC managed objects. The cmdlets provided here use example values.

Create a port ACL rule

  1. Get an existing port ACL.

    PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
    
  2. Create a port ACL rule.

    PS C:\> New-SCPortACLRule -Name "AllowRDPAccess" -PortACL $portACL -Description "Allow RDP Rule from a subnet" -Action Allow -Type Inbound -Priority 110 -Protocol Tcp -LocalPortRange 3389 -RemoteAddressPrefix 10.184.20.0/24
    

    Note

    • Priority range for SDN port ACL rules: 1 to 64500.
    • The -Protocol parameter accepts only Tcp, Udp, or Any when creating ACL rules.

Attach an ACL to a virtual network adapter

  1. Get the virtual network adapter.

    PS C:\> $vm = Get-SCVirtualMachine -Name "TenantVM"
    PS C:\> $adapter = Get-SCVirtualNetworkAdapter -VM $vm
    
  2. Attach an existing port ACL to the virtual network adapter.

    PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
    PS C:\> Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -PortACL $portACL
    

    Note

    You can also attach a port ACL while creating the virtual network adapter by passing -PortACL to the New-SCVirtualNetworkAdapter cmdlet.
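The steps above create an ACL, add one rule, and attach the ACL to an adapter as separate actions. The following script, added here as an example and not taken from the article or from the VMM product documentation, carries the whole procedure through end to end for the common case of restricting RDP to a management subnet. It adds the explicit catch-all deny that the single allow rule on its own does not provide, and reads the result back so you can confirm the evaluation order. The ACL name, subnet, VM name and rule names are constructed values; the PortACL property read on the adapter object in the last step is an assumption about the object's property name.

```powershell
# Added example (not from the article): complete SDN port ACL for "RDP only from
# the management subnet", attached to every adapter of one tenant VM.
# Assumes the VMM PowerShell module is loaded and a Network Controller is deployed.

$aclName  = "RDPAccess"
$mgmtCidr = "10.184.20.0/24"   # constructed: the only subnet allowed to reach RDP
$vmName   = "TenantVM"         # constructed: tenant VM to protect

# 1. Create the NC-managed ACL, or reuse it if it already exists so the script is rerunnable.
$portACL = Get-SCPortACL -Name $aclName
if (-not $portACL) {
    $portACL = New-SCPortACL -Name $aclName `
        -Description "Allow RDP only from the management subnet" -ManagedByNC
}

# 2. Rules. Rules are evaluated in priority order and the first match wins, so the
#    specific allow sits above the catch-all deny. Valid priorities are 1 to 64500.
#    Inbound: allow TCP/3389 only from the management subnet.
New-SCPortACLRule -Name "AllowRDPFromMgmt" -PortACL $portACL `
    -Description "RDP from management subnet" `
    -Action Allow -Type Inbound -Priority 110 -Protocol Tcp `
    -LocalPortRange 3389 -RemoteAddressPrefix $mgmtCidr | Out-Null

#    Inbound: explicit catch-all deny at the lowest priority. Do not rely on an
#    implicit deny; if the VM must serve other inbound traffic, add allow rules
#    with a priority value lower than this one.
New-SCPortACLRule -Name "DenyAllInbound" -PortACL $portACL `
    -Description "Drop all other inbound traffic" `
    -Action Deny -Type Inbound -Priority 64000 -Protocol Any | Out-Null

#    Outbound: allow everything for now; tighten if egress filtering is required.
New-SCPortACLRule -Name "AllowAllOutbound" -PortACL $portACL `
    -Description "Permit all outbound traffic" `
    -Action Allow -Type Outbound -Priority 64000 -Protocol Any | Out-Null

# 3. Attach the ACL to every adapter on the VM (each adapter can carry only one ACL,
#    so this replaces any ACL that was already attached).
$vm = Get-SCVirtualMachine -Name $vmName
foreach ($adapter in (Get-SCVirtualNetworkAdapter -VM $vm)) {
    Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -PortACL $portACL | Out-Null
}

# 4. Verify: show the rules in the order they are evaluated, then the attachment.
Get-SCPortACLRule -PortACL $portACL |
    Sort-Object Priority |
    Format-Table Name, Priority, Type, Action, Protocol, LocalPortRange, RemoteAddressPrefix -AutoSize

# PortACL is the assumed name of the property that exposes the attached ACL.
Get-SCVirtualNetworkAdapter -VM $vm | Format-Table Name, PortACL -AutoSize
```

Run it from the VMM PowerShell console with an account that has rights on the tenant VM. Before attaching a deny-all rule to a VM you manage over RDP, make sure your own management host falls inside the allowed prefix, because the first matching rule ends processing and a mis-scoped deny will lock you out of the adapter it is applied to.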

Detach a port ACL from a virtual network adapter

  1. Get the virtual network adapter that you want to detach the port ACL from.

    PS C:\> $vm = Get-SCVirtualMachine -Name "TenantVM"
    PS C:\> $adapter = Get-SCVirtualNetworkAdapter -VM $vm
    
  2. Detach the port ACL from the virtual network adapter.

    PS C:\> Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -RemovePortACL
    

Attach an ACL to a VM subnet

  1. Get the VM subnet to attach the ACL.

    PS C:\> $vmSubnet = Get-SCVMSubnet -Name "Tenant Subnet"
    
  2. Attach an existing port ACL to the VM subnet.

    PS C:\> Set-SCVMSubnet -VMSubnet $vmSubnet -PortACL $portACL
    

    Note

    You can also attach a port ACL while creating the VM subnet by passing -PortACL to the New-SCVMSubnet cmdlet.

Detach a port ACL from a VM subnet

  1. Get the VM subnet that you want to detach the port ACL from.

    PS C:\> $vmSubnet = Get-SCVMSubnet -Name "Tenant Subnet"
    
  2. Detach the port ACL from the VM subnet.

    PS C:\> Set-SCVMSubnet -VMSubnet $vmSubnet -RemovePortACL
    

Remove a port ACL rule

  1. Get the port ACL rule that you want to remove.

    PS C:\> $portACLRule = Get-SCPortACLRule -Name "AllowRDPAccess"
    
  2. Remove the port ACL rule.

    PS C:\> Remove-SCPortACLRule -PortACLRule $portACLRule
    

Remove a port ACL

  1. Get the port ACL that you want to remove.

    PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
    
  2. Remove the port ACL.

    PS C:\> Remove-SCPortACL -PortACL $portACL