Configure datacenter firewall Access Control Lists (ACLs)

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

Once you've created an ACL and assigned it to a virtual subnet, you might want to override that default ACL on the virtual subnet with a specific ACL for an individual network interface. In this case, you apply specific ACLs directly to network interfaces attached to VLANs, instead of the virtual network. If you have ACLs set on the virtual subnet connected to the network interface, both ACLs are applied, and the network interface ACLs take priority over the virtual subnet ACLs.

Important

If you have not created an ACL and assigned it to a virtual network, see Use Access Control Lists (ACLs) to Manage Datacenter Network Traffic Flow to create an ACL and assign it to a virtual subnet.

In this topic, we show you how to add an ACL to a network interface. We also show you how to remove an ACL from a network interface using Windows PowerShell and the Network Controller REST API.

Example: Add an ACL to a network interface

In this example, we demonstrate how to add an ACL to a network interface.

Tip

It is also possible to add an ACL at the same time that you create the network interface.

  1. Get or create the network interface to which you will add the ACL.

    $nic = Get-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId "MyVM_Ethernet1"
    
  2. Get or create the ACL you will add to the network interface.

    $acl = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "AllowAllACL"
    
  3. Assign the ACL to the AccessControlList property of the network interface.

    $nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
    
  4. Add the network interface in Network Controller.

    New-NetworkControllerNetworkInterface -ConnectionUri $uri -Properties $nic.Properties -ResourceId $nic.ResourceId
    

Example: Remove an ACL from a network interface by using Windows PowerShell and the Network Controller REST API

In this example, we show you how to remove an ACL. Removing an ACL applies the default set of rules to the network interface. The default set of rules allows all outbound traffic but blocks all inbound traffic.

Note

If you want to allow all inbound traffic, you must follow the previous example to add an ACL that allows all inbound and all outbound traffic.

  1. Get the network interface from which you will remove the ACL.

    $nic = Get-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId "MyVM_Ethernet1"
    
  2. Assign $null to the AccessControlList property of the ipConfiguration.

    $nic.Properties.IpConfigurations[0].Properties.AccessControlList = $null
    
  3. Add the network interface object in Network Controller.

    New-NetworkControllerNetworkInterface -ConnectionUri $uri -Properties $nic.Properties -ResourceId $nic.ResourceId
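The two procedures above, combined into one reusable function as an added example (not part of the original page or of the Network Controller cmdlets themselves). It assumes $uri holds the Network Controller REST endpoint as in the steps above; the function name Set-NicAcl, the use of -Force, and polling the ProvisioningState property of the returned resource are assumptions.

```powershell
# Added example: attach an ACL to, or clear it from, EVERY ipConfiguration of a
# network interface, then wait until Network Controller reports the change as
# provisioned. The steps on this page touch only IpConfigurations[0]; a NIC with
# several IP configurations would otherwise keep the old ACL on the others.
function Set-NicAcl {
    param(
        [Parameter(Mandatory)] [string] $ConnectionUri,
        [Parameter(Mandatory)] [string] $NicResourceId,
        [string] $AclResourceId,          # omit to remove the ACL (default rules apply)
        [int] $TimeoutSeconds = 120
    )

    $nic = Get-NetworkControllerNetworkInterface -ConnectionUri $ConnectionUri -ResourceId $NicResourceId

    # $null means "fall back to the default rules": all outbound allowed, all inbound blocked.
    $acl = $null
    if ($AclResourceId) {
        $acl = Get-NetworkControllerAccessControlList -ConnectionUri $ConnectionUri -ResourceId $AclResourceId
    }

    foreach ($ipcfg in $nic.Properties.IpConfigurations) {
        $ipcfg.Properties.AccessControlList = $acl
    }

    # PUT the modified resource back (same cmdlet the page uses); -Force is assumed to skip the confirmation prompt.
    New-NetworkControllerNetworkInterface -ConnectionUri $ConnectionUri -ResourceId $nic.ResourceId `
        -Properties $nic.Properties -Force | Out-Null

    # Poll until provisioned and fail loudly otherwise, so a firewall change is
    # never silently left half-applied. ProvisioningState is an assumed property name.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $nic = Get-NetworkControllerNetworkInterface -ConnectionUri $ConnectionUri -ResourceId $NicResourceId
        $state = $nic.Properties.ProvisioningState
    } while ($state -eq 'Updating' -and (Get-Date) -lt $deadline)

    if ($state -ne 'Succeeded') {
        throw "ACL change on '$NicResourceId' ended in provisioning state '$state'"
    }

    # Return the ACL reference now attached to each ipConfiguration so the caller can verify it.
    $nic.Properties.IpConfigurations | ForEach-Object { $_.Properties.AccessControlList.ResourceRef }
}

# Usage with the resource ids from this page:
# Set-NicAcl -ConnectionUri $uri -NicResourceId 'MyVM_Ethernet1' -AclResourceId 'AllowAllACL'
# Set-NicAcl -ConnectionUri $uri -NicResourceId 'MyVM_Ethernet1'   # remove: default rules apply
```

The returned resource references are what to compare against the ACL you intended to apply; an empty result after a removal confirms the interface is back on the default rules.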