Use Datacenter Firewall for Software-Defined Networking in Azure Stack HCI

Applies to: Azure Stack HCI, version 20H2; Windows Server 2019

This topic provides instructions for configuring access control lists (ACLs) to manage data traffic flow using Datacenter Firewall for Software Defined Networking (SDN) in Azure Stack HCI, using Windows PowerShell. You enable and configure Datacenter Firewall by creating ACLs that get applied to a subnet or a network interface. The example scripts in this topic use Windows PowerShell commands exported from the NetworkController module. You can also use Windows Admin Center to configure and manage ACLs.

Configure Datacenter Firewall to allow all traffic

Once you deploy SDN, you should test for basic network connectivity in your new environment. To accomplish this, create a rule for Datacenter Firewall that allows all network traffic, without restriction.

Use the entries in the following table to create a set of rules that allow all inbound and outbound network traffic.

Source IP | Destination IP | Protocol | Source Port | Destination Port | Direction | Action | Priority
*         | *              | All      | *           | *                | Inbound   | Allow  | 100
*         | *              | All      | *           | *                | Outbound  | Allow  | 110

In this example, you create an ACL with two rules:

  1. AllowAll_Inbound - allows all network traffic to pass into the network interface where this ACL is configured.
  2. AllowAll_Outbound - allows all traffic to pass out of the network interface. This ACL, identified by the resource ID "AllowAll-1", is now ready to be used in virtual subnets and network interfaces.

First, connect to one of the cluster nodes by opening a PowerShell session:

Enter-PSSession <server-name>

Then, run the following script to create the ACL:

$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "100"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"
$aclrule1 = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule1.Properties = $ruleproperties
$aclrule1.ResourceId = "AllowAll_Inbound"
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "110"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"
$aclrule2 = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule2.Properties = $ruleproperties
$aclrule2.ResourceId = "AllowAll_Outbound"
$acllistproperties = new-object Microsoft.Windows.NetworkController.AccessControlListProperties
$acllistproperties.AclRules = @($aclrule1, $aclrule2)
New-NetworkControllerAccessControlList -ResourceId "AllowAll" -Properties $acllistproperties -ConnectionUri <NC REST FQDN>

Note

The Windows PowerShell command reference for Network Controller is located in the topic Network Controller cmdlets.

Use ACLs to limit traffic on a subnet

In this example, you create an ACL that prevents virtual machines (VMs) within the 192.168.0.0/24 subnet from communicating with each other. This type of ACL is useful for limiting the ability of an attacker to spread laterally within the subnet, while still allowing the VMs to receive requests from outside the subnet and to communicate with services on other subnets.

Source IP      | Destination IP | Protocol | Source Port | Destination Port | Direction | Action | Priority
192.168.0.1    | *              | All      | *           | *                | Inbound   | Allow  | 100
*              | 192.168.0.1    | All      | *           | *                | Outbound  | Allow  | 101
192.168.0.0/24 | *              | All      | *           | *                | Inbound   | Block  | 102
*              | 192.168.0.0/24 | All      | *           | *                | Outbound  | Block  | 103
*              | *              | All      | *           | *                | Inbound   | Allow  | 104
*              | *              | All      | *           | *                | Outbound  | Allow  | 105

The ACL created by the example script below, identified by the resource ID Subnet-192-168-0-0, can now be applied to a virtual network subnet that uses the "192.168.0.0/24" subnet address. Any network interface attached to that virtual network subnet automatically gets the above ACL rules applied.

The following is an example script to create this ACL using the Network Controller REST API:

import-module networkcontroller
$ncURI = "https://mync.contoso.local"
$aclrules = @()

$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "192.168.0.1"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "100"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowRouter_Inbound"
$aclrules += $aclrule

$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "192.168.0.1"
$ruleproperties.Priority = "101"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowRouter_Outbound"
$aclrules += $aclrule

$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Deny"
$ruleproperties.SourceAddressPrefix = "192.168.0.0/24"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "102"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "DenySubnet_Inbound"
$aclrules += $aclrule

$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Deny"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "192.168.0.0/24"
$ruleproperties.Priority = "103"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "DenySubnet_Outbound"
# Without this line the outbound deny rule (priority 103) is never added to the list
$aclrules += $aclrule

$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "104"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowAll_Inbound"
$aclrules += $aclrule

$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "105"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowAll_Outbound"
$aclrules += $aclrule

$acllistproperties = new-object Microsoft.Windows.NetworkController.AccessControlListProperties
$acllistproperties.AclRules = $aclrules

New-NetworkControllerAccessControlList -ResourceId "Subnet-192-168-0-0" -Properties $acllistproperties -ConnectionUri $ncURI
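The six-rule script above repeats the same property block for every row of the table, which makes it easy to drop a rule (or a priority) without noticing. As an added example, not code from the page or from Microsoft, the script below builds the same Subnet-192-168-0-0 ACL from a table of rows with a small helper, checks that the priorities are unique before pushing, and then attaches the ACL to a virtual subnet, which the text mentions but does not show. The helper name New-SdnAclRule is an assumption; $ncURI is the page's own placeholder endpoint, and the virtual network 10_0_1_0 with subnet Subnet1 is taken from the ACL listing later in this topic and must exist in your deployment.

```powershell
# Added example: table-driven construction of the Subnet-192-168-0-0 ACL and
# attachment to a virtual subnet. Assumes the NetworkController module and an
# existing virtual network "10_0_1_0" with subnet "Subnet1" (example values).
Import-Module NetworkController
$ncURI = "https://mync.contoso.local"   # Network Controller REST endpoint (page's example value)

# Build one AclRule object from one row of the rule table. Parameter names
# mirror the table columns; Logging is always enabled so firewall auditing
# (see below) records the flows this rule processes.
function New-SdnAclRule {
    param(
        [Parameter(Mandatory)] [string] $ResourceId,
        [Parameter(Mandatory)] [string] $SourceAddressPrefix,
        [Parameter(Mandatory)] [string] $DestinationAddressPrefix,
        [Parameter(Mandatory)] [ValidateSet("Inbound", "Outbound")] [string] $Type,
        [Parameter(Mandatory)] [ValidateSet("Allow", "Deny")] [string] $Action,
        [Parameter(Mandatory)] [int] $Priority,
        [string] $Protocol = "All",
        [string] $SourcePortRange = "0-65535",
        [string] $DestinationPortRange = "0-65535"
    )
    $props = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $props.Protocol                 = $Protocol
    $props.SourcePortRange          = $SourcePortRange
    $props.DestinationPortRange     = $DestinationPortRange
    $props.Action                   = $Action
    $props.SourceAddressPrefix      = $SourceAddressPrefix
    $props.DestinationAddressPrefix = $DestinationAddressPrefix
    $props.Priority                 = "$Priority"
    $props.Type                     = $Type
    $props.Logging                  = "Enabled"

    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $ResourceId
    $rule.Properties = $props
    return $rule
}

# The rule table from the page, one hashtable per row. The lowest priority
# number wins, so the router exceptions (100/101) must sit above the
# subnet-wide denies (102/103), which in turn sit above the catch-all allows.
$rows = @(
    @{ ResourceId = "AllowRouter_Inbound";  Src = "192.168.0.1";    Dst = "*";              Type = "Inbound";  Action = "Allow"; Priority = 100 },
    @{ ResourceId = "AllowRouter_Outbound"; Src = "*";              Dst = "192.168.0.1";    Type = "Outbound"; Action = "Allow"; Priority = 101 },
    @{ ResourceId = "DenySubnet_Inbound";   Src = "192.168.0.0/24"; Dst = "*";              Type = "Inbound";  Action = "Deny";  Priority = 102 },
    @{ ResourceId = "DenySubnet_Outbound";  Src = "*";              Dst = "192.168.0.0/24"; Type = "Outbound"; Action = "Deny";  Priority = 103 },
    @{ ResourceId = "AllowAll_Inbound";     Src = "*";              Dst = "*";              Type = "Inbound";  Action = "Allow"; Priority = 104 },
    @{ ResourceId = "AllowAll_Outbound";    Src = "*";              Dst = "*";              Type = "Outbound"; Action = "Allow"; Priority = 105 }
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = @(foreach ($r in $rows) {
    New-SdnAclRule -ResourceId $r.ResourceId -SourceAddressPrefix $r.Src `
        -DestinationAddressPrefix $r.Dst -Type $r.Type -Action $r.Action -Priority $r.Priority
})

# Sanity check before pushing: duplicate priorities make the evaluation order ambiguous.
$dupes = $aclProps.AclRules | Group-Object { $_.Properties.Priority } | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate ACL priorities: $($dupes.Name -join ', ')" }

$acl = New-NetworkControllerAccessControlList -ConnectionUri $ncURI -ResourceId "Subnet-192-168-0-0" `
    -Properties $aclProps -Force

# Attach the ACL to the virtual subnet so every NIC on that subnet inherits the rules.
$vnet   = Get-NetworkControllerVirtualNetwork -ConnectionUri $ncURI -ResourceId "10_0_1_0"
$subnet = $vnet.Properties.Subnets | Where-Object { $_.ResourceId -eq "Subnet1" }
$subnet.Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $ncURI -ResourceId $vnet.ResourceId `
    -Properties $vnet.Properties -Force | Out-Null

# Read the ACL back and confirm the controller accepted it before relying on it.
$state = (Get-NetworkControllerAccessControlList -ConnectionUri $ncURI -ResourceId "Subnet-192-168-0-0").Properties.ProvisioningState
"ACL Subnet-192-168-0-0 provisioning state: $state"
```

Keeping the rules in a table also makes review easier: a reviewer can compare the hashtable rows line by line against the documented table instead of reading six near-identical property blocks.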

Add an ACL to a network interface

Once you've created an ACL and assigned it to a virtual subnet, you might want to override that default ACL on the virtual subnet with a specific ACL for an individual network interface. In this case, you apply specific ACLs directly to network interfaces attached to VLANs, instead of the virtual network. If you have ACLs set on the virtual subnet connected to the network interface, both ACLs are applied, and the network interface ACLs take priority over the virtual subnet ACLs.

In this example, we demonstrate how to add an ACL to a virtual network.

Tip

It is also possible to add an ACL at the same time that you create the network interface.

  1. Get or create the network interface to which you will add the ACL.

    $nic = get-networkcontrollernetworkinterface -ConnectionUri $uri -ResourceId "MyVM_Ethernet1"
    
  2. Get or create the ACL you will add to the network interface.

    $acl = get-networkcontrolleraccesscontrollist -ConnectionUri $uri -ResourceId "AllowAllACL"
    
  3. Assign the ACL to the AccessControlList property of the network interface.

    $nic.properties.ipconfigurations[0].properties.AccessControlList = $acl
    
  4. Add the network interface in Network Controller.

    new-networkcontrollernetworkinterface -ConnectionUri $uri -Properties $nic.properties -ResourceId $nic.resourceid
    

Remove an ACL from a network interface

In this example, we show you how to remove an ACL from a network interface. Removing an ACL applies the default set of rules to the network interface. The default set of rules allows all outbound traffic but blocks all inbound traffic. If you want to allow all inbound traffic, you must follow the previous example to add an ACL that allows all inbound and all outbound traffic.

  1. Get the network interface from which you will remove the ACL.

    $nic = get-networkcontrollernetworkinterface -ConnectionUri $uri -ResourceId "MyVM_Ethernet1"
    
  2. Assign $null to the AccessControlList property of the ipConfiguration.

    $nic.properties.ipconfigurations[0].properties.AccessControlList = $null
    
  3. Add the network interface object in Network Controller.

    new-networkcontrollernetworkinterface -ConnectionUri $uri -Properties $nic.properties -ResourceId $nic.resourceid
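The add and remove procedures above differ only in what gets assigned to the AccessControlList property, and both touch ipconfigurations[0] alone, so a NIC with more than one IP configuration would keep its old ACL on the others. As an added example, not code from the page or from Microsoft, the function below handles both the assign and the clear case for every IP configuration on the interface, refuses to push a reference to an ACL that does not exist, and waits for Network Controller to report the result. The function name Set-SdnNicAcl, the $uri value and the polling timeout are assumptions; the NIC resource ID comes from the steps above and the ACL is the "AllowAll" list created at the start of this topic.

```powershell
# Added example: assign or clear an ACL on all IP configurations of a NIC and
# wait for provisioning to finish. Assumes the NetworkController module; $uri
# is a placeholder for your Network Controller REST endpoint.
Import-Module NetworkController
$uri = "https://mync.contoso.local"

function Set-SdnNicAcl {
    param(
        [Parameter(Mandatory)] [string] $ConnectionUri,
        [Parameter(Mandatory)] [string] $NicResourceId,
        # Omit (or pass an empty value) to remove the ACL. The NIC then falls back
        # to the default rule set: all outbound allowed, all inbound blocked.
        [string] $AclResourceId = "",
        [int] $TimeoutSeconds = 120
    )
    $nic = Get-NetworkControllerNetworkInterface -ConnectionUri $ConnectionUri -ResourceId $NicResourceId

    $acl = $null
    if ($AclResourceId) {
        # Fail early if the ACL is missing rather than storing a dangling reference.
        $acl = Get-NetworkControllerAccessControlList -ConnectionUri $ConnectionUri -ResourceId $AclResourceId
    }

    # Apply to every IP configuration, not only the first one.
    foreach ($ipconfig in $nic.Properties.IpConfigurations) {
        $ipconfig.Properties.AccessControlList = $acl
    }

    New-NetworkControllerNetworkInterface -ConnectionUri $ConnectionUri -ResourceId $nic.ResourceId `
        -Properties $nic.Properties -Force | Out-Null

    # Poll until the controller reports the change as applied or failed.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-NetworkControllerNetworkInterface -ConnectionUri $ConnectionUri -ResourceId $NicResourceId).Properties.ProvisioningState
    } while ($state -eq "Updating" -and (Get-Date) -lt $deadline)

    if ($state -ne "Succeeded") {
        throw "NIC $NicResourceId ended in provisioning state '$state'"
    }
    return $state
}

# Override the subnet ACL on one VM's interface with the permissive AllowAll list...
Set-SdnNicAcl -ConnectionUri $uri -NicResourceId "MyVM_Ethernet1" -AclResourceId "AllowAll"
# ...and later clear it again, returning the NIC to the default (inbound-blocked) rules.
Set-SdnNicAcl -ConnectionUri $uri -NicResourceId "MyVM_Ethernet1"
```

Because the NIC ACL overrides the subnet ACL, the clear call is the one to audit: once it runs, the interface is governed by the default rules, not by the subnet-level ACL, so check the subnet ACL still expresses what you need for that VM.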
    

Firewall auditing

Firewall auditing is a new capability for the Datacenter Firewall that records any flow processed by SDN firewall rules. All ACLs that have logging enabled are recorded. The log files use a syntax that is consistent with the Azure Network Watcher flow logs. These logs can be used for diagnostics or archived for later analysis.

Here is a sample script to enable firewall auditing on the host servers. Update the variables at the beginning and run it on an Azure Stack HCI cluster with Network Controller deployed:

$logpath = "C:\test\log1"
$servers = @("sa18n22-2", "sa18n22-3", "sa18n22-4")
$uri = "https://sa18n22sdn.sa18.nttest.microsoft.com"

# Create log directories on the hosts
invoke-command -Computername $servers {
    param(
        $Path
    )
    mkdir $Path -force
} -argumentlist $LogPath

# Set firewall auditing settings on Network Controller
$AuditProperties = new-object Microsoft.Windows.NetworkController.AuditingSettingsProperties
$AuditProperties.OutputDirectory = $logpath
set-networkcontrollerauditingsettingsconfiguration -connectionuri $uri -properties $AuditProperties -force  | out-null

# Enable logging on each server
$servers = get-networkcontrollerserver -connectionuri $uri
foreach ($s in $servers) {
    $s.properties.AuditingEnabled = @("Firewall")
    new-networkcontrollerserver -connectionuri $uri -resourceid $s.resourceid -properties $s.properties -force | out-null
}

Once enabled, a new file appears in the specified directory on each host about once per hour. You should periodically process these files and remove them from the hosts. The current file has zero length and is locked until it is flushed at the next hour mark:

PS C:\test\log1> dir

    Directory: C:\test\log1

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/19/2018   6:28 AM          17055 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL122803093.json
-a----        7/19/2018   7:28 AM           7880 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL132803173.json
-a----        7/19/2018   8:28 AM           7867 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL142803264.json
-a----        7/19/2018   9:28 AM          10949 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL152803360.json
-a----        7/19/2018   9:28 AM              0 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL162803464.json

These files contain a sequence of flow events, for example:

{
    "records": [
        {
            "properties":{
                "Version":"1.0",
                "flows":[
                    {
                        "flows":[
                            {
                                "flowTuples":["1531963580,192.122.0.22,192.122.255.255,138,138,U,I,A"],
                                "portId":"9",
                                "portName":"7290436D-0422-498A-8EB8-C6CF5115DACE"
                            }
                        ],
                        "rule":"Allow_Inbound"
                    }
                ]
            },
            "operationName":"NetworkSecurityGroupFlowEvents",
            "resourceId":"394f647d-2ed0-4c31-87c5-389b8c0c8132",
            "time":"20180719:L012620622",
            "category":"NetworkSecurityGroupFlowEvent",
            "systemId":"d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a"
            },
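To make the hourly audit files useful for detection rather than only for archiving, they need to be flattened into one row per flow. As an added example, not code from the page or from Microsoft, the script below parses a file in the format shown above and lists denied flows grouped by source address, destination port and protocol, so that a single VM repeatedly hitting the intra-subnet deny rule against many neighbours stands out. The JSON is a constructed sample in that format (the DenySubnet_Inbound entry and its tuples are made up for this example); the tuple field order is assumed to follow the Network Watcher flow-log v1 layout the text refers to (time, source IP, destination IP, source port, destination port, protocol T/U, direction I/O, decision A/D), and the function name ConvertFrom-SdnFirewallAudit is an assumption.

```powershell
# Added example: parse Datacenter Firewall audit JSON into per-flow objects and
# summarise denied flows. $sample is a constructed file in the documented format.
$sample = @'
{ "records": [ { "properties": { "Version": "1.0", "flows": [
    { "rule": "AllowAll_Inbound",
      "flows": [ { "flowTuples": [ "1531963580,192.122.0.22,192.122.255.255,138,138,U,I,A" ],
                   "portId": "9", "portName": "7290436D-0422-498A-8EB8-C6CF5115DACE" } ] },
    { "rule": "DenySubnet_Inbound",
      "flows": [ { "flowTuples": [ "1531963601,192.168.0.10,192.168.0.11,49152,445,T,I,D",
                                    "1531963602,192.168.0.10,192.168.0.12,49153,445,T,I,D" ],
                   "portId": "12", "portName": "A1B2C3D4-0000-4000-8000-000000000001" } ] }
  ] },
  "operationName": "NetworkSecurityGroupFlowEvents",
  "resourceId": "394f647d-2ed0-4c31-87c5-389b8c0c8132",
  "time": "20180719:L012620622",
  "category": "NetworkSecurityGroupFlowEvent",
  "systemId": "d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a" } ] }
'@

# Expand one audit file (JSON text) into one object per flow tuple. Field order
# is assumed to match Network Watcher flow-log v1: epoch seconds, source IP,
# destination IP, source port, destination port, protocol (T/U), direction (I/O),
# decision (A/D). Malformed tuples are reported and skipped, not silently dropped.
function ConvertFrom-SdnFirewallAudit {
    param([Parameter(Mandatory)] [string] $JsonText)
    $doc = $JsonText | ConvertFrom-Json
    foreach ($record in $doc.records) {
        foreach ($ruleFlows in $record.properties.flows) {
            foreach ($flow in $ruleFlows.flows) {
                foreach ($tuple in $flow.flowTuples) {
                    $f = $tuple -split ','
                    if ($f.Count -ne 8) { Write-Warning "Skipping malformed tuple: $tuple"; continue }
                    [pscustomobject]@{
                        Time      = [DateTimeOffset]::FromUnixTimeSeconds([long]$f[0]).UtcDateTime
                        Rule      = $ruleFlows.rule
                        Port      = $flow.portName
                        SrcIp     = $f[1]
                        DstIp     = $f[2]
                        SrcPort   = [int]$f[3]
                        DstPort   = [int]$f[4]
                        Protocol  = @{ T = "TCP"; U = "UDP" }[$f[5]]
                        Direction = @{ I = "Inbound"; O = "Outbound" }[$f[6]]
                        Decision  = @{ A = "Allow"; D = "Deny" }[$f[7]]
                        Host      = $record.systemId
                    }
                }
            }
        }
    }
}

$flows = ConvertFrom-SdnFirewallAudit -JsonText $sample

# Denied flows by source, destination port and protocol, with the number of
# distinct targets: many targets from one source is the lateral-movement pattern
# the subnet ACL in this topic was built to stop.
$flows | Where-Object Decision -eq "Deny" |
    Group-Object SrcIp, DstPort, Protocol |
    Select-Object @{n = "Source";   e = { $_.Group[0].SrcIp }},
                  @{n = "DstPort";  e = { $_.Group[0].DstPort }},
                  @{n = "Protocol"; e = { $_.Group[0].Protocol }},
                  @{n = "Targets";  e = { ($_.Group.DstIp | Sort-Object -Unique).Count }},
                  Count |
    Sort-Object Targets -Descending | Format-Table -AutoSize

# For real files: read every completed file in the audit directory. The newest,
# zero-length file is still locked by the host until the next hourly flush.
# Get-ChildItem $logpath -Filter *.json | Where-Object Length -gt 0 |
#     ForEach-Object { ConvertFrom-SdnFirewallAudit -JsonText (Get-Content $_.FullName -Raw) }
```

On the constructed sample the summary shows one row: source 192.168.0.10, destination port 445 over TCP, two targets, two denied flows. Run the same pipeline over the collected hourly files from each host before you delete them, and keep the parsed rows rather than the raw JSON if storage is a concern.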

Note that logging takes place only for rules that have Logging set to Enabled, for example:

{
    "Tags":  null,
    "ResourceRef":  "/accessControlLists/AllowAll",
    "InstanceId":  "4a63e1a5-3264-4986-9a59-4e77a8b107fa",
    "Etag":  "W/\"1535a780-0fc8-4bba-a15a-093ecac9b88b\"",
    "ResourceMetadata":  null,
    "ResourceId":  "AllowAll",
    "Properties":  {
                       "ConfigurationState":  null,
                       "ProvisioningState":  "Succeeded",
                       "AclRules":  [
                                        {
                                            "ResourceMetadata":  null,
                                            "ResourceRef":  "/accessControlLists/AllowAll/aclRules/AllowAll_Inbound",
                                            "InstanceId":  "ba8710a8-0f01-422b-9038-d1f2390645d7",
                                            "Etag":  "W/\"1535a780-0fc8-4bba-a15a-093ecac9b88b\"",
                                            "ResourceId":  "AllowAll_Inbound",
                                            "Properties":  {
                                                               "Protocol":  "All",
                                                               "SourcePortRange":  "0-65535",
                                                               "DestinationPortRange":  "0-65535",
                                                               "Action":  "Allow",
                                                               "SourceAddressPrefix":  "*",
                                                               "DestinationAddressPrefix":  "*",
                                                               "Priority":  "101",
                                                               "Description":  null,
                                                               "Type":  "Inbound",
                                                               "Logging":  "Enabled",
                                                               "ProvisioningState":  "Succeeded"
                                                           }
                                        },
                                        {
                                            "ResourceMetadata":  null,
                                            "ResourceRef":  "/accessControlLists/AllowAll/aclRules/AllowAll_Outbound",
                                            "InstanceId":  "068264c6-2186-4dbc-bbe7-f504c6f47fa8",
                                            "Etag":  "W/\"1535a780-0fc8-4bba-a15a-093ecac9b88b\"",
                                            "ResourceId":  "AllowAll_Outbound",
                                            "Properties":  {
                                                               "Protocol":  "All",
                                                               "SourcePortRange":  "0-65535",
                                                               "DestinationPortRange":  "0-65535",
                                                               "Action":  "Allow",
                                                               "SourceAddressPrefix":  "*",
                                                               "DestinationAddressPrefix":  "*",
                                                               "Priority":  "110",
                                                               "Description":  null,
                                                               "Type":  "Outbound",
                                                               "Logging":  "Enabled",
                                                               "ProvisioningState":  "Succeeded"
                                                           }
                                        }
                                    ],
                       "IpConfigurations":  [

                                            ],
                       "Subnets":  [
                                       {
                                           "ResourceMetadata":  null,
                                           "ResourceRef":  "/virtualNetworks/10_0_1_0/subnets/Subnet1",
                                           "InstanceId":  "00000000-0000-0000-0000-000000000000",
                                           "Etag":  null,
                                           "ResourceId":  null,
                                           "Properties":  null
                                       }
                                   ]
                   }
}

Next steps

For related information, see also: