Allow and block VM traffic using SDN port ACLs

Important

This version of Virtual Machine Manager (VMM) has reached end of support; we recommend that you upgrade to VMM 2019.

In System Center - Virtual Machine Manager (VMM), you can centrally configure and manage software defined networking (SDN) port access control lists (ACLs).

  • A port ACL is a set of port ACL rules that filter traffic at the layer 2 port level.
  • A port ACL in VMM filters access to a specific VMM network object.
  • Each VMM network object can have only one port ACL attached.
  • An ACL contains rules and can be attached to any number of VMM network objects. You can create an ACL without rules and add the rules later.
  • If an ACL has multiple rules, they are applied in priority order. Once a rule matches and is applied, no further rules are processed, so a broad rule that is evaluated before a more specific one silently shadows it.
  • SDN port ACLs can be applied to virtual subnets and virtual network adapters.

Note

Port ACL settings are exposed only through PowerShell cmdlets in VMM; they can't be configured in the VMM console.

Using VMM PowerShell, you can also configure Hyper-V port ACLs, which are enforced by the Hyper-V virtual switch rather than by Network Controller. For more information, see Hyper-V port ACLs.

This article describes how to create and manage SDN port ACLs by using the VMM PowerShell cmdlets.

Before you start

Ensure that the SDN Network Controller is deployed. The port ACLs described here are managed by Network Controller and can only be attached to NC-managed objects.

Create a port ACL

  1. Open PowerShell in VMM.

  2. Create a port ACL.

    PS C:\> New-SCPortACL -Name "RDPAccess" -Description "PortACL to control RDP access" -ManagedByNC
    

    Note

    The -ManagedByNC parameter ensures that the port ACL is managed by Network Controller (NC) and can only be attached to NC-managed objects. The cmdlets shown here use example values.

Create a port ACL rule

  1. Get an existing port ACL.

    PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
    
  2. Create a port ACL rule.

    PS C:\> New-SCPortACLRule -Name "AllowRDPAccess" -PortACL $portACL -Description "Allow RDP Rule from a subnet" -Action Allow -Type Inbound -Priority 110 -Protocol Tcp -LocalPortRange 3389 -RemoteAddressPrefix 10.184.20.0/24
    

    Note

    • Priority range for SDN port ACL rules: 1 - 64500.
    • Only the Tcp, Udp and Any values are supported for -Protocol when creating ACL rules.
    • The rule above only permits RDP from 10.184.20.0/24. If you want RDP from every other source blocked, add an explicit Deny rule that is evaluated after it rather than relying on whatever Network Controller does with traffic that matches no rule.

Attach an ACL to a virtual network adapter

  1. Get the virtual network adapter. If the VM has more than one adapter, Get-SCVirtualNetworkAdapter returns all of them; select the one you want, because Set-SCVirtualNetworkAdapter operates on a single adapter.

    PS C:\> $vm = Get-SCVirtualMachine -Name "TenantVM"
    PS C:\> $adapter = Get-SCVirtualNetworkAdapter -VM $vm
    
  2. Attach an existing port ACL to the virtual network adapter.

    PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
    PS C:\> Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -PortACL $portACL
    

    Note

    You can also attach a port ACL while creating the virtual network adapter with the New-SCVirtualNetworkAdapter cmdlet; see that cmdlet's reference for details.

Detach a port ACL from a virtual network adapter

  1. Get the virtual network adapter that you want to detach the port ACL from.

    PS C:\> $vm = Get-SCVirtualMachine -Name "TenantVM"
    PS C:\> $adapter = Get-SCVirtualNetworkAdapter -VM $vm
    
  2. Detach the port ACL from the virtual network adapter.

    PS C:\> Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -RemovePortACL
    
    

Attach an ACL to a VM subnet

  1. Get the VM subnet to attach the ACL to.

    PS C:\> $vmSubnet = Get-SCVMSubnet -Name "Tenant Subnet"
    
  2. Attach an existing port ACL to the VM subnet.

    PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
    PS C:\> Set-SCVMSubnet -VMSubnet $vmSubnet -PortACL $portACL
    

    Note

    You can also attach a port ACL while creating the VM subnet with the New-SCVMSubnet cmdlet; see that cmdlet's reference for details.

Detach a port ACL from a VM subnet

  1. Get the VM subnet that you want to detach the port ACL from.

    PS C:\> $vmSubnet = Get-SCVMSubnet -Name "Tenant Subnet"
    
  2. Detach the port ACL from the VM subnet.

    PS C:\> Set-SCVMSubnet -VMSubnet $vmSubnet -RemovePortACL
    
    

Remove a port ACL rule

  1. Get the port ACL rule to remove.

    PS C:\> $portACLRule = Get-SCPortACLRule -Name "AllowRDPAccess"
    
  2. Remove the port ACL rule.

    PS C:\> Remove-SCPortACLRule -PortACLRule $portACLRule
    
    

Remove a port ACL

  1. Get the port ACL that you want to remove.

    PS C:\> $portACL = Get-SCPortACL -Name "RDPAccess"
    
  2. Remove the port ACL.

    PS C:\> Remove-SCPortACL -PortACL $portACL
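The sections above each show one cmdlet in isolation. The script below is an added example, not part of the original article or of VMM, that strings them together into a re-runnable lifecycle: create the "RDPAccess" ACL only if it is missing, give it an explicit Allow-from-management-subnet rule followed by an explicit Deny so the ACL does not depend on Network Controller's behaviour for unmatched traffic, attach it to every adapter of a VM, print the rules in evaluation order so the shadowing problem is visible, and tear everything down in dependency order. The VM name, subnet prefix, rule names and priorities are assumed values; the rule object's property names used for display, the adapter's PortACL property, and the assumption that a lower Priority value is evaluated first are also assumptions you should confirm against your VMM and Network Controller version before relying on the ordering.

```powershell
# Added example (not from the original article). Run from the VMM PowerShell
# session described above. All names, prefixes and priorities are assumed values.
$ErrorActionPreference = 'Stop'

$aclName    = 'RDPAccess'
$vmName     = 'TenantVM'            # assumed VM name
$mgmtPrefix = '10.184.20.0/24'      # assumed: the only subnet allowed to RDP in

# 1. Create the NC-managed ACL only if it does not exist, so re-running is safe.
$portACL = Get-SCPortACL -Name $aclName
if (-not $portACL) {
    $portACL = New-SCPortACL -Name $aclName `
        -Description 'Allow RDP from the management subnet only' -ManagedByNC
}

# 2. Rules. Assumption (verify for your NC version): a lower Priority value is
#    evaluated first and evaluation stops at the first match, so the narrow Allow
#    must sort before the broad Deny or it will never be reached.
$rules = @(
    @{ Name = 'AllowRDPFromMgmt';    Action = 'Allow'; Type = 'Inbound'; Priority = 110;
       Protocol = 'Tcp'; LocalPortRange = '3389'; RemoteAddressPrefix = $mgmtPrefix }
    @{ Name = 'DenyRDPFromAnywhere'; Action = 'Deny';  Type = 'Inbound'; Priority = 200;
       Protocol = 'Tcp'; LocalPortRange = '3389'; RemoteAddressPrefix = '0.0.0.0/0' }
)
foreach ($r in $rules) {
    $existing = Get-SCPortACLRule -PortACL $portACL | Where-Object Name -eq $r.Name
    if (-not $existing) {
        # Splat the hashtable: every key is a New-SCPortACLRule parameter used above.
        New-SCPortACLRule -PortACL $portACL -Description "$($r.Name) (scripted)" @r | Out-Null
    }
}

# 3. Attach to every adapter of the VM. Set-SCVirtualNetworkAdapter takes one
#    adapter, so loop instead of passing the whole collection from Get-*.
$vm = Get-SCVirtualMachine -Name $vmName
foreach ($adapter in (Get-SCVirtualNetworkAdapter -VM $vm)) {
    Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -PortACL $portACL | Out-Null
}

# 4. Verify. Sorting by Priority shows the order NC will evaluate; a Deny that
#    sorts above an Allow for the same port is the misconfiguration to look for.
#    (Property names below are assumed to match the rule object.)
Get-SCPortACLRule -PortACL $portACL |
    Sort-Object Priority |
    Format-Table Priority, Name, Action, Type, Protocol, LocalPortRange, RemoteAddressPrefix -AutoSize

foreach ($adapter in (Get-SCVirtualNetworkAdapter -VM $vm)) {
    # Assumption: the adapter object exposes the attached ACL as a PortACL property.
    '{0}: attached ACL = {1}' -f $adapter.Name, $adapter.PortACL.Name
}

# 5. Roll-back helper, in dependency order: detach from adapters first, then
#    delete the rules, then the ACL itself. Not invoked by default.
function Remove-RdpPortAcl {
    param([string]$AclName, [string]$VmName)
    $acl = Get-SCPortACL -Name $AclName
    if (-not $acl) { return }
    $target = Get-SCVirtualMachine -Name $VmName
    foreach ($adapter in (Get-SCVirtualNetworkAdapter -VM $target)) {
        Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $adapter -RemovePortACL | Out-Null
    }
    Get-SCPortACLRule -PortACL $acl | ForEach-Object { Remove-SCPortACLRule -PortACLRule $_ }
    Remove-SCPortACL -PortACL $acl
}
# Remove-RdpPortAcl -AclName $aclName -VmName $vmName
```

Two design points: the existence checks make the script idempotent, which matters because each network object can carry only one ACL and re-creating an attached ACL would otherwise fail or leave the adapter pointing at a stale object; and the explicit Deny rule turns the ACL into a statement of intent that survives whatever the implicit default is, while the sorted listing lets you catch a broad rule that has been given a priority value placing it ahead of the narrower one it was meant to complement.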