Use Access Control Lists (ACLs) to Manage Datacenter Network Traffic Flow

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn how to configure access control lists to manage data traffic flow using Datacenter Firewall and ACLs on virtual subnets.

You can enable and configure Datacenter Firewall by creating ACLs that are applied to a virtual subnet or a network interface.

The following examples demonstrate how to use Windows PowerShell to create these ACLs.

Configure Datacenter Firewall to Allow All Traffic

After deploying SDN, it is recommended that you test basic network connectivity in your new environment.

To accomplish this, you can create a rule for Datacenter Firewall that allows all network traffic, without restriction.

You can use the entries in the following table to create a set of rules that allow all inbound and outbound network traffic.

| Source IP | Destination IP | Protocol | Source Port | Destination Port | Direction | Action | Priority |
|---|---|---|---|---|---|---|---|
| * | * | All | * | * | Inbound | Allow | 100 |
| * | * | All | * | * | Outbound | Allow | 110 |

This example script creates an ACL that contains two rules:

  • The first rule, "AllowAll_Inbound", allows all network traffic to pass into the network interface where this ACL is configured.
  • The second rule, "AllowAllOutbound", allows all traffic to pass out of the network interface.

This ACL, identified by the resource id "AllowAll-1", is now ready to be used in virtual subnets and network interfaces.

The following example script uses Windows PowerShell commands exported from the NetworkController module to create this ACL.

```powershell
# Load the Network Controller module so the Microsoft.Windows.NetworkController
# types and the New-NetworkControllerAccessControlList cmdlet are available.
Import-Module NetworkController

# Rule 1: allow all inbound traffic, any protocol, any port, any source/destination.
$ruleproperties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "100"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"
$aclrule1 = New-Object Microsoft.Windows.NetworkController.AclRule
$aclrule1.Properties = $ruleproperties
$aclrule1.ResourceId = "AllowAll_Inbound"

# Rule 2: allow all outbound traffic with the same wildcard matching.
$ruleproperties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "110"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"
$aclrule2 = New-Object Microsoft.Windows.NetworkController.AclRule
$aclrule2.Properties = $ruleproperties
$aclrule2.ResourceId = "AllowAll_Outbound"

# Bundle both rules into one ACL resource and push it to Network Controller.
# Replace <NC REST FQDN> with your Network Controller REST endpoint
# (for example https://mync.contoso.local).
$acllistproperties = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$acllistproperties.AclRules = @($aclrule1, $aclrule2)
New-NetworkControllerAccessControlList -ResourceId "AllowAll" -Properties $acllistproperties -ConnectionUri <NC REST FQDN>
```

Note

The Windows PowerShell command reference for Network Controller is located in the topic Network Controller Cmdlets.

Use ACLs to Limit Traffic on a Subnet

You can use this example to create an ACL that prevents virtual machines (VMs) within the 192.168.0.0/24 subnet from communicating with each other.

This type of ACL is useful for limiting the ability of an attacker to spread laterally within the subnet, while still allowing the VMs to receive requests from outside of the subnet, as well as to communicate with other services on other subnets.

| Source IP | Destination IP | Protocol | Source Port | Destination Port | Direction | Action | Priority |
|---|---|---|---|---|---|---|---|
| 192.168.0.1 | * | All | * | * | Inbound | Allow | 100 |
| * | 192.168.0.1 | All | * | * | Outbound | Allow | 101 |
| 192.168.0.0/24 | * | All | * | * | Inbound | Block | 102 |
| * | 192.168.0.0/24 | All | * | * | Outbound | Block | 103 |
| * | * | All | * | * | Inbound | Allow | 104 |
| * | * | All | * | * | Outbound | Allow | 105 |

The ACL created by the example script below, identified by the resource id Subnet-192-168-0-0, can now be applied to a virtual network subnet that uses the "192.168.0.0/24" subnet address. Any network interface that is attached to that virtual network subnet automatically gets the above ACL rules applied.

The following is an example script using Windows PowerShell commands to create this ACL using the Network Controller REST API:

```powershell
Import-Module NetworkController
$ncURI = "https://mync.contoso.local"
$aclrules = @()

# Priority 100: allow inbound traffic from the subnet gateway (192.168.0.1).
$ruleproperties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "192.168.0.1"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "100"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"

$aclrule = New-Object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowRouter_Inbound"
$aclrules += $aclrule

# Priority 101: allow outbound traffic to the subnet gateway.
$ruleproperties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "192.168.0.1"
$ruleproperties.Priority = "101"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"

$aclrule = New-Object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowRouter_Outbound"
$aclrules += $aclrule

# Priority 102: deny inbound traffic originating from any other host in 192.168.0.0/24.
$ruleproperties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Deny"
$ruleproperties.SourceAddressPrefix = "192.168.0.0/24"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "102"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"

$aclrule = New-Object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "DenySubnet_Inbound"
$aclrules += $aclrule

# Priority 103: deny outbound traffic destined for any other host in 192.168.0.0/24.
$ruleproperties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Deny"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "192.168.0.0/24"
$ruleproperties.Priority = "103"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"

$aclrule = New-Object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "DenySubnet_Outbound"
# This rule must be appended too; without it the outbound block is never installed.
$aclrules += $aclrule

# Priority 104: allow all remaining inbound traffic (from outside the subnet).
$ruleproperties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "104"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"

$aclrule = New-Object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowAll_Inbound"
$aclrules += $aclrule

# Priority 105: allow all remaining outbound traffic (to other subnets).
$ruleproperties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "105"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"

$aclrule = New-Object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowAll_Outbound"
$aclrules += $aclrule

# Create the ACL resource containing all six rules on the Network Controller.
$acllistproperties = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$acllistproperties.AclRules = $aclrules

New-NetworkControllerAccessControlList -ResourceId "Subnet-192-168-0-0" -Properties $acllistproperties -ConnectionUri $ncURI
```
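Before applying the Subnet-192-168-0-0 ACL to a production subnet, it helps to check on paper which of the six rules each expected flow will hit. The following added example (not part of this page or of the NetworkController module) models the table above as an ordered rule list and evaluates constructed sample flows against it; it only models direction and address prefixes, since every rule on this page uses protocol All and ports 0-65535, and it also shows how leaving one Deny rule out of the list silently re-opens intra-subnet traffic.

```python
import ipaddress

# The six rules of the Subnet-192-168-0-0 ACL, transcribed from the table on this page:
# (name, direction, source prefix, destination prefix, action, priority).
RULES = [
    ("AllowRouter_Inbound",  "Inbound",  "192.168.0.1",    "*",              "Allow", 100),
    ("AllowRouter_Outbound", "Outbound", "*",              "192.168.0.1",    "Allow", 101),
    ("DenySubnet_Inbound",   "Inbound",  "192.168.0.0/24", "*",              "Deny",  102),
    ("DenySubnet_Outbound",  "Outbound", "*",              "192.168.0.0/24", "Deny",  103),
    ("AllowAll_Inbound",     "Inbound",  "*",              "*",              "Allow", 104),
    ("AllowAll_Outbound",    "Outbound", "*",              "*",              "Allow", 105),
]


def prefix_matches(prefix, addr):
    """'*' matches any address; otherwise test addr against a host or CIDR prefix."""
    if prefix == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def evaluate(direction, src, dst, rules=RULES):
    """Return (rule name, action) of the first rule matching the flow.

    Rules are tried in ascending priority value (lowest number first), the
    order in which the page's table lists them. Returns None when nothing
    matches, which the two catch-all rules above make impossible.
    """
    for name, rule_dir, src_pfx, dst_pfx, action, _prio in sorted(rules, key=lambda r: r[5]):
        if rule_dir == direction and prefix_matches(src_pfx, src) and prefix_matches(dst_pfx, dst):
            return name, action
    return None


def without(rule_name, rules=RULES):
    """The same ACL with one rule left out, as happens when a rule is never appended."""
    return [r for r in rules if r[0] != rule_name]


if __name__ == "__main__":
    # Constructed sample flows: VM-to-VM inside the subnet, the gateway, an outside host.
    for flow in [("Inbound", "192.168.0.5", "192.168.0.7"),
                 ("Inbound", "192.168.0.1", "192.168.0.7"),
                 ("Inbound", "10.0.0.5", "192.168.0.7"),
                 ("Outbound", "192.168.0.7", "192.168.0.5")]:
        print(flow, "->", evaluate(*flow))
    print("without DenySubnet_Outbound:",
          evaluate("Outbound", "192.168.0.7", "192.168.0.5", without("DenySubnet_Outbound")))
```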