Port in a storm: Creating port ACLs for Hyper-V for better security

Hyper-V virtual machine networks have a reputation for being somewhat simplistic. After all, objects such as virtual switches can be created with just a few clicks and require minimal maintenance. Even so, there is more to Hyper-V virtual networking than meets the eye. If you are running Windows Server 2012 R2 or later and System Center Virtual Machine Manager (VMM), you can enhance the security of your virtual network by creating a series of port ACLs. These port ACLs can be used to restrict communications across virtual networks. For example, you might use a port ACL to prevent a VM from being able to communicate with another VM.

Port ACLs are designed to work at layer 2 of the networking stack. For those who need a bit of a refresher, there are seven layers defined by the OSI model. These layers include:

  • Application layer (Layer 7)
  • Presentation layer (Layer 6)
  • Session layer (Layer 5)
  • Transport layer (Layer 4)
  • Network layer (Layer 3)
  • Data link layer (Layer 2)
  • Physical layer (Layer 1)

As previously noted, port ACLs work at layer 2, the data link layer, and use rules to control access to various VMM objects. These ACLs can be applied to virtual subnets, network adapters, VM networks, and even the VMM server itself, so long as those objects are not managed by a network controller. If network controller management is being used, then port ACLs can be applied to virtual subnets and adapters.

Unfortunately, port ACLs can only be managed through the Virtual Machine Manager management shell. They are not exposed through the management console. Even so, the commands used to create and configure port ACLs are relatively straightforward.

Creating a Port ACL

When you create a port ACL, it does not initially do anything. You have to add rules to the port ACL before it will be able to restrict communications on your virtual network. Therefore, when you create a port ACL, you are just creating a named object. Not surprisingly, this is easy to do.

Creating a port ACL is done by way of the New-SCPortACL cmdlet. The only parameter that is required when creating a port ACL is a name. Here is an example of a command used to create a new port ACL.

New-SCPortACL -Name <ACL name>

Incidentally, if you want to see the port ACLs that exist on your system, you can do so by using the Get-SCPortACL cmdlet. You can see an example of both commands in the screenshot below.

Creating rules

Once you have created a new port ACL, you can begin adding rules to the ACL. Before I show you how to do this, I need to take a moment and discuss the hierarchical structures involved. As I have already explained, a port ACL is essentially just a named object. This object can store a collection of rules. As you have already seen, it is possible for a port ACL to not have any rules associated with it, but a port ACL will normally include at least one rule.

If a port ACL has more than one rule associated with it, then the rules are applied based on priority. When you create a rule, you will typically associate a numerical priority with the rule, and this priority is used to determine which rules take precedence in the event of a rule conflict.

When you have created a port ACL and a collection of rules, that port ACL is then assigned to one or more VMM objects. It is worth noting that a network object can only have a single port ACL associated with it.

So, with that said, let’s take a look at how to create a rule. Port ACL rules work in essentially the same way as a firewall rule. Therefore, when you create a port ACL rule, there are some specific pieces of information that you will need to include. Typically you will need to specify the port ACL that the rule should be associated with, the port number that the rule should apply to, whether the rule should apply to inbound or outbound traffic, the protocol that the rule should apply to (TCP / UDP), and whether the rule should block or allow access to the port. The cmdlet used to create a new rule is New-SCPortACLRule.

For the sake of demonstration, let’s suppose that we want to add a rule to the Example port ACL that I created a moment ago and that this new rule should block inbound traffic on TCP port 80. In other words, the rule blocks inbound HTTP traffic. Here is what the required commands would look like:

$ACL=Get-SCPortACL -Name Example
New-SCPortACLRule -PortACL $ACL -Name <rule name> -Action Deny -Type Inbound -Protocol TCP -LocalPortRange 80 -Priority 101

In the screenshot below, I mapped my port ACL to a variable called $MyACL. The screenshot shows the command that I used to create the new rule.

Attaching the port ACL

The procedure used for attaching a port ACL to an object varies widely depending on the type of object that you are attaching the port ACL to. Many of VMM’s Set cmdlets support a parameter called PortACL, which allows you to specify the port ACL that you wish to use. A few examples of such cmdlets include Set-SCVMMServer, Set-SCVMNetwork, and Set-SCVMSubnet. Some of VMM’s New cmdlets, such as New-SCVMSubnet, also support this parameter. You can find the full documentation here.
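The whole procedure described above (create the ACL, add prioritized rules, attach it to an object), shown end to end as an added example that is not from the original article. Two rules cover the same port, so the priority decides which one applies. The ACL name, rule names, VM network name, and the 192.0.2.0/24 management prefix are placeholders assumed for illustration.

```powershell
# Added example. Run in the VMM management shell against an existing VM network.
# All names and the address prefix below are placeholders, not values from the article.
$aclName       = 'Example-RDP-Restrict'   # hypothetical ACL name
$vmNetworkName = 'Tenant-VMNetwork'       # hypothetical VM network name
$mgmtPrefix    = '192.0.2.0/24'           # constructed management subnet

# Reuse the ACL if it already exists so the script can be re-run.
$acl = Get-SCPortACL -Name $aclName -ErrorAction SilentlyContinue
if (-not $acl) {
    $acl = New-SCPortACL -Name $aclName -Description 'RDP from management subnet only'
}

# Two rules that conflict on inbound TCP 3389. The rule with the lower
# priority number is evaluated first, so the Allow for the management
# prefix takes precedence over the broader Deny.
$rules = @(
    @{ Name = 'Allow-RDP-Mgmt'; Action = 'Allow'; Priority = 101
       RemoteAddressPrefix = $mgmtPrefix },
    @{ Name = 'Deny-RDP-Any';   Action = 'Deny';  Priority = 200 }
)

# Skip rules that are already present on the ACL.
$existing = @(Get-SCPortACLRule -PortACL $acl | ForEach-Object { $_.Name })
foreach ($rule in $rules) {
    if ($existing -notcontains $rule.Name) {
        New-SCPortACLRule -PortACL $acl -Type Inbound -Protocol Tcp `
            -LocalPortRange 3389 @rule | Out-Null
    }
}

# Review the rules in evaluation order before attaching the ACL.
Get-SCPortACLRule -PortACL $acl |
    Sort-Object Priority |
    Select-Object Name, Priority, Action

# Attach the ACL. An object can hold only one port ACL, so this
# replaces whatever ACL the VM network had before.
$vmNetwork = Get-SCVMNetwork -Name $vmNetworkName
Set-SCVMNetwork -VMNetwork $vmNetwork -PortACL $acl
```

Leaving a gap between priority values (101, 200) keeps room to insert more specific rules later without renumbering.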

Port ACLs for better security

While no rule says that you have to make use of port ACLs, doing so can help you to better secure your virtual networks. By doing so, you can restrict objects so that they are only able to communicate with the VMs and other objects that you have specifically authorized. If you are interested in learning more, then Microsoft provides a nice demo video here.
