Using Port ACLs in Hyper-V 2012


Recently I had an issue where I needed to carefully control which machines can talk to each other, using a feature of Hyper-V in Server 2012: Port Access Control Lists (ACLs).

The feature is described in but might require more explanation. You can apply the ACLs to MAC addresses or IP addresses and additionally specify Local or Remote. "Local" and "Remote" are to be understood from the VM's perspective: Local is an address used by the VM itself, Remote is the address of the peer it talks to. So the example in the above link actually blocks all MAC addresses and then allows only one local MAC inside the VM (and it is missing one byte).

Let me give you another example that limits the IP traffic of a VM to only one other machine.

W12testvm1 has IP and it should only communicate with W12testvm2, which has IP
The PowerShell commands are issued on the host running w12testvm1.

1. „Block all IPs outgoing from w12testvm1“
add-VMNetworkAdapterAcl  -VMName w12testvm1 -LocalIPAddress any -Direction Both -Action deny

2. „Allow the IP of w12testvm1 to be sent and received“
add-VMNetworkAdapterAcl  -VMName w12testvm1 -LocalIPAddress -Direction Both -Action allow

3. „Block all IPs incoming to w12testvm1“
add-VMNetworkAdapterAcl  -VMName w12testvm1 -RemoteIPAddress any -Direction Both -Action deny

4. „Allow only the IP of w12testvm2 incoming“
add-VMNetworkAdapterAcl  -VMName w12testvm1 -RemoteIPAddress -Direction Both -Action allow

To query the current settings, use:

PS C:\Windows\system32> Get-VMNetworkAdapterAcl -VMName w12testvm1

VMName: w12testvm1

Direction    Address                                                  Action           
---------        -------                                                      ------           
Inbound      Local                                   Allow            
Inbound      Local                                      Deny             
Inbound      Local  ::/0                                               Deny             
Inbound      Remote ::/0                                            Deny             
Inbound      Remote                                Allow            
Inbound      Remote                                   Deny             
Outbound     Local  ::/0                                             Deny             
Outbound     Local                                 Allow            
Outbound     Local                                    Deny             
Outbound     Remote ::/0                                          Deny             
Outbound     Remote                                 Deny             
Outbound     Remote                              Allow
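The same four-step pattern, generalised to several permitted peers and followed by a read-back check, as an added example that is not part of the original post. The VM name and the IP addresses are constructed placeholders, and the rule property names LocalAddress/RemoteAddress used in the check are an assumption about the objects Get-VMNetworkAdapterAcl returns.

```powershell
# Added example (not from the original post). Port ACLs in Hyper-V 2012 are
# stateless and match on address only; the most specific match wins, which is
# why "deny any" combined with narrow "allow" rules gives the desired result.
# Note that "any" expands to both 0.0.0.0/0 and ::/0, so IPv6 is covered too.

function Set-VmIsolationAcl {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$LocalIP,
        [Parameter(Mandatory)][string[]]$AllowedRemoteIPs
    )
    foreach ($ip in @($LocalIP) + $AllowedRemoteIPs) {
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$null)) {
            throw "Not a valid IP address: $ip"
        }
    }
    # Steps 1-2: deny every local (VM-side) address, then allow the VM's own IP.
    Add-VMNetworkAdapterAcl -VMName $VMName -LocalIPAddress any -Direction Both -Action Deny -ErrorAction Stop
    Add-VMNetworkAdapterAcl -VMName $VMName -LocalIPAddress $LocalIP -Direction Both -Action Allow -ErrorAction Stop
    # Steps 3-4: deny every remote (peer) address, then allow each permitted peer.
    Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress any -Direction Both -Action Deny -ErrorAction Stop
    foreach ($peer in $AllowedRemoteIPs) {
        Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $peer -Direction Both -Action Allow -ErrorAction Stop
    }
}

function Test-VmIsolationAcl {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string[]]$AllowedRemoteIPs
    )
    $acls = Get-VMNetworkAdapterAcl -VMName $VMName
    # Assumption: LocalAddress/RemoteAddress are the per-rule properties behind
    # the "Address" column of the default table view. Addresses may come back
    # with or without a prefix length, so the prefix is stripped before comparing.
    $denyAnyRemote = $acls | Where-Object { $_.Action -eq 'Deny' -and $_.RemoteAddress -match '^(0\.0\.0\.0/0|::/0)$' }
    $remoteAllows  = $acls | Where-Object { $_.Action -eq 'Allow' -and $_.RemoteAddress }
    $unexpected    = $remoteAllows | Where-Object { $AllowedRemoteIPs -notcontains ($_.RemoteAddress -replace '/\d+$', '') }
    [pscustomobject]@{
        VMName           = $VMName
        HasDenyAnyRemote = [bool]$denyAnyRemote
        UnexpectedAllows = @($unexpected | ForEach-Object { $_.RemoteAddress })
        Isolated         = [bool]$denyAnyRemote -and -not $unexpected
    }
}

# Constructed values from the RFC 5737 documentation range, not from the post.
Set-VmIsolationAcl  -VMName w12testvm1 -LocalIP 192.0.2.10 -AllowedRemoteIPs 192.0.2.20
Test-VmIsolationAcl -VMName w12testvm1 -AllowedRemoteIPs 192.0.2.20
```

Run Test-VmIsolationAcl again after any later change to the VM; an "Isolated" value of False or a non-empty "UnexpectedAllows" list means a rule was added outside the intended set.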

Hope you find this useful.
