Using Port ACLs in Hyper-V 2012
Hi,
Recently I had an issue where I needed to carefully control which machines can talk to each other, using a feature of Server 2012: Port Access Control Lists (ACLs).
The feature is described in https://technet.microsoft.com/en-us/library/jj679878.aspx but might require more explanation. You can apply the ACLs to MAC addresses or IP addresses and additionally specify Local or Remote. Local and Remote are to be understood from the VM's perspective. So the example in the above link actually blocks all MAC addresses and then only allows one local MAC inside the VM (and that MAC address is missing one byte).
Let me give you another example, which limits the IP traffic to only one other machine.
W12testvm1 has IP 10.0.0.131 and should only communicate with W12testvm2, which has IP 10.0.0.160.
The PowerShell commands are issued on the host running w12testvm1.
1. "Block all IPs outgoing from w12testvm1"
Add-VMNetworkAdapterAcl -VMName w12testvm1 -LocalIPAddress any -Direction Both -Action Deny
2. "Allow the IP of w12testvm1 to be sent and received"
Add-VMNetworkAdapterAcl -VMName w12testvm1 -LocalIPAddress 10.0.0.131 -Direction Both -Action Allow
3. "Block all IPs incoming to w12testvm1"
Add-VMNetworkAdapterAcl -VMName w12testvm1 -RemoteIPAddress any -Direction Both -Action Deny
4. "Allow only the IP of w12testvm2 incoming"
Add-VMNetworkAdapterAcl -VMName w12testvm1 -RemoteIPAddress 10.0.0.160 -Direction Both -Action Allow
To query the current settings, use
PS C:\Windows\system32> Get-VMNetworkAdapterAcl -VMName w12testvm1

VMName: w12testvm1

Direction Address            Action
--------- -------            ------
Inbound   Local 10.0.0.131   Allow
Inbound   Local 0.0.0.0/0    Deny
Inbound   Local ::/0         Deny
Inbound   Remote ::/0        Deny
Inbound   Remote 10.0.0.160  Allow
Inbound   Remote 0.0.0.0/0   Deny
Outbound  Local ::/0         Deny
Outbound  Local 10.0.0.131   Allow
Outbound  Local 0.0.0.0/0    Deny
Outbound  Remote ::/0        Deny
Outbound  Remote 0.0.0.0/0   Deny
Outbound  Remote 10.0.0.160  Allow
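The four steps above wrapped into one reusable function, as an added example (not part of the original post, and not Microsoft's code): it takes the VM's own IP and a list of permitted peers, optionally clears any rules left from earlier runs, and returns the resulting rule set for review. It assumes the Hyper-V cmdlets used in the post plus Remove-VMNetworkAdapterAcl accepting Get-VMNetworkAdapterAcl objects from the pipeline; Set-VMIPAllowList is a hypothetical name.

```powershell
# Added example, not from the original post. Assumes the Hyper-V PowerShell module
# (Add-/Get-/Remove-VMNetworkAdapterAcl) on a Server 2012 host.
function Set-VMIPAllowList {
    param(
        [Parameter(Mandatory)] [string]   $VMName,          # e.g. w12testvm1
        [Parameter(Mandatory)] [string]   $LocalIPAddress,  # the VM's own IP, e.g. 10.0.0.131
        [Parameter(Mandatory)] [string[]] $RemoteIPAddress, # peers it may talk to, e.g. 10.0.0.160
        [switch] $ReplaceExisting                          # drop old rules before applying
    )

    if ($ReplaceExisting) {
        # Start from a clean slate so stale Allow rules from earlier runs cannot linger.
        Get-VMNetworkAdapterAcl -VMName $VMName | Remove-VMNetworkAdapterAcl
    }

    # Steps 1 and 3: default deny in both directions for any local and any remote IP.
    # "any" expands to 0.0.0.0/0 and ::/0, so IPv6 is denied as well (see the Get output above).
    Add-VMNetworkAdapterAcl -VMName $VMName -LocalIPAddress  any -Direction Both -Action Deny
    Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress any -Direction Both -Action Deny

    # Step 2: permit the VM's own address as the local side of the conversation.
    Add-VMNetworkAdapterAcl -VMName $VMName -LocalIPAddress $LocalIPAddress -Direction Both -Action Allow

    # Step 4, generalised to several peers: one Allow per permitted remote address.
    foreach ($peer in $RemoteIPAddress) {
        Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $peer -Direction Both -Action Allow
    }

    # Verification: hand back the effective rule set so the caller can compare it
    # against the expected table (one Allow per direction for each permitted address).
    Get-VMNetworkAdapterAcl -VMName $VMName
}

# Usage matching the post: w12testvm1 (10.0.0.131) may only talk to w12testvm2 (10.0.0.160).
Set-VMIPAllowList -VMName w12testvm1 -LocalIPAddress 10.0.0.131 -RemoteIPAddress 10.0.0.160 -ReplaceExisting
```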
Hope you find this useful.
Cheers
Robert