You dont have javascript enabled! Please enable it! Step By Step: How To Deploy #Hyper-V Extended Port ACLs In System Center Virtual Machine Manager #SCVMM - CHARBEL NEMNOM - MVP | MCT | CCSP | CISM - Cloud & CyberSecurity

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM

6 Min. Read

Hello folks,

Your feedback is very important to the VMM team. Microsoft is listening to you. The requested features on the user’s voice for Virtual Machine Manager (VMM) are now available, deploying extended Hyper-V Port ACLs and support for Storage Spaces Tiering.

For the complete list of features that are included in Update Rollup 8, please check here. As you already know that deploying extended Port ACLs and Storage Spaces tiering in VMM was not possible.

The good news is, the Virtual Machine Manager (VMM) team has announced support to deploy extended Hyper-V Port ACLs and Storage Spaces Tiering in VMM 2012 R2 Update Rollup 8.

In today’s blog post, we will show you how to deploy and validate Hyper-V extended Port ACLs, and in the next post, we will walk you through how to deploy Storage Spaces Tiering in SCVMM.

For more information about Extended Port ACLs and how to deploy them natively in Hyper-V, please make sure to check my earlier post: Hyper-V Virtual Switch Extended Port ACLs in action.

After you install and verify Update Rollup 8 for Virtual Machine Manager, you can move to the below section:

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 1

Hyper-V Extended Port ACLs in SCVMM

With the introduction of the VMM 2012 R2 UR8 update, administrators can now centrally create and manage port ACLs for their Tenant’s VMs.

What you can do with this Feature:

  • Define ACLs & their ACL Rules.
  • Attach the ACLs created to VM Networks, Subnets, or Virtual Network Adapters.
  • Attach the ACL to a Global ACL for all Virtual Network Adapters.
  • Verify ACL and ACL Rules.
  • View & Update ACL Rules configured on the vNIC.
  • Delete ACL Rules.

Each of these actions is covered in more detail below. Please note that this functionality is only exposed through PowerShell at the moment and will not reflect in the VMM Console UI. Please vote on the user’s voice if you want to manage Port ACLs in the VMM Console as well.

Defining new ACL & their Rules

You can now create ACLs & their ACL rules directly from within VMM using PowerShell. The PowerShell module for Virtual Machine Manager has been expanded with 8 new cmdlets.

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 2

The PowerShell cmdlet to create a New ACL is the following:

New-SCPortACL –Name <string> [–Description <string>] followed by name and description for the ACL. To define the ACL rules, you need to use New-SCPortACLRule

New-SCPortACLRule -PortACL <PortACL> -Name <string> -Action <Allow | Deny> -Type <Inbound | Outbound> -Priority <uint16> -Protocol <Tcp | Udp | Any> [-SourceAddressPrefix <string: IPAddress | IPSubnet>] [-SourcePortRange <string:X|X-Y|Any>] [-DestinationAddressPrefix <string: IPAddress | IPSubnet>] [-DestinationPortRange <string:X|X-Y|Any>] [-Description <string>]

In this article, I will create a new ACL rule to allow HTTP traffic from all subnets, then limit RDP traffic only to a specific IP Subnet, and deny all other traffic.

New-SCPortACL –VMMServer SCVMM01 –Name DEMO-ACL01 –Description "Allow HTTP All, Limit RDP Access"

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 3

As you can see after you create a new ACL, the PortACLRules {} value is empty.

Next, we need to define ACL rules using New-SCPortACLRule –PortACL where <PortACL> is the new ACL created in the previous step.

$SCPortACL = Get-SCPortACL -VMMServer SCVMM01

New-SCPortACLRule -VMMServer SCVMM01 -Name "HTTPRule" -PortACL $SCPortACL -Description "Allow HTTP Rule" -Action Allow -Type Inbound -Priority 100 -Protocol Tcp -SourcePortRange 80 –Verbose

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 4

One important point to mention about Priority in VMM versus Weight in Hyper-V Port ACLs, If you checked my previous post about Hyper-V Virtual Switch Extended Port ACLs in action, you will notice that the higher Weight value will take precedence, however in VMM the lower Priority value will take precedence.

Next, we need to allow RDP access from a specific MGMT subnet.

New-SCPortACLRule -VMMServer SCVMM01 -Name "RDPRule" -PortACL $SCPortACL -Description "Allow RDP Rule From MGMT Subnet" -Action Allow -Type Inbound -Priority 110 -Protocol Tcp -SourcePortRange 3389 -DestinationAddressPrefix 172.16.20.0/24 –Verbose

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 5

Next, we need to allow DNS/AD access for all subnets.

New-SCPortACLRule -VMMServer SCVMM01 -Name "ADDNS-Rule" -PortACL $SCPortACL -Description "Allow AD/DNS Rule" -Action Allow -Type Inbound -Priority 115 -Protocol Any -DestinationAddressPrefix 172.16.20.9 -Verbose

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 6

Last but not least, we will deny all remaining traffic.

New-SCPortACLRule -VMMServer SCVMM01 -Name "DenyALL" -PortACL $SCPortACL -Description "Deny All Rule" -Action Deny -Type Inbound -Priority 120 -Protocol Any -SourcePortRange Any –Verbose

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 7

If you run, Get-SCPortACL you will see four ACL rules that have been added to the ACL.

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 8

Attaching Port ACLs

After defining the new ACL and their rules, we need to attach them, Port ACLs can be attached to a VM Network (for No-Isolation type only) or to a VM Subnet (Hyper-V Network Virtualization HNV, VLAN, and External isolation type) and/or to (Virtual Network Adapters). ACL to VM Network/Subnet is a 1:1 relationship. However, one ACL can be attached to multiple Virtual Network Adapters. You can attach the new ACL using the below Powershell cmdlets for each type:

VM Network (only No Isolation type VM Network):

New-SCVMNetwork –PortACL <NetworkAccessControlList> [Rest-of-the-parameters]

Set-SCVMNetwork –PortACL <NetworkAccessControlList> –RemoveNetworkAccessControlList [Rest-of-the-parameters]

These rules will be applied to all VM virtual network adapters connected to this network.

VM Subnet (only VM Subnets – Hyper-V Network Virtualization HNV, VLAN, and External):

New-SCVMSubnet –PortACL <NetworkAccessControlList> [Rest-of-the-parameters]

Set-SCVMSubnet –PortACL <NetworkAccessControlList> –RemoveNetworkAccessControlList [Rest-of-the-parameters]

These rules will be applied to all VM virtual network adapters connected to this Subnet.

Virtual Network Adapter (includes Host vNIC and vmNICs in both cmdlets):

New-SCVirtualNetworkAdapter –PortACL <NetworkAccessControlList> [Rest-of-the-parameters]

Set-SCVirtualNetworkAdapter –PortACL <NetworkAccessControlList> –RemoveNetworkAccessControlList [Rest-of-the-parameters]

These rules can be attached to multiple Virtual Network Adapters including Host vNIC if you are using Converged Network Fabric in VMM

In this demo, I will attach the new ACL to VM Network (No Isolation), so the ACL rule will be applied to all Virtual Machines vmNICs connected to this network.

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 9

I will attach the newly created ACL using Set-SCVMNetwork because the VM Network exists in my environment, then followed by the parameter <PortACL> which is the new ACL created in the previous step.

$SCPortACL = Get-SCPortACL -VMMServer SCVMM01 
$SCVMNetwork = Get-SCVMNetwork | where {$_.Name –eq "Corp VM Network"}
Set-SCVMNetwork -VMMServer SCVMM01 -PortACL $SCPortACL -VMNetwork $SCVMNetwork –Verbose 

To confirm if the ACL is attached to VM Network, you can use Get-SCVMNetwork:

Get-SCVMNetwork | Where {$_.Name -eq "Corp VM Network"} | FL Name, IsolationType, PortACL

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 10

Verify ACL and ACL Rules

Now in order to verify and test the ACL and ACL rules that are being applied to the Virtual Machines’ virtual network adapters connected to the VM network, you need to refresh the VM and then remediate the vmNICs in VMM Admin Console.

After you refresh the VM, click on the Fabric Node and then click on Virtual Machines in the Ribbon.  Select the virtual adapter that you applied the ACL to, you should see the Network Compliance show up as “Not Compliant“. When the adapter is in this state, the Remediate button should be enabled.  Click it and the ACL should take effect at this time.

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 11

Let’s remediate all adapters and then test the ACL.

After you remediate the vmNIC adapter, you can verify the Extended Port ACL by accessing the Hyper-V host and running (Get-VMNetworkAdapterExtendedAcl)

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 12

As you can see the ACL rules are applied, please remember the Weight in Hyper-V Port ACLs (a higher value will take precedence!).

Let’s see this in action!

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 13

As you can see Ping failed, however HTTP on port 80 is reachable.

The next test is to check RDP access from the management VLAN.

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 14

RDP is accessible from the management subnet.

Now let’s check RDP access from a different subnet.

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 15

And finally, let’s check other types of traffic…

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 16

Fantastic! everything is working as expected.

Viewing ACL Rules

To view the ACLs & ACL Rules, you can use the following PowerShell cmdlets:

Get-SCPortACL

ParamSet 1: All/By Name

Get-SCPortACL [-Name <>]

ParamSet 2: By id

Get-SCPortACL -Id <> [-Name <>]

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 17

Get-SCPortACLRule

ParamSet 1: All/By Name

Get-SCPortACLRule [-Name <>]

ParamSet 2: By id

Get-SCPortACLRule -Id <>

ParamSet 3: By AccessControlListId

Get-SCPortACLRule –PortACL <NetworkAccessControlList>

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 18

Updating ACL Rules

When you update the ACL attached to virtual network adapters, the changes are reflected in all the network adapter instances using that ACL. For an ACL attached to a VM Subnet or VM Network, all the network adapter instances connected to that subnet/network are updated with the new changes.

Note: The task of updating ACL Rules “physically” on individual network adapters is done in parallel in a one-try best-effort scheme – for those that can’t be updated for any reason are marked “security incompliant” but the task finishes successfully with an error message stating the network adapters that were not updated successfully. Security incompliant here refers to compliance errors on a virtual network adapter due to a mismatch in expected vs actual ACL rules. As per the existing model, the adapter has a compliance state of “Not compliant” along with relevant error messages.

To update an ACL rule, we need to use Set-SCPortACLRule

Set-SCPortACLRule [-PortACLRule] <PortACLRule> [[-Description] <string>] [-Type <PortACLRuleDirection> {Inbound | Outbound}] [-Action <PortACLRuleAction> {Allow | Deny}] [-SourceAddressPrefix <string>] [-SourcePortRange <string>] [-DestinationAddressPrefix <string>] [-DestinationPortRange <string>] [-Protocol <PortACLRuleProtocol> {Tcp | Udp | Any}]

I will update the “DenyAllInbound” rule to deny only a specific IP subnet.

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 19

Set-SCPortACLRule -PortACLRule $SCPortACLRule -DestinationAddressPrefix 172.16.20.0/24

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 20

Deleting ACL & ACL Rules

An ACL can only be deleted if there are no other dependencies attached to it. Dependencies include VMNetwork/VMSubnet/VMNetworkAdapter/GlobalPortACL attached to the ACL. When you try to delete a PortACL using the PowerShell cmdlet it will detect if the PortACL is attached to any of the dependencies and will throw appropriate error messages.

Note that deleting a VM subnet/network adapter automatically removes the association with that ACL. An ACL can also be dis-associated from the subnet/network adapter by modifying the subnet/network adapter.

PowerShell cmdlet to delete an ACL:

Remove-SCPortACL -PortACL <NetworkAccessControlList>

PowerShell cmdlet to delete an ACL rule:

Remove-SCPortACLRule -PortACLRule <NetworkAccessControlListRule>

Step by Step: How To Deploy #Hyper-V Extended Port ACLs in System Center Virtual Machine Manager #SCVMM 21

Out-Of-Band Changes to ACL Rules

If you are doing Out of Band (OOB) changes to ACL Rules from the Hyper-V vSwitch side, VM Refresh in VMM will show the NIC as “Security Incompliant“. The Network Adapter can then be repaired from VMM using the below PowerShell Cmdlet. However, remediation will overwrite all the Rules done from the Hyper-V side with the rules as expected by VMM!

Repair-SCVirtualNetworkAdapter - VirtualNetworkAdapter <VirtualNetworkAdapter>

That’s it there you have it!

You can read more about the Update Rollup 8 for System Center Virtual Machine Manager here.

Until then… see you in the next post!

Cheers,
-Charbel

Photo of author
About the Author:
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.
Previous

Update Rollup 8 for System Center 2012 R2 is Now Available #SysCtr #SystemCenter #SCVMM

Step-by-Step: How to deploy Storage Spaces Tiering in System Center VMM

Next

Let us know what you think, or ask a question...