There are many reasons why you might want to isolate virtual machines at the NIC level in Hyper-V. Maybe you have different tenants on a cloud. Maybe you have some stuff that has high security requirements. If so, then there’s a new feature in Windows Server 2012 Hyper-V that you’ll like: Port ACLs (access control lists).
Port ACLs allow you to set rules as follows:
- Local MAC/IP address: what local address does this apply to?
- Remote IP/MAC address: what remote address does this apply to? Can be a specific IP address or network address or a wildcard.
- Action: Do you want to block, allow, or measure traffic that this rule applies to?
- Direction: Are you applying this rule to inbound traffic, outbound traffic, or traffic in both directions?
It’s important to note that Port ACLs work at the address level and not at the port or protocol level. If you need that level of granularity, then check out one of the certified Hyper-V Switch extensions that MSFT partners such as Cisco and 5Nine are producing.
Here’s a pair of sample scripts that I use to demo Port ACLs:
Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress * -Direction BOTH -Action Deny
Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress 192.168.1.20 -Direction BOTH -Action Allow
Get-VMNetworkAdapterAcl -VMName VM60
The above script will:
- Block all traffic to and from a VM called VM60.
- Allow traffic to and from 192.168.1.20 for VM60. The more specific allow rule overrides the block rule.
- Display the Port ACL rules that are applied to VM60 (the third line).
In the demo, I ping the default gateway (192.168.1.1). That stops working when I run this script on the host. And remember, I can move this VM to another switch or another host, and these Port ACLs should still apply. I then ping 192.168.1.20 and that works fine. I return to pinging 192.168.1.1 (which fails) and run this script:
Remove-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress * -Direction BOTH -Action Deny
Remove-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress 192.168.1.20 -Direction BOTH -Action Allow
Get-VMNetworkAdapterAcl -VMName VM60
The above script removes the rules that I previously added and displays the remaining rules (none). Suddenly the failing ping to 192.168.1.1 starts to work.
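As an added example (not the post’s own demo script), the same default-deny-then-allow pattern wrapped in a reusable function that applies the rules to one VM, optionally to a single NIC, and reads them back for verification. It assumes a VM named VM60 and that 192.168.1.0/24 is the only network it may talk to; both are placeholders, and the host needs the Hyper-V PowerShell module.

```powershell
# Added example, not the post's own script: build a Port ACL allowlist for a VM.
# Assumptions (placeholders): VM name 'VM60', allowed network '192.168.1.0/24'.
function Set-VMPortAclAllowlist {
    param(
        [Parameter(Mandatory)] [string]   $VMName,
        [Parameter(Mandatory)] [string[]] $AllowedRemoteNetworks,
        [string] $AdapterName                     # omit to target every NIC on the VM
    )
    $common = @{ VMName = $VMName }
    if ($AdapterName) { $common.VMNetworkAdapterName = $AdapterName }

    # 1. Deny everything. Explicit IPv4 and IPv6 wildcard networks are used so
    #    that both address families are covered by the block.
    foreach ($net in '0.0.0.0/0', '::/0') {
        Add-VMNetworkAdapterAcl @common -RemoteIPAddress $net -Direction Both -Action Deny
    }

    # 2. Allow only the listed remote networks. The more specific Allow entry
    #    wins over the broad Deny, so the order of the two steps does not matter.
    #    Port ACLs are address-level only: every port and protocol to these
    #    networks is permitted, so keep the list as narrow as possible.
    foreach ($net in $AllowedRemoteNetworks) {
        Add-VMNetworkAdapterAcl @common -RemoteIPAddress $net -Direction Both -Action Allow
    }

    # 3. Read back what the virtual switch actually holds and return it, so the
    #    caller can confirm the rules before relying on them. These rules move
    #    with the VM when it is migrated to another host or switch.
    Get-VMNetworkAdapterAcl @common
}

# Example run: restrict VM60 to the 192.168.1.0/24 network and show the result.
Set-VMPortAclAllowlist -VMName 'VM60' -AllowedRemoteNetworks '192.168.1.0/24' |
    Format-Table -AutoSize

# Rollback (commented out): remove every Port ACL on the VM via the pipeline.
# Get-VMNetworkAdapterAcl -VMName 'VM60' | Remove-VMNetworkAdapterAcl
```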
Rather than just blocking/allowing traffic, you could choose to measure it. For example, in a hosting environment you might create a rule to meter traffic to/from the Internet and bill the customer based on that.
With Port ACLs, you have basic built-in firewalling for virtual machines, and you have a way to measure traffic.
Couldn’t get it to work with -RemoteIpAddress *. Had to use -RemoteIpAddress any.