Network Access Control List Capability in Windows Azure Powershell
In the most recent Windows Azure Powershell release we introduced Public Endpoint Network Access Control Lists (ACLs). It is a security enhancement available for your Windows Azure deployment. An ACL provides the capability to selectively permit or deny traffic for virtual machine endpoint. You can use a Network ACL for the following scenarios:
- Allowing access to services only from a select range of IP addresses
- Blacklisting IP addresses
Network ACLs provide the capability to:
- Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to an input endpoint of a virtual machine
- Create multiple rules per virtual machine endpoint
- Specify up to 50 ACL rules per virtual machine endpoint
- Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
How a network ACL works
When a virtual machine is created a default ACL is put in place to block all incoming traffic. If an endpoint is created, say for RDP (port 3389), then the default ACL is modified to allow all inbound traffic for that endpoint. Inbound traffic from any remote subnet is allowed to that endpoint provided appropriate firewall provisioning is done for that port on the VM. All other ports are blocked for inbound traffic unless endpoints are created for those ports. Outbound traffic is allowed by default.
When an ACL is specified, the packet filtering happens on the host node of your VM. This prevents your VM from spending precious CPU cycles on packet filtering. While the default ACL may suit your purposes, there may be situations where you want to create a new ACL object and apply it to the virtual machine endpoint.
Default ACL table
|Rule #||Remote Subnet||Endpoint||Permit/Deny|
Network ACLs and permit/deny
You can selectively permit or deny network traffic for an input endpoint of a virtual machine by creating rules that permit or deny communication.
Points to consider:
- No ACL – By default on creating an endpoint, we do permit all for the endpoint.
- Permit – When you add one or more “permit” range, you are denying all other ranges by default. Only packets from the permitted IP range will be able to communicate with the virtual machine endpoint.
- Deny – When you add one or more “deny” range, you are permitting all other ranges of traffic by default.
- Combination of Permit and Deny – You can use a combination of “permit” and “deny” when you want to carve out a specific IP range to be permitted or denied.
- Get-AzureACLConfig [-VM ] [-EndpointName ]
- Remove-AzureACLConfig [-VM ] [-EndpointName ]
Set-AzureAclConfig [-AddRule ] [-RemoveRule] [-SetRule ]
[-ACL ] [-RuleID ] [-Order ] [-Action ] [-RemoteSubnet ] [-Description ]
- Add-AzureEndpoint (-ACL Parameter)
- Set-AzureEndpoint (-ACL Parameter)
Network ACLs and rule precedence
Network ACLs can be set up on a specific virtual machine endpoint. For example, you can specify multiple rules for the network ACL on your load balanced endpoint on port 1433. When multiple rules are specified, we follow a lowest takes precedence rule order. In the example below, network access is to be permitted for remote subnet IPv4 address 220.127.116.11/8, but a smaller range within this is to be denied access. Specifying the deny rule with lower rule # will achieve this scenario as illustrated below.
|Rule #||Remote Subnet||Endpoint||Permit/Deny|
Create the new network ACL object.
$acl = New-AzureAclConfig # Set a rule that permits access from a remote subnet. In the example # below, you set rule 100 (which has priority over rule 200 and higher) # to allow the remote subnet 10.0.0.0/8 access to the virtual # machine endpoint. Replace the values with your own configuration # requirements. The name "SharePoint ACL config" should be replaced # with the friendly #name that you want to call this rule. Set-AzureAclConfig –AddRule –ACL $acl –Order 100 –Action Deny ` –RemoteSubnet "18.104.22.168/24" –Description "Deny rule ACL config" #Output: RuleId : 0 Order : 100 Action : Deny RemoteSubnet : 22.214.171.124/24 Description : Deny rule ACL config # For additional rules, repeat the cmdlet, replacing the values with your # own configuration requirements. Be sure to change the rule number Order # to reflect the order in which you want the rules to be applied. # The lower rule number takes precedence over the higher number. Set-AzureAclConfig –AddRule –ACL $acl –Order 200 –Action Permit ` –RemoteSubnet "126.96.36.199/8" –Description "Multi-tier app ACL config" #Output: RuleId : 0 Order : 100 Action : Deny RemoteSubnet : 188.8.131.52/24 Description : Deny rule ACL config RuleId : 1 Order : 200 Action : Permit RemoteSubnet : 184.108.40.206/8 Description : Multi-tier app ACL config # Update the ACL config object values with your own configuration requirements. # Be sure to change the rule number Order to reflect the order in which # you want the rules to be applied. The lower rule number takes precedence # over the higher number. Get-AzureVM –ServiceName sqlserveralwayson –Name sqlvm1 | Set-AzureEndpoint –Name SQLEndpoint –Protocol tcp –LocalPort 1433 ` –PublicPort 1433 –ACL $acl | Update-AzureVM #Output: OperationDescription OperationId OperationStatus -------------------- ----------- --------------- Update-AzureVM ad302fbc-0b17-4cd1-845c-54988563dc9e Succeeded # You can query the ACL configuration on an endpoint by doing the following. $endpoint = Get-AzureVM -ServiceName sqlserveralwayson -Name sqlvm1 | Get-AzureEndpoint -Name SQLEndpoint $endpoint.acl #Output: RuleId : 0 Order : 100 Action : Deny RemoteSubnet : 220.127.116.11/24 Description : Deny rule ACL config RuleId : 1 Order : 200 Action : Permit RemoteSubnet : 18.104.22.168/8 Description : Multi-tier app ACL config
Network ACLs and Load Balanced Set
Network ACLs can be specified on a Load balanced set (LB Set) endpoint. In that case, the Network ACL is applied to all Virtual Machines in that LB Set. For example, if a LB Set is created with “Port 80” and the LB Set contains 3 VMs. The Network ACL created on endpoint “Port 80” of one VM will automatically apply to the other VMs.
Custom probe can be specified on a Load Balanced Set to determine the health of a VM. Custom probe can be specified on any port in the VM, due to a current limitation in Azure, custom probe must be specified on a port different from the load balanced endpoint. In the example below, probe port is specified:
Set-AzureLoadBalancedEndpoint –ServiceName sqlserveralwayson –LBSetName "MySQLLBSet" ` –Protocol tcp –LocalPort 1433 –PublicPort 1433 –ProbePort 80 ` –ProbeProtocolTcp –ACL $acl | Update-AzureVM # Output: OperationDescription OperationId OperationStatus -------------------- ----------- --------------- Set-AzureLoadBalancedEndpoint cc47e80a-3ad2-45f3-a1cf-6feeb149d317 Succeeded
In summary, the following cmdlets have been introduced for Network ACLs.
Network ACLs feature is exposed for Virtual Machine endpoint in this release, but stay tuned for more improvements in this area. As the Windows Azure team augments the capabilities and provides support for other endpoint types and roles. They will also be fixing the limitation on requiring custom probe and load balanced endpoint being on different ports.