In the latest update of Azure PowerShell commandlets, there is an option to set network ACLS for VM end points. Using this option, you can
- Allow/block access to an endpoint based on the IP address range
- Maximum of 50 ACL rules are possible per VM
- Lower numbered rules take precedence over higher number rules
- If you create a permit ACL, all other IP ranges are blocked.
- Similarly, if you define a Deny rule, All other Ips are permitted
- If no ACLs are defined, it is permit all by default
Steps for setting a permit ACL for a particular IP is given below. Before executing the same, make sure that you have set the subscriptions correctly as per my previous post.
- Create a new acl object
- Create the permit rule and add it to the acl
Set-AzureAclConfig -AddRule -ACL $acl -Order 50 -Action Permit -RemoteSubnet "220.127.116.11/32" -Description "Test-ACL confguration"
Here I am explicitly permitting access from a public IP
- Now we need to apply this rule to the VM endpoint. Inorder to get the available endpoints in the VM, you can use the following command
get-azureVM -ServiceName testvm1 -Name testvm1 |Get-AzureEndpoint
Then you need to set ACL for the required endpoint. In this example, I am going to set an ACL for the RDP endpoint of my test VM
Get-AzureVM -Servicename rmtestmis2 -Name testvm1 | Set-AzureEndpoint -Name 'Remote Desktop' -Protocol tcp -LocalPort 3389 -PublicPort 3389 -ACL $acl | Update-AzureVM
- Once the task is completed successfully, we will test the acl status using the following comand
$endpoint = Get-AzureVM -ServiceName testvm1 -Name testvm1 |Get-AzureEndpoint -Name 'Remote Desktop'