Set Network ACLs using Windows Azure Powershell Commands
In the latest update of Azure PowerShell commandlets, there is an option to set network ACLS for VM end points. Using this option, you can
- Allow/block access to an endpoint based on the IP address range
- Maximum of 50 ACL rules are possible per VM
- Lower numbered rules take precedence over higher number rules
- If you create a permit ACL, all other IP ranges are blocked.
- Similarly, if you define a Deny rule, All other Ips are permitted
- If no ACLs are defined, it is permit all by default
Steps for setting a permit ACL for a particular IP is given below. Before executing the same, make sure that you have set the subscriptions correctly as per my previous post.
- Create a new acl object
- Create the permit rule and add it to the acl
Set-AzureAclConfig -AddRule -ACL $acl -Order 50 -Action Permit -RemoteSubnet "22.214.171.124/32" -Description "Test-ACL confguration"
Here I am explicitly permitting access from a public IP
- Now we need to apply this rule to the VM endpoint. Inorder to get the available endpoints in the VM, you can use the following command
get-azureVM -ServiceName testvm1 -Name testvm1 |Get-AzureEndpoint
Then you need to set ACL for the required endpoint. In this example, I am going to set an ACL for the RDP endpoint of my test VM
Get-AzureVM -Servicename rmtestmis2 -Name testvm1 | Set-AzureEndpoint -Name 'Remote Desktop' -Protocol tcp -LocalPort 3389 -PublicPort 3389 -ACL $acl | Update-AzureVM
- Once the task is completed successfully, we will test the acl status using the following comand
$endpoint = Get-AzureVM -ServiceName testvm1 -Name testvm1 |Get-AzureEndpoint -Name 'Remote Desktop'