Create a Port ACL rule in Hyper-V with PowerShell

Not only can you create Port ACL rules in Hyper-V using PowerShell commands, you can also remove rules associated with a VM and query rules configured to a VM.

Hyper-V provides Port Access Control Lists to isolate VM traffic from other VMs on the same virtual LAN. Although there are other ways to isolate VM traffic, it's easiest to use Port ACLs. It's important to understand, however, that the Hyper-V Manager GUI doesn't provide a way to configure Port ACLs. Instead, you have to use Hyper-V PowerShell cmdlets to create Port ACLs, or Virtual Machine Manager if you're running System Center VMM 2012 R2 with Update Rollup 8.

There are three PowerShell cmdlets associated with Port ACLs: Add-VMNetworkAdapterACL, Remove-VMNetworkAdapterACL and Get-VMNetworkAdapterACL. As the name suggests, Add-VMNetworkAdapterACL adds a new Port ACL rule. The PowerShell cmdlet Remove-VMNetworkAdapterACL removes one or all Port ACL rules associated with a VM and Get-VMNetworkAdapterACL queries Port ACL rules configured on a VM.

When creating a Port ACL rule, you need three pieces of information. First, you need the media access control address, IPv4/IPv6 local or remote address or IP subnet for which the rule is created. This is sometimes referred to as the source of the traffic. The second element you need is the direction of traffic; this can be inbound, outbound or both. The last element you need to mention in a Port ACL rule is the action. Action specifies whether to block or allow traffic. You can also use the Meter value in place of Block or Allow if you'd like to meter the network traffic sent to a customer VM.

To configure a Port ACL rule, execute the command below:

Add-VMNetworkAdapterACL -VMName "SQLVM" -RemoteIPAddress <remote IP address> -Direction Both -Action Deny

As you can see, this configures an ACL rule for SQLVM, which specifies that the inbound and outgoing traffic -- indicated by the -Direction Both value -- from the remote computer must be blocked.

If you use the ANY value in place of a local or remote address in the -RemoteIPAddress parameter, it will either allow or block traffic to the VM for any address. An example with the ANY value is shown below:

Add-VMNetworkAdapterACL -VMName "SQLVM" -RemoteIPAddress ANY -Direction Both -Action Deny

If you want to see Port ACL rules associated with a VM, execute the Get-VMNetworkAdapterACL -VMName SQLVM command. To remove a specific Port ACL rule from a VM, execute Remove-VMNetworkAdapterACL -VMName SQLVM <Rule Parameter>. For example, to remove a specific rule, execute the Remove-VMNetworkAdapterACL -VMName SQLVM -RemoteIPAddress <remote IP address> -Direction Both -Action Allow PowerShell command.

If you want to remove all Port ACL rules associated with a particular VM, use Get-VMNetworkAdapterACL in conjunction with the Remove-VMNetworkAdapterACL PowerShell command as shown below:

Get-VMNetworkAdapterACL -VMName SQLVM | Remove-VMNetworkAdapterACL

Note that the Port ACL rule was introduced in Windows Server 2012, so you need to have the Hyper-V role running on Windows Server 2012 or later OSes, and VMs must be connected to the Hyper-V virtual switch before the Port ACL rules can be created.
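
The three cmdlets above can be combined into a default-deny baseline for a VM. The following is an added example, not code from the original article: the function name Set-VMPortAclBaseline is hypothetical, 10.0.0.0/24 is a constructed sample subnet, and the script assumes Hyper-V applies the most specific matching rule, so the subnet Allow rule takes precedence over the ANY Deny rule.

```powershell
# Added example: default-deny Port ACL baseline with an explicit allow list.
# 'SQLVM' comes from the article; 10.0.0.0/24 is a constructed sample value.
#Requires -Modules Hyper-V

function Set-VMPortAclBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $VMName,
        # IP addresses or subnets (CIDR) that may still talk to the VM.
        [Parameter(Mandatory)] [string[]] $AllowedRemote
    )

    # Port ACL rules can only be created once the VM is connected to a virtual switch.
    $adapters = Get-VMNetworkAdapter -VMName $VMName -ErrorAction Stop
    $detached = @($adapters | Where-Object { -not $_.SwitchName })
    if ($detached.Count -gt 0) {
        throw "VM '$VMName' has $($detached.Count) adapter(s) not connected to a virtual switch."
    }

    if ($PSCmdlet.ShouldProcess($VMName, 'Replace all Port ACL rules')) {
        # Start from a clean state so stale Allow rules do not survive.
        Get-VMNetworkAdapterACL -VMName $VMName | Remove-VMNetworkAdapterACL

        # Block all traffic in both directions ...
        Add-VMNetworkAdapterACL -VMName $VMName -RemoteIPAddress ANY -Direction Both -Action Deny

        # ... then allow only the listed sources (assumed to win as the more specific match).
        foreach ($remote in $AllowedRemote) {
            Add-VMNetworkAdapterACL -VMName $VMName -RemoteIPAddress $remote -Direction Both -Action Allow
        }
    }

    # Return the resulting rule set so it can be reviewed or logged.
    Get-VMNetworkAdapterACL -VMName $VMName
}

# Dry run: -WhatIf shows what would change and returns the current rules untouched.
Set-VMPortAclBaseline -VMName 'SQLVM' -AllowedRemote '10.0.0.0/24' -WhatIf
```

Drop -WhatIf to apply the rules, then test connectivity from an address inside and outside the allowed subnet to confirm the precedence behaves as assumed on your host.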

This was last published in September 2017
