Hyper-V provides Port Access Control Lists to isolate VM traffic from other VMs on the same virtual LAN. Although there are other ways to isolate VM traffic, it's easiest to use Port ACLs. It's important to understand, however, that the Hyper-V Manager GUI doesn't provide a way to configure Port ACLs. Instead, you have to use Hyper-V PowerShell cmdlets to create Port ACLs or Virtual Machine Manager if you're running System Center VMM 2012 R2 with Update Rollup 8.
There are three PowerShell cmdlets associated with Port ACLs: Add-VMNetworkAdapterACL, Remove-VMNetworkAdapterACL and Get-VMNetworkAdapterACL. As the name suggests, Add-VMNetworkAdapterACL adds a new Port ACL rule. The PowerShell cmdlet Remove-VMNetworkAdapterACL removes one or all Port ACL rules associated with a VM and Get-VMNetworkAdapterACL queries Port ACL rules configured on a VM.
When creating a Port ACL rule, you need three pieces of information. First, you need the media access control address, IPv4/IPv6 local or remote address or IP subnet for which the rule is created. This is sometimes referred to as the source of the traffic. The second element you need is the direction of traffic; this can be inbound, outbound or both. The last element you need to mention in a Port ACL rule is the action. Action specifies whether to block or allow traffic. You can also use the Meter value in place of Block or Allow if you'd like to meter the network traffic sent to a customer VM.
To configure a Port ACL rule, execute the command below:
Add-VMNetworkAdapterACL –VMName “SQLVM” –RemoteIPAddress 10.10.10.66 –Direction Both –Action Deny
As you can see, this configures an ACL rule for SQLVM, which specifies that the inbound and outgoing traffic -- indicated by the -Direction Both value -- from the remote computer 10.10.10.66 must be blocked.
If you use the ANY value in place of a local or remote address in the -RemoteIPAddress parameter, it will either allow or block traffic to the VM for any address. An example with the ANY value is shown below:
Add-VMNetworkAdapterACL –VMName “SQLVM” –RemoteIPAddress ANY –Direction Both –Action Deny
If you want to see Port ACL rules associated with a VM, execute the Get-VMNetworkAdapaterACL –VMName SQLVM command. To remove a specific Port ACL rule from a VM, execute Remove-VMNetworkAdapterACL –VMName SQLVM <Rule Parameter>. For example, to remove a specific rule, execute the Remove-VMNetworkAdapterACL –VMName SQLVM –RemoteIPAddress 126.96.36.199 –Direction Both –Action Allow PowerShell command.
If you want to remove all Port ACL rules associated with a particular VM, use Get-VMNetworkAdapterACL in conjunction with the Remove-VMNetworkAdapterACL PowerShell command as shown below:
Get-VMNetworkAdapterACL –VMName SQLVM | Remove-VMNetworkAdapterACL
Note that the Port ACL rule was introduced in Windows Server 2012, so you need to have the Hyper-V role running on Windows Server 2012 or later OSes, and VMs must be connected to the Hyper-V virtual switch before the Port ACL rules can be created.
Navigate different Hyper-V files and folders
Take advantage of new Hyper-V 2016 features
Learn about supported guest OSes in Hyper-V 2016
Dig Deeper on Microsoft Hyper-V management
Related Q&A from Nirmal Sharma
Use System Center Virtual Machine Manager and PowerShell to make logical network management easy. Execute a script to display network virtualization ... Continue Reading
Hyper-V replication is easy to use, but there are a number of steps you should take during Hyper-V replication setup to ensure you stay abreast of ... Continue Reading
Manage Hyper-V clusters more easily with PowerShell cmdlets and scripts that automate the retrieval and display of node information, including node ... Continue Reading