Hyper-V provides port access control lists (Port ACLs) to isolate a VM's traffic from other VMs on the same virtual LAN. There are other ways to isolate VM traffic, but Port ACLs are the simplest to apply. Be aware, however, that the Hyper-V Manager GUI offers no way to configure them: you have to use the Hyper-V PowerShell cmdlets, or Virtual Machine Manager if you're running System Center VMM 2012 R2 with Update Rollup 8.
There are three PowerShell cmdlets for Port ACLs: Add-VMNetworkAdapterACL, Remove-VMNetworkAdapterACL and Get-VMNetworkAdapterACL. As the names suggest, Add-VMNetworkAdapterACL adds a Port ACL rule, Remove-VMNetworkAdapterACL removes one or all of the Port ACL rules on a VM, and Get-VMNetworkAdapterACL lists the rules configured on a VM. Rules are attached to a VM's virtual network adapters; if a VM has more than one adapter, add -VMNetworkAdapterName to target a specific one, otherwise the rule is applied to all of the VM's adapters.
When creating a Port ACL rule, you need three pieces of information. First, you need the address the rule matches on: a media access control address, an IPv4/IPv6 address or an IP subnet in CIDR notation, given as either the local or the remote end of the traffic (-LocalMacAddress, -RemoteMacAddress, -LocalIPAddress or -RemoteIPAddress). The remote address is the peer the VM is talking to, regardless of which side initiated the traffic. The second element is the direction of traffic (-Direction), which can be Inbound, Outbound or Both. The last element is the action (-Action), which is Allow or Deny. You can also use the Meter value in place of Allow or Deny if you only want to meter the network traffic sent to a customer VM rather than filter it.
To configure a Port ACL rule, execute the command below:
Add-VMNetworkAdapterACL -VMName "SQLVM" -RemoteIPAddress 10.10.10.66 -Direction Both -Action Deny
This configures an ACL rule for SQLVM which specifies that inbound and outbound traffic, indicated by the -Direction Both value, to and from the remote computer 10.10.10.66 must be blocked.
If you use the ANY value in place of a specific local or remote address, the rule matches every address, so it allows or blocks all traffic to the VM in the given direction. Combined with more specific Allow rules, this is how you build a default-deny allow list for a VM. An example with the ANY value is shown below:
Add-VMNetworkAdapterACL -VMName "SQLVM" -RemoteIPAddress ANY -Direction Both -Action Deny
If you want to see the Port ACL rules associated with a VM, execute the Get-VMNetworkAdapterACL -VMName SQLVM command. To remove a specific Port ACL rule from a VM, execute Remove-VMNetworkAdapterACL -VMName SQLVM followed by the same address, direction and action parameters the rule was created with; the values must match the existing rule exactly. For example, to remove a specific rule, execute the Remove-VMNetworkAdapterACL -VMName SQLVM -RemoteIPAddress 220.127.116.11 -Direction Both -Action Allow PowerShell command.
If you want to remove all Port ACL rules associated with a particular VM, pipe the output of Get-VMNetworkAdapterACL into Remove-VMNetworkAdapterACL as shown below:
Get-VMNetworkAdapterACL -VMName SQLVM | Remove-VMNetworkAdapterACL
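The following script ties the three cmdlets together into the pattern a practitioner actually wants: wipe whatever rules are on the VM, install a default-deny rule for ANY remote address, add Allow rules for the few peers that legitimately talk to the database, and then read the rules back and fail loudly if the expected entries are not there. It is an added example, not code from the original article. The VM name SQLVM, the application subnet 10.10.20.0/24 and the management host 10.10.10.5 are assumed for illustration, and the verification step reads the Direction, Action and RemoteAddress properties of the objects Get-VMNetworkAdapterACL returns.

```powershell
# Added example: default-deny Port ACL with an allow list for one VM.
# Assumed names and addresses: SQLVM, 10.10.20.0/24 (app subnet), 10.10.10.5 (management host).
param(
    [string]$VMName = 'SQLVM',
    [string[]]$AllowedRemote = @('10.10.20.0/24', '10.10.10.5')
)

# Requires the Hyper-V role and module (Windows Server 2012 or later).
Import-Module Hyper-V -ErrorAction Stop

# 1. Start from a clean slate: remove every Port ACL currently on the VM.
Get-VMNetworkAdapterAcl -VMName $VMName | Remove-VMNetworkAdapterAcl

# 2. Default deny: block all traffic in both directions for any remote address.
Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress ANY -Direction Both -Action Deny

# 3. Allow list: a more specific (longer prefix) rule takes precedence over the ANY rule,
#    which is what lets these Allow entries punch holes in the default deny.
#    Port ACLs are stateless, so the Allow rules must be Both to let replies through.
foreach ($remote in $AllowedRemote) {
    Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $remote -Direction Both -Action Allow
}

# 4. Read the rules back and show them in a compact table.
$rules = Get-VMNetworkAdapterAcl -VMName $VMName
$rules | Format-Table Direction, Action, LocalAddress, RemoteAddress -AutoSize

# 5. Verify: the default deny must exist and every allowed peer must have its Allow rule.
$deny = $rules | Where-Object { $_.Action -eq 'Deny' -and $_.Direction -eq 'Both' }
if (-not $deny) {
    throw "Default deny rule is missing on $VMName"
}
$allowedOnVM = ($rules | Where-Object { $_.Action -eq 'Allow' }).RemoteAddress
foreach ($remote in $AllowedRemote) {
    if ($allowedOnVM -notcontains $remote) {
        throw "Allow rule for $remote is missing on $VMName"
    }
}
Write-Output "Port ACLs on $VMName verified: default deny plus $($AllowedRemote.Count) allowed peer(s)."
```

Run it from an elevated PowerShell session on the Hyper-V host (or pass -ComputerName to the cmdlets to target a remote host). Because step 1 removes all existing rules before the default deny is added, there is a brief window in which the VM is unfiltered; if that matters for your environment, add the Deny rule first and remove only the stale rules afterwards.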
Note that Port ACLs were introduced in Windows Server 2012, so you need to have the Hyper-V role running on Windows Server 2012 or later OSes, and the VM's network adapter must be connected to a Hyper-V virtual switch before the Port ACL rules can take effect. Keep in mind that these basic Port ACLs match only on address and direction: they are stateless and cannot filter by protocol or TCP/UDP port. For that you need the extended Port ACLs added in Windows Server 2012 R2, which are managed with the separate Add-VMNetworkAdapterExtendedAcl, Get-VMNetworkAdapterExtendedAcl and Remove-VMNetworkAdapterExtendedAcl cmdlets.
Related Q&A from Nirmal Sharma