Create a Port ACL rule in Hyper-V with PowerShell

Hyper-V provides Port Access Control Lists to isolate VM traffic from other VMs on the same virtual LAN. Although there are other ways to isolate VM traffic, it's easiest to use Port ACLs. It's important to understand, however, that the Hyper-V Manager GUI doesn't provide a way to configure Port ACLs. Instead, you have to use Hyper-V PowerShell cmdlets to create Port ACLs or Virtual Machine Manager if you're running System Center VMM 2012 R2 with Update Rollup 8.

There are three PowerShell cmdlets associated with Port ACLs: Add-VMNetworkAdapterACL, Remove-VMNetworkAdapterACL and Get-VMNetworkAdapterACL. As the name suggests, Add-VMNetworkAdapterACL adds a new Port ACL rule. The PowerShell cmdlet Remove-VMNetworkAdapterACL removes one or all Port ACL rules associated with a VM and Get-VMNetworkAdapterACL queries Port ACL rules configured on a VM.

When creating a Port ACL rule, you need three pieces of information. First, you need the media access control address, IPv4/IPv6 local or remote address or IP subnet for which the rule is created. This is sometimes referred to as the source of the traffic. The second element you need is the direction of traffic; this can be inbound, outbound or both. The last element you need to mention in a Port ACL rule is the action. Action specifies whether to block or allow traffic. You can also use the Meter value in place of Block or Allow if you'd like to meter the network traffic sent to a customer VM.

To configure a Port ACL rule, execute the command below:

Add-VMNetworkAdapterACL –VMName “SQLVM” –RemoteIPAddress 10.10.10.66 –Direction Both –Action Deny

As you can see, this configures an ACL rule for SQLVM, which specifies that the inbound and outgoing traffic -- indicated by the -Direction Both value -- from the remote computer 10.10.10.66 must be blocked.

If you use the ANY value in place of a local or remote address in the -RemoteIPAddress parameter, it will either allow or block traffic to the VM for any address. An example with the ANY value is shown below:

Note that the Port ACL rule was introduced in Windows Server 2012, so you need to have Hyper-V role running on Windows Server 2012 or later OSes. Also, VMs must be connected to the Hyper-V virtual switch before the Port ACL rules can be created.

Add-VMNetworkAdapterACL –VMName “SQLVM” –RemoteIPAddress ANY –Direction Both –Action Deny

If you want to see Port ACL rules associated with a VM, execute the Get-VMNetworkAdapaterACL –VMName SQLVM command. To remove a specific Port ACL rule from a VM, execute Remove-VMNetworkAdapterACL –VMName SQLVM <Rule Parameter>. For example, to remove a specific rule, execute the Remove-VMNetworkAdapterACL –VMName SQLVM –RemoteIPAddress 192.160.10.10 –Direction Both –Action Allow PowerShell command.

If you want to remove all Port ACL rules associated with a particular VM, use Get-VMNetworkAdapterACL in conjunction with the Remove-VMNetworkAdapterACL PowerShell command as shown below:

Get-VMNetworkAdapterACL –VMName SQLVM | Remove-VMNetworkAdapterACL

Note that the Port ACL rule was introduced in Windows Server 2012, so you need to have the Hyper-V role running on Windows Server 2012 or later OSes, and VMs must be connected to the Hyper-V virtual switch before the Port ACL rules can be created.