
How to Deploy and Manage Software-Defined Networking using SCVMM 2016 – Part III

  • December 9, 2016
  • 9 min read
Microsoft MVP Charbel Nemnom is an accomplished technical professional with over 13 years of broad IT project management and infrastructure experience serving on and guiding technical teams to optimize performance of enterprise systems. He has practical knowledge of complex systems builds, network design and virtualization. Charbel has extensive experience in various systems, focusing on Microsoft Cloud Platform, Hyper-V, Datacenter Management, Cloud Computing, security, data protection, and many types of monitoring tools as well as a solid knowledge of technical reporting.

Network policy

Introduction

In Part I of this series, we created the tenant virtual network and connected two VMs to it using System Center Virtual Machine Manager, and then we validated that the two VMs can route to each other.

In Part II, we created a public Virtual IP Address (VIP) on the Software Load Balancer (SLB) using the VMM console and PowerShell, through which we were able to reach a website on the virtual network. We also created a site-to-site (S2S) VPN to a remote site.

In this final Part III, we will restrict inbound access to the Web server VMs (VM1 and VM2) that we deployed in Part I, and limit what the Web servers themselves are able to reach to only what they need. This reduces the attack surface of the Web servers and limits their ability to reach other services if one of them were to be compromised.

For more information about Extended Port ACLs in VMM, please check the following article:

https://charbelnemnom.com/2015/10/step-by-step-how-to-deploy-hyper-v-extended-port-acls-in-system-center-2012-r2-with-update-rollup-8-hyperv-scvmm/

Please make sure to read Part I first for an overview of the infrastructure and the VMM Logical Network that we use throughout this series.

Add Dynamic Security with Port ACLs

In the following steps, we will restrict access to the Web server VMs and limit what the Web servers are able to reach to only what they need.

As of this writing, Port ACLs in Virtual Machine Manager are managed through Windows PowerShell only; there is no console UI for them.

  1. Open the SCVMM console and click the “Home” ribbon tab. Click the PowerShell button in the ribbon.
  2. To create a new Access Control List (ACL), type the following command in the “Windows PowerShell console – Virtual Machine Manager” window and press Enter:
  3. To create an inbound rule that allows HTTP, type the following command and press Enter:
  4. To create an inbound rule that blocks all other traffic by default, type the following command and press Enter:
  5. To create an outbound rule that allows DNS, type the following command and press Enter:
  6. To create an outbound rule that allows HTTP across the S2S VPN, type the following command and press Enter. Update the destination IP address according to your environment.
  7. To create an outbound rule that blocks all other traffic by default, type the following command and press Enter:
  8. Last but not least, to apply the ACL to the Web server subnet, type the following command and press Enter. After a few seconds the ACL is applied to both Web servers (VM1 and VM2).
  9. To verify access through the Virtual IP, open Internet Explorer and navigate to http://41.40.40.8 (your IP might be different). Confirm that the page shown is the “IIS start default page”, as in the following screenshot:
  10. To verify site-to-site connectivity to the remote site, connect to Web server VM1 and VM2, open Internet Explorer and navigate to: (your IP might be different). Confirm that the web page opens.
  11. In the final step, we verify the ACL restrictions by connecting to “VM2” via the console. Open Internet Explorer and navigate to http://192.168.1.4 (the IP of the VM1 web server). The browser should report “This page can’t be displayed”, because outbound HTTP from VM2 is allowed only towards the remote site and every other outbound connection is denied.
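The command text for steps 2 to 8 is not reproduced on this page, so the following is an added example, written for this article rather than taken from it, of how the same default-deny ACL can be built and applied with the VMM 2016 PowerShell cmdlets (New-SCPortACL, New-SCPortACLRule, Get-SCVMSubnet, Set-SCVMSubnet). The ACL and subnet names, the remote-site prefix and the priority values are assumptions chosen for the illustration; the property names used in the final listing are assumed from the PortACLRule object and may need adjusting to your VMM build.

```powershell
# Added example (not the article's own commands): build a default-deny port ACL for
# the Web server subnet and attach it so that VM1 and VM2 inherit it.
# Lower -Priority values are evaluated first, so every explicit Allow rule must carry
# a lower number than the catch-all Deny rule in the same direction.

# Environment-specific values: both are placeholders, not values from the article.
$remoteSitePrefix = "10.0.0.0/24"   # remote-site subnet reached over the S2S VPN (step 6)
$subnetName       = "Web-Subnet"     # VM subnet that VM1 and VM2 are connected to (step 8)

# Step 2: the ACL object. -ManagedByNC hands the rules to the Network Controller,
# which enforces them on the Hyper-V switch port of every VM NIC on the subnet.
$acl = New-SCPortACL -Name "Web-ACL" -Description "Web server default-deny ACL" -ManagedByNC

# Steps 3-4, inbound: allow HTTP to the web server, deny everything else.
New-SCPortACLRule -PortACL $acl -Name "Allow-HTTP-In" -Type Inbound -Action Allow `
    -Protocol Tcp -LocalPortRange 80 -Priority 100
New-SCPortACLRule -PortACL $acl -Name "Deny-All-In" -Type Inbound -Action Deny `
    -Protocol Any -Priority 200

# Steps 5-7, outbound: allow DNS, allow HTTP only towards the remote site, deny the rest.
# Note that this allows DNS over UDP only; a resolver that falls back to TCP/53 for
# large responses would be caught by Deny-All-Out, so add a Tcp rule if you need it.
New-SCPortACLRule -PortACL $acl -Name "Allow-DNS-Out" -Type Outbound -Action Allow `
    -Protocol Udp -RemotePortRange 53 -Priority 100
New-SCPortACLRule -PortACL $acl -Name "Allow-HTTP-Out-S2S" -Type Outbound -Action Allow `
    -Protocol Tcp -RemotePortRange 80 -RemoteAddressPrefix $remoteSitePrefix -Priority 110
New-SCPortACLRule -PortACL $acl -Name "Deny-All-Out" -Type Outbound -Action Deny `
    -Protocol Any -Priority 200

# Step 8: attach the ACL to the VM subnet; every VM NIC on that subnet inherits it.
$subnet = Get-SCVMSubnet -Name $subnetName
Set-SCVMSubnet -VMSubnet $subnet -PortACL $acl

# Review the effective rule set in the order the switch evaluates it (per direction).
Get-SCPortACLRule -PortACL $acl |
    Sort-Object Type, Priority |
    Format-Table Name, Type, Action, Protocol, LocalPortRange, RemotePortRange, RemoteAddressPrefix, Priority -AutoSize
```

Because the outbound allow for HTTP is scoped to the remote-site prefix, the check in step 11 (VM2 browsing to VM1 on 192.168.1.4) is blocked by Deny-All-Out even though inbound HTTP on VM1 is permitted; the table printed at the end is the quickest way to confirm that the allows sort above the denies before you test from the consoles.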

Screenshot: Virtual Machine Viewer

Summary

In this final part, we restricted inbound access to the Web server VMs and limited what the Web servers are able to reach to only what they need. This reduces the attack surface of the Web servers and limits their ability to reach other services if one of them were to be compromised.

I hope this series has been informative to you, and I would like to thank you for reading!
