
How to Deploy and Manage Software-Defined Networking using SCVMM 2016 – Part III

Posted by Charbel Nemnom on December 9, 2016

[Figure: Data plane]

Introduction

In Part I of this series, we created the tenant virtual network and connected two VMs to it using System Center Virtual Machine Manager, and then we validated that both VMs can route to each other.

In Part II, we created a public Virtual IP Address (VIP) on the Software Load Balancer (SLB) using the VMM console and PowerShell, through which we were able to access a website on the virtual network. We also created a Site-to-site (S2S) VPN to a remote site.

In the final Part III, we will be restricting access to the Web server VMs (VM1 and VM2) that we have already deployed in Part I, as well as limiting what the Web server is able to access to only what it needs. This reduces the attack surface of the Web server as well as limits its ability to attack other services if it were to be compromised.

For more information about Extended Port ACLs in VMM, please check the following article:

https://charbelnemnom.com/2015/10/step-by-step-how-to-deploy-hyper-v-extended-port-acls-in-system-center-2012-r2-with-update-rollup-8-hyperv-scvmm/

Please make sure to check Part I so you can have an overview about the infrastructure and the VMM Logical Network that we are using throughout this series.

Add Dynamic Security with Port ACLs

In the following steps, we will be restricting access to the Web server VMs as well as limiting what the Web server is able to access to only what it needs:

As of this writing, Port ACLs in Virtual Machine Manager can be managed only through Windows PowerShell; there is no console UI for them.

  1. Open the SCVMM console and click on the “Home” ribbon tab. Click the PowerShell button in the ribbon.
  2. To create a new Access Control List (ACL), in the “Windows PowerShell console – Virtual Machine Manager” window, type the following command and press Enter:
  3. To create an inbound rule for HTTP, type the following command and press Enter:
  4. To create an inbound rule to block all traffic by default, type the following command and press Enter:
  5. To create an outbound rule to allow DNS, type the following command and press Enter:
  6. To create an outbound rule to allow HTTP across the S2S VPN, type the following command and press Enter. Update the destination IP address according to your environment.
  7. To create an outbound rule to block all traffic by default, type the following command and press Enter:
  8. Last but not least, to apply the ACL to the Web server subnet, type the following command and press Enter. After a few seconds the ACL will be applied to both Web servers (VM1 and VM2).
  9. To verify Virtual IP access, open Internet Explorer and navigate to http://41.40.40.8 (your IP might be different). Confirm that the page shown is the “IIS start default page”, as in the following screenshot: [Screenshot: IIS start default page]
  10. To verify Site-to-site connectivity to the remote site, connect to Web server VM1 or VM2, open Internet Explorer, navigate to http://60.60.60.1 (your IP might be different) and confirm that the web page opens.
  11. In the final step, verify the ACL restrictions by connecting to “VM2” via the console. Open Internet Explorer and navigate to http://192.168.1.4 (the IP of the VM1 web server). The browser should report “This page can’t be displayed”.
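The following script is an added example, not the post's own commands: it builds the Web-server port ACL that steps 2 to 8 describe (HTTP in, DNS and HTTP-to-remote-site out, deny everything else), attaches it to the tenant VM subnet and prints the rule set in evaluation order. The cmdlets are the VMM Port ACL cmdlets; the ACL and rule names, the VM subnet name "Tenant Subnet" and the remote S2S prefix 60.60.60.0/24 (derived from the 60.60.60.1 address used above) are assumptions to adjust for your environment.

```powershell
# Added example (not the post's own commands). Run inside the
# "Windows PowerShell console - Virtual Machine Manager" window.
# Assumed names: ACL/rule names, VM subnet "Tenant Subnet", remote prefix 60.60.60.0/24.

# 1. An empty ACL managed by the Network Controller (the SDN fabric applies it on the vSwitch data plane).
$acl = New-SCPortACL -Name "WebServerACL" -Description "Web tier: HTTP in, DNS and S2S HTTP out" -ManagedByNC

# 2. Inbound: allow HTTP to the web tier, deny everything else.
#    Lower priority numbers are evaluated first, so the Deny-Any rule must carry a higher number.
New-SCPortACLRule -PortACL $acl -Name "AllowHTTPInbound" -Type Inbound -Action Allow -Priority 100 -Protocol Tcp -LocalPortRange 80
New-SCPortACLRule -PortACL $acl -Name "DenyAllInbound"   -Type Inbound -Action Deny  -Priority 200 -Protocol Any

# 3. Outbound: DNS and HTTP to the remote site only, deny everything else.
New-SCPortACLRule -PortACL $acl -Name "AllowDNSOutbound" -Type Outbound -Action Allow -Priority 100 -Protocol Udp -RemotePortRange 53
# Assumed remote S2S prefix; replace with your remote site's address range.
New-SCPortACLRule -PortACL $acl -Name "AllowHTTPToS2S"   -Type Outbound -Action Allow -Priority 110 -Protocol Tcp -RemotePortRange 80 -RemoteAddressPrefix "60.60.60.0/24"
New-SCPortACLRule -PortACL $acl -Name "DenyAllOutbound"  -Type Outbound -Action Deny  -Priority 200 -Protocol Any

# 4. Attach the ACL to the Web server subnet; VMM pushes it to every vNIC on that subnet (VM1 and VM2).
$subnet = Get-SCVMSubnet -Name "Tenant Subnet"   # assumed subnet name
Set-SCVMSubnet -VMSubnet $subnet -PortACL $acl

# 5. Review what was actually applied, ordered the way the data plane evaluates it.
Get-SCPortACLRule -PortACL $acl |
    Sort-Object Type, Priority |
    Format-Table Name, Type, Action, Priority, Protocol, LocalPortRange, RemotePortRange, RemoteAddressPrefix -AutoSize
```

Two things are worth checking against the output of the last command. First, the check in step 11 succeeds because of the outbound side of the ACL, not the inbound side: VM1's inbound rule would accept a TCP/80 connection from anywhere, but VM2's outbound rules only allow DNS and HTTP to the remote prefix, so the connection to 192.168.1.4 is dropped by "DenyAllOutbound" before it leaves VM2's vNIC. That is the lateral-movement restriction the post is after. Second, the DNS rule as written permits UDP/53 to any destination; adding `-RemoteAddressPrefix` with your DNS server's address narrows it further, which is a cheap hardening step once the rest is verified.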

[Screenshot: Virtual Machine Viewer]

Summary

In the final part, we restricted access to the Web server VMs as well as limiting what the Web server is able to access to only what it needs. This reduces the attack surface of the Web server as well as limits its ability to attack other services if it were to be compromised.

I hope this series has been informative to you, and I would like to thank you for reading!
