Managing Access Control Lists (ACLs) for Endpoints by using PowerShell

Updated: February 6, 2014

You can create and manage Network Access Control Lists (ACLs) for endpoints by using Windows Azure PowerShell or the Management Portal. In this topic, you’ll find procedures for common ACL tasks that you can complete using PowerShell. For the list of Windows Azure PowerShell cmdlets, see Windows Azure Management Cmdlets. For more information about ACLs, see About Network Access Control Lists (ACLs). If you want to manage your ACLs by using the Management Portal, see How to Set Up Endpoints to a Virtual Machine.

You can use Windows Azure PowerShell cmdlets to create, remove, and configure (set) Network Access Control Lists (ACLs). We’ve included a few examples of some of the ways you can configure an ACL using PowerShell.

To retrieve a complete list of the ACL PowerShell cmdlets, you can use either of the following:

  • get-help *-AzureACL*

  • get-command -module azure -name *ACL*

The example below illustrates a way to create a new ACL that contains rules. This ACL is then applied to a virtual machine endpoint. The ACL rules in the example below will allow access from a remote subnet. To create a new Network ACL with permit rules for a remote subnet, open a Windows Azure PowerShell ISE. Copy and paste the script below, configuring the script with your own values, and then run the script.

  1. Create the new network ACL object.

    C:\PS> $acl1 = New-AzureAclConfig
    
  2. Set a rule that permits access from a remote subnet. In the example below, you set rule 100 (which has priority over rule 200 and higher) to allow the remote subnet 10.0.0.0/8 access to the virtual machine endpoint. Replace the values with your own configuration requirements. The name “SharePoint ACL config” should be replaced with the friendly name that you want to call this rule.

    C:\PS> Set-AzureAclConfig -AddRule -ACL $acl1 -Order 100 -Action permit -RemoteSubnet "10.0.0.0/8" -Description "SharePoint ACL config"
    
  3. For additional rules, repeat the cmdlet, replacing the values with your own configuration requirements. Be sure to change the rule number Order to reflect the order in which you want the rules to be applied. The lower rule number takes precedence over the higher number.

    C:\PS> Set-AzureAclConfig -AddRule -ACL $acl1 -Order 200 -Action permit -RemoteSubnet "157.0.0.0/8" -Description "web frontend ACL config"
    
  4. Next, you can either create a new endpoint (Add) or set the ACL for an existing endpoint (Set). In this example, we will add a new virtual machine endpoint called “web” and update the virtual machine endpoint with the ACL settings.

    Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name "web" -Protocol tcp -LocalPort 80 -PublicPort 80 -ACL $acl1 |
    Update-AzureVM
    
    
  5. Next, combine the cmdlets and run the script. For this example, the combined cmdlets would look like this:

    $acl1 = New-AzureAclConfig
    Set-AzureAclConfig -AddRule -ACL $acl1 -Order 100 -Action permit -RemoteSubnet "10.0.0.0/8" -Description "SharePoint ACL config"
    Set-AzureAclConfig -AddRule -ACL $acl1 -Order 200 -Action permit -RemoteSubnet "157.0.0.0/8" -Description "web frontend ACL config"
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name "web" -Protocol tcp -LocalPort 80 -PublicPort 80 -ACL $acl1 |
    Update-AzureVM
    
    
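As an added example that is not part of the original page, the following audit function uses the same cmdlets to list every endpoint on a virtual machine together with its ACL rules in precedence order (lowest Order first) and to flag endpoints that have no ACL at all or that permit 0.0.0.0/0. It assumes the Windows Azure Service Management module (Get-AzureVM, Get-AzureEndpoint, Get-AzureAclConfig), that the ACL object exposes a Rules collection with Order, Action and RemoteSubnet properties as set by the cmdlets above, and that the endpoint object exposes Name, Protocol and Port; Get-EndpointAclReport is a hypothetical name.

```powershell
# Added audit helper (not from the original page). Assumes the Azure Service
# Management module and that $acl.Rules exposes Order, Action and RemoteSubnet.
function Get-EndpointAclReport {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $VMName
    )

    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName

    foreach ($ep in ($vm | Get-AzureEndpoint)) {
        # Assumption: an endpoint without an ACL yields $null or an empty Rules list.
        $acl   = $vm | Get-AzureAclConfig -EndpointName $ep.Name
        $rules = @()
        if ($acl -and $acl.Rules) {
            # Lower Order wins, so sort into the order the rules are evaluated.
            $rules = @($acl.Rules | Sort-Object Order)
        }

        $findings = @()
        if ($rules.Count -eq 0) {
            # No ACL means no source restriction on this endpoint.
            $findings += 'No ACL: endpoint reachable from any remote subnet'
        }
        foreach ($r in $rules) {
            if ($r.Action -eq 'permit' -and $r.RemoteSubnet -eq '0.0.0.0/0') {
                $findings += "Rule $($r.Order) permits 0.0.0.0/0 (only lower-numbered deny rules restrict it)"
            }
        }

        [pscustomobject]@{
            Endpoint   = $ep.Name
            Protocol   = $ep.Protocol
            PublicPort = $ep.Port
            RuleCount  = $rules.Count
            Rules      = ($rules | ForEach-Object { "$($_.Order):$($_.Action) $($_.RemoteSubnet)" }) -join '; '
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage: replace the placeholder values with your own service and VM names.
# Get-EndpointAclReport -ServiceName 'MyCloudService' -VMName 'MyVM' | Format-Table -AutoSize
```

Run it after applying an ACL to confirm that the rules you added are the ones the endpoint actually carries, and that the Findings column is empty for every exposed endpoint.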

The example below illustrates a way to remove a network ACL rule. To remove a Network ACL rule with permit rules for a remote subnet, open a Windows Azure PowerShell ISE. Copy and paste the script below, configuring the script with your own values, and then run the script.

  1. The first step is to get the Network ACL object for the virtual machine endpoint. You’ll then remove the ACL rule; in this case, by rule ID. This removes only rule ID 0 from the ACL. It does not remove the ACL object from the virtual machine endpoint.

    # Capture the endpoint's ACL in $acl1 so the same object can be reapplied in step 2.
    C:\PS> $acl1 = Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureAclConfig -EndpointName "web"
    C:\PS> Set-AzureAclConfig -RemoveRule -ID 0 -ACL $acl1
    
    
  2. Next, you must apply the Network ACL object to the virtual machine endpoint and update the virtual machine.

    C:\PS> Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -ACL $acl1 -Name "web" |
    Update-AzureVM
    
    

In certain scenarios, you might want to remove a Network ACL object from a virtual machine endpoint. To do that, open a Windows Azure PowerShell ISE. Copy and paste the script below, configuring the script with your own values, and then run the script.

C:\PS> Get-AzureVM -ServiceName $serviceName -Name $vmName |
Remove-AzureAclConfig -EndpointName "web" |
Update-AzureVM

© 2014 Microsoft