Use Datacenter Firewall to configure ACLs with PowerShell

Applies to: Azure Stack HCI, version 20H2; Windows Server 2019, Windows Server 2016

This topic provides instructions for configuring access control lists (ACLs) to manage data traffic flow using Datacenter Firewall for Software Defined Networking (SDN) in Azure Stack HCI using Windows PowerShell. You enable and configure Datacenter Firewall by creating ACLs that get applied to a subnet or a network interface. The example scripts in this topic use Windows PowerShell commands exported from the NetworkController module. You can also use Windows Admin Center to configure and manage ACLs.

Configure Datacenter Firewall to allow all traffic

Once you deploy SDN, you should test for basic network connectivity in your new environment. To accomplish this, create a rule for Datacenter Firewall that allows all network traffic, without restriction.

Use the entries in the following table to create a set of rules that allow all inbound and outbound network traffic.

Source IP   Destination IP   Protocol   Source Port   Destination Port   Direction   Action   Priority
*           *                All        *             *                  Inbound     Allow    100
*           *                All        *             *                  Outbound    Allow    110

In this example, you create an ACL with two rules:

  1. AllowAll_Inbound - allows all network traffic to pass into the network interface where this ACL is configured.
  2. AllowAll_Outbound - allows all traffic to pass out of the network interface.

This ACL, identified by the resource ID "AllowAll-1", is now ready to be used in virtual subnets and network interfaces.

First, connect to one of the cluster nodes by opening a PowerShell session:

Enter-PSSession <server-name>

Then, run the following script to create the ACL:

# Load the Network Controller cmdlets and object types used below
Import-Module NetworkController

# Rule 1: allow all inbound traffic, evaluated at priority 100
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "100"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"   # record matching flows in the firewall audit log
$aclrule1 = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule1.Properties = $ruleproperties
$aclrule1.ResourceId = "AllowAll_Inbound"

# Rule 2: allow all outbound traffic, evaluated at priority 110
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "110"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"
$aclrule2 = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule2.Properties = $ruleproperties
$aclrule2.ResourceId = "AllowAll_Outbound"

# Bundle both rules into one ACL and create it on Network Controller.
# Replace <NC REST FQDN> with your Network Controller REST endpoint (e.g. https://mync.contoso.local).
$acllistproperties = new-object Microsoft.Windows.NetworkController.AccessControlListProperties
$acllistproperties.AclRules = @($aclrule1, $aclrule2)
New-NetworkControllerAccessControlList -ResourceId "AllowAll" -Properties $acllistproperties -ConnectionUri <NC REST FQDN>

Note

The Windows PowerShell command reference for Network Controller is located in the topic Network Controller cmdlets.

Use ACLs to limit traffic on a subnet

In this example, you create an ACL that prevents virtual machines (VMs) within the 192.168.0.0/24 subnet from communicating with each other. This type of ACL is useful for limiting the ability of an attacker to spread laterally within the subnet, while still allowing the VMs to receive requests from outside of the subnet, as well as to communicate with other services on other subnets.

Source IP        Destination IP   Protocol   Source Port   Destination Port   Direction   Action   Priority
192.168.0.1      *                All        *             *                  Inbound     Allow    100
*                192.168.0.1      All        *             *                  Outbound    Allow    101
192.168.0.0/24   *                All        *             *                  Inbound     Block    102
*                192.168.0.0/24   All        *             *                  Outbound    Block    103
*                *                All        *             *                  Inbound     Allow    104
*                *                All        *             *                  Outbound    Allow    105

The ACL created by the example script below, identified by the resource ID Subnet-192-168-0-0, can now be applied to a virtual network subnet that uses the "192.168.0.0/24" subnet address. Any network interface that is attached to that virtual network subnet automatically gets the above ACL rules applied.

The following is an example script to create this ACL using the Network Controller REST API:

import-module networkcontroller
$ncURI = "https://mync.contoso.local"   # Network Controller REST endpoint
$aclrules = @()                          # rules are appended here in priority order

# Rule 1 (priority 100): allow inbound traffic from the subnet's router, 192.168.0.1
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "192.168.0.1"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "100"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowRouter_Inbound"
$aclrules += $aclrule

# Rule 2 (priority 101): allow outbound traffic to the router
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "192.168.0.1"
$ruleproperties.Priority = "101"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowRouter_Outbound"
$aclrules += $aclrule

# Rule 3 (priority 102): deny inbound traffic from any other host in 192.168.0.0/24
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Deny"
$ruleproperties.SourceAddressPrefix = "192.168.0.0/24"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "102"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "DenySubnet_Inbound"
$aclrules += $aclrule

# Rule 4 (priority 103): deny outbound traffic to any other host in 192.168.0.0/24
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Deny"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "192.168.0.0/24"
$ruleproperties.Priority = "103"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "DenySubnet_Outbound"
$aclrules += $aclrule   # without this append the outbound deny rule is silently dropped from the ACL

# Rule 5 (priority 104): allow all remaining inbound traffic (from outside the subnet)
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "104"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowAll_Inbound"
$aclrules += $aclrule

# Rule 6 (priority 105): allow all remaining outbound traffic (to other subnets)
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "105"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"

$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowAll_Outbound"
$aclrules += $aclrule

$acllistproperties = new-object Microsoft.Windows.NetworkController.AccessControlListProperties
$acllistproperties.AclRules = $aclrules

New-NetworkControllerAccessControlList -ResourceId "Subnet-192-168-0-0" -Properties $acllistproperties -ConnectionUri $ncURI
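The two scripts above repeat the same per-rule boilerplate. The following added example (not from the page or the NetworkController module) builds the same subnet-isolation ACL from a rule table using the cmdlets and object types shown above, refuses a table with duplicate priorities, and reads the ACL back to confirm what Network Controller stored; $ncURI and the -Force switch are assumptions consistent with the page's other scripts.

```powershell
# Added example: build the subnet-isolation ACL from a rule table and verify it.
Import-Module NetworkController
$ncURI = "https://mync.contoso.local"   # assumed Network Controller REST endpoint

function New-SdnAclRule {
    param(
        [Parameter(Mandatory)][string]$ResourceId,
        [Parameter(Mandatory)][ValidateSet("Inbound", "Outbound")][string]$Type,
        [Parameter(Mandatory)][ValidateSet("Allow", "Deny")][string]$Action,
        [Parameter(Mandatory)][int]$Priority,
        [string]$Source = "*",
        [string]$Destination = "*",
        [string]$Protocol = "All"
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol = $Protocol
    $p.SourcePortRange = "0-65535"
    $p.DestinationPortRange = "0-65535"
    $p.Action = $Action
    $p.SourceAddressPrefix = $Source
    $p.DestinationAddressPrefix = $Destination
    $p.Priority = [string]$Priority
    $p.Type = $Type
    $p.Logging = "Enabled"   # keep every rule auditable by the firewall auditing feature
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $ResourceId
    $r.Properties = $p
    return $r
}

# The same six rows as the subnet table above, in priority order.
$table = @(
    @{ ResourceId = "AllowRouter_Inbound";  Type = "Inbound";  Action = "Allow"; Priority = 100; Source = "192.168.0.1" }
    @{ ResourceId = "AllowRouter_Outbound"; Type = "Outbound"; Action = "Allow"; Priority = 101; Destination = "192.168.0.1" }
    @{ ResourceId = "DenySubnet_Inbound";   Type = "Inbound";  Action = "Deny";  Priority = 102; Source = "192.168.0.0/24" }
    @{ ResourceId = "DenySubnet_Outbound";  Type = "Outbound"; Action = "Deny";  Priority = 103; Destination = "192.168.0.0/24" }
    @{ ResourceId = "AllowAll_Inbound";     Type = "Inbound";  Action = "Allow"; Priority = 104 }
    @{ ResourceId = "AllowAll_Outbound";    Type = "Outbound"; Action = "Allow"; Priority = 105 }
)

# A lower priority number is evaluated first, so a duplicated priority in one
# direction makes the deny/allow ordering ambiguous; refuse to push such a table.
$dupes = $table | Group-Object { "$($_.Type):$($_.Priority)" } | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate priorities: $($dupes.Name -join ', ')" }

$rules = foreach ($row in $table) { New-SdnAclRule @row }
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ResourceId "Subnet-192-168-0-0" -Properties $aclProps -ConnectionUri $ncURI -Force | Out-Null

# Read the ACL back and show the rule order Network Controller stored.
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $ncURI -ResourceId "Subnet-192-168-0-0"
$acl.Properties.AclRules | Sort-Object { [int]$_.Properties.Priority } |
    Format-Table ResourceId, { $_.Properties.Type }, { $_.Properties.Action }, { $_.Properties.Priority }
```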

Add an ACL to a network interface

Once you've created an ACL and assigned it to a virtual subnet, you might want to override that default ACL on the virtual subnet with a specific ACL for an individual network interface. Beginning in Windows Server 2019 Datacenter, you can apply specific ACLs directly to network interfaces attached to SDN logical networks, in addition to SDN virtual networks. If you have ACLs set on the virtual subnet connected to the network interface, both ACLs are applied, and the network interface ACLs are prioritized above the virtual subnet ACLs.

In this example, we demonstrate how to add an ACL to a virtual network.

Tip

It is also possible to add an ACL at the same time that you create the network interface.

  1. Get or create the network interface to which you will add the ACL.

    $nic = get-networkcontrollernetworkinterface -ConnectionUri $uri -ResourceId "MyVM_Ethernet1"
    
  2. Get or create the ACL you will add to the network interface.

    $acl = get-networkcontrolleraccesscontrollist -ConnectionUri $uri -ResourceId "AllowAllACL"
    
  3. Assign the ACL to the AccessControlList property of the network interface.

    $nic.properties.ipconfigurations[0].properties.AccessControlList = $acl
    
  4. Add the network interface in Network Controller.

    new-networkcontrollernetworkinterface -ConnectionUri $uri -Properties $nic.properties -ResourceId $nic.resourceid
    

Remove an ACL from a network interface

In this example, we show you how to remove an ACL from a network interface. Removing an ACL applies the default set of rules to the network interface. The default set of rules allows all outbound traffic but blocks all inbound traffic. If you want to allow all inbound traffic, you must follow the previous example to add an ACL that allows all inbound and all outbound traffic.

  1. Get the network interface from which you will remove the ACL.

    $nic = get-networkcontrollernetworkinterface -ConnectionUri $uri -ResourceId "MyVM_Ethernet1"
    
  2. Assign $null to the AccessControlList property of the ipConfiguration.

    $nic.properties.ipconfigurations[0].properties.AccessControlList = $null
    
  3. Add the network interface object in Network Controller.

    new-networkcontrollernetworkinterface -ConnectionUri $uri -Properties $nic.properties -ResourceId $nic.resourceid
    

Firewall auditing

Introduced in Windows Server 2019, firewall auditing is a new capability for the Datacenter Firewall that records any flow processed by SDN firewall rules. All ACLs that have logging enabled are recorded. The log files must be in a syntax that is consistent with the Azure Network Watcher flow logs. These logs can be used for diagnostics or archived for later analysis.

Here is a sample script to enable firewall auditing on the host servers. Update the variables at the beginning and run this on an Azure Stack HCI cluster with Network Controller deployed:

$logpath = "C:\test\log1"
$servers = @("sa18n22-2", "sa18n22-3", "sa18n22-4")
$uri = "https://sa18n22sdn.sa18.nttest.microsoft.com"

# Create log directories on the hosts
invoke-command -Computername $servers  {
    param(
        $Path
    )
    mkdir $path    -force
} -argumentlist $LogPath

# Set firewall auditing settings on Network Controller
$AuditProperties = new-object Microsoft.Windows.NetworkController.AuditingSettingsProperties
$AuditProperties.OutputDirectory = $logpath
set-networkcontrollerauditingsettingsconfiguration -connectionuri $uri -properties $AuditProperties -force  | out-null

# Enable logging on each server
$servers = get-networkcontrollerserver -connectionuri $uri
foreach ($s in $servers) {
    $s.properties.AuditingEnabled = @("Firewall")
    new-networkcontrollerserver -connectionuri $uri -resourceid $s.resourceid -properties $s.properties -force | out-null
}

Once enabled, a new file appears in the specified directory on each host about once per hour. You should periodically process these files and remove them from the hosts. The current file has zero length and is locked until flushed at the next hour mark:

PS C:\test\log1> dir

    Directory: C:\test\log1

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/19/2018   6:28 AM          17055 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL122803093.json
-a----        7/19/2018   7:28 AM           7880 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL132803173.json
-a----        7/19/2018   8:28 AM           7867 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL142803264.json
-a----        7/19/2018   9:28 AM          10949 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL152803360.json
-a----        7/19/2018   9:28 AM              0 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL162803464.json

These files contain a sequence of flow events, for example:

{
    "records": [
        {
            "properties":{
                "Version":"1.0",
                "flows":[
                    {
                        "flows":[
                            {
                                "flowTuples":["1531963580,192.122.0.22,192.122.255.255,138,138,U,I,A"],
                                "portId":"9",
                                "portName":"7290436D-0422-498A-8EB8-C6CF5115DACE"
                            }
                        ],
                        "rule":"Allow_Inbound"
                    }
                ]
            },
            "operationName":"NetworkSecurityGroupFlowEvents",
            "resourceId":"394f647d-2ed0-4c31-87c5-389b8c0c8132",
            "time":"20180719:L012620622",
            "category":"NetworkSecurityGroupFlowEvent",
            "systemId":"d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a"
            },

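To turn these files into something you can query, here is an added example (not from the page or the NetworkController module) that expands each flowTuples entry, which follows the Network Watcher v1 layout time,srcIP,dstIP,srcPort,dstPort,protocol,direction,decision, into objects and summarizes denied flows per source and rule, the signal you would watch for once the subnet-isolation ACL above is in place. The JSON sample is constructed in the file format shown above, not a real capture.

```powershell
# Added example: parse SdnFirewallAuditing JSON and summarize denied flows.
function ConvertFrom-SdnFirewallAudit {
    param([Parameter(Mandatory)][string]$JsonText)
    $doc = $JsonText | ConvertFrom-Json
    foreach ($rec in $doc.records) {
        foreach ($ruleFlows in $rec.properties.flows) {
            foreach ($portFlows in $ruleFlows.flows) {
                foreach ($tuple in $portFlows.flowTuples) {
                    # Tuple layout: time,srcIp,dstIp,srcPort,dstPort,proto(T/U),dir(I/O),decision(A/D)
                    $f = $tuple -split ','
                    if ($f.Count -ne 8) { Write-Warning "Skipping malformed tuple: $tuple"; continue }
                    [pscustomobject]@{
                        Time       = [DateTimeOffset]::FromUnixTimeSeconds([long]$f[0]).UtcDateTime
                        SourceIp   = $f[1]
                        DestIp     = $f[2]
                        SourcePort = [int]$f[3]
                        DestPort   = [int]$f[4]
                        Protocol   = @{ T = 'TCP'; U = 'UDP' }[$f[5]]
                        Direction  = @{ I = 'Inbound'; O = 'Outbound' }[$f[6]]
                        Decision   = @{ A = 'Allow'; D = 'Deny' }[$f[7]]
                        Rule       = $ruleFlows.rule
                        PortName   = $portFlows.portName
                        SystemId   = $rec.systemId
                    }
                }
            }
        }
    }
}

# Constructed sample in the audit file's format: one allowed broadcast and two
# flows between subnet neighbours that the DenySubnet_Inbound rule rejected.
$sample = @'
{"records":[{"properties":{"Version":"1.0","flows":[
  {"rule":"AllowAll_Inbound","flows":[{"portId":"9","portName":"7290436D-0422-498A-8EB8-C6CF5115DACE",
    "flowTuples":["1531963580,192.122.0.22,192.122.255.255,138,138,U,I,A"]}]},
  {"rule":"DenySubnet_Inbound","flows":[{"portId":"9","portName":"7290436D-0422-498A-8EB8-C6CF5115DACE",
    "flowTuples":["1531963601,192.168.0.23,192.168.0.22,51000,22,T,I,D",
                  "1531963602,192.168.0.23,192.168.0.22,51001,80,T,I,D"]}]}
]},"operationName":"NetworkSecurityGroupFlowEvents","resourceId":"394f647d-2ed0-4c31-87c5-389b8c0c8132",
"time":"20180719:L012620622","category":"NetworkSecurityGroupFlowEvent","systemId":"d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a"}]}
'@

$flows = ConvertFrom-SdnFirewallAudit -JsonText $sample
# For real files, skip the zero-length current file, which is still locked:
#   Get-ChildItem $logpath -Filter 'SdnFirewallAuditing.*.json' | Where-Object Length -gt 0 |
#       ForEach-Object { ConvertFrom-SdnFirewallAudit -JsonText (Get-Content $_.FullName -Raw) }

# Denied flows grouped by source and matching rule, busiest sources first.
$flows | Where-Object Decision -eq 'Deny' |
    Group-Object SourceIp, Rule |
    ForEach-Object {
        [pscustomobject]@{
            Source = $_.Group[0].SourceIp
            Rule   = $_.Group[0].Rule
            Denied = $_.Count
            Ports  = ($_.Group.DestPort | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Denied -Descending | Format-Table -AutoSize
```
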
Note that logging takes place only for rules that have Logging set to Enabled, for example:

{
    "Tags":  null,
    "ResourceRef":  "/accessControlLists/AllowAll",
    "InstanceId":  "4a63e1a5-3264-4986-9a59-4e77a8b107fa",
    "Etag":  "W/\"1535a780-0fc8-4bba-a15a-093ecac9b88b\"",
    "ResourceMetadata":  null,
    "ResourceId":  "AllowAll",
    "Properties":  {
                       "ConfigurationState":  null,
                       "ProvisioningState":  "Succeeded",
                       "AclRules":  [
                                        {
                                            "ResourceMetadata":  null,
                                            "ResourceRef":  "/accessControlLists/AllowAll/aclRules/AllowAll_Inbound",
                                            "InstanceId":  "ba8710a8-0f01-422b-9038-d1f2390645d7",
                                            "Etag":  "W/\"1535a780-0fc8-4bba-a15a-093ecac9b88b\"",
                                            "ResourceId":  "AllowAll_Inbound",
                                            "Properties":  {
                                                               "Protocol":  "All",
                                                               "SourcePortRange":  "0-65535",
                                                               "DestinationPortRange":  "0-65535",
                                                               "Action":  "Allow",
                                                               "SourceAddressPrefix":  "*",
                                                               "DestinationAddressPrefix":  "*",
                                                               "Priority":  "101",
                                                               "Description":  null,
                                                               "Type":  "Inbound",
                                                               "Logging":  "Enabled",
                                                               "ProvisioningState":  "Succeeded"
                                                           }
                                        },
                                        {
                                            "ResourceMetadata":  null,
                                            "ResourceRef":  "/accessControlLists/AllowAll/aclRules/AllowAll_Outbound",
                                            "InstanceId":  "068264c6-2186-4dbc-bbe7-f504c6f47fa8",
                                            "Etag":  "W/\"1535a780-0fc8-4bba-a15a-093ecac9b88b\"",
                                            "ResourceId":  "AllowAll_Outbound",
                                            "Properties":  {
                                                               "Protocol":  "All",
                                                               "SourcePortRange":  "0-65535",
                                                               "DestinationPortRange":  "0-65535",
                                                               "Action":  "Allow",
                                                               "SourceAddressPrefix":  "*",
                                                               "DestinationAddressPrefix":  "*",
                                                               "Priority":  "110",
                                                               "Description":  null,
                                                               "Type":  "Outbound",
                                                               "Logging":  "Enabled",
                                                               "ProvisioningState":  "Succeeded"
                                                           }
                                        }
                                    ],
                       "IpConfigurations":  [

                                            ],
                       "Subnets":  [
                                       {
                                           "ResourceMetadata":  null,
                                           "ResourceRef":  "/virtualNetworks/10_0_1_0/subnets/Subnet1",
                                           "InstanceId":  "00000000-0000-0000-0000-000000000000",
                                           "Etag":  null,
                                           "ResourceId":  null,
                                           "Properties":  null
                                       }
                                   ]
                   }
}

Next steps

For related information, see also: