With TechEd North America under way this week, there have been a number of announcements in the Windows Azure space.
As always, Scott Guthrie has a great post on his blog outlining most of the new features announced this week.
Cloud Service ACLs
However, one announced feature was not mentioned in that blog post: Azure ACLs (Access Control Lists). An ACL lets you permit or deny access to an Azure Virtual Machine endpoint based on the remote subnet (a CIDR address range).
An ACL makes a service endpoint more secure by refusing unwanted traffic before it reaches the VM. It also opens the door to using the Azure load balancing endpoint for internal services like a SQL AlwaysOn controller.
Only in PowerShell
The small caveat is that there is no portal UI support for ACLs: as of June 4th 2013, you need PowerShell to set this up.
Commands
PS C:\Users\Tyler> Get-Command -Noun AzureAcl*
CommandType     Name
-----------     ----
Cmdlet          Get-AzureAclConfig
Cmdlet          New-AzureAclConfig
Cmdlet          Remove-AzureAclConfig
Cmdlet          Set-AzureAclConfig
Get-AzureAclConfig and Remove-AzureAclConfig operate on a particular VM/endpoint pair; New-AzureAclConfig and Set-AzureAclConfig operate on the ACL configuration object itself.
Creating a controlled endpoint
# Create an empty ACL object and add a single Permit rule for one /32 address.
$acl = New-AzureAclConfig
Set-AzureAclConfig -ACL $acl -AddRule Permit -RemoteSubnet "50.72.11.172/32" -Description "Tylers Access" -Order 1
# Attach the ACL to the existing endpoint "internal" on the VM
# (Set-AzureEndpoint modifies an existing endpoint; Add-AzureEndpoint creates a new one).
$vm = Get-AzureVM -ServiceName "mySvc" -Name "web01"
Set-AzureEndpoint -VM $vm -Name "internal" -PublicPort 8080 -LocalPort 8080 -ACL $acl
# Nothing takes effect until the VM configuration is pushed back to Azure.
Update-AzureVM -VM $vm
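As an added example (not code from the original post), the function below generalizes the single-rule snippet above to a whole allow-list: it builds a fresh ACL from a hashtable of CIDR ranges, one Permit rule each, and attaches it to an existing endpoint using only the cmdlets shown on this page. The service, VM and endpoint names and the subnet ranges in the sample call are constructed placeholders.

```powershell
function Set-EndpointAllowList {
    param(
        [Parameter(Mandatory=$true)] [string]    $ServiceName,
        [Parameter(Mandatory=$true)] [string]    $VMName,
        [Parameter(Mandatory=$true)] [string]    $EndpointName,
        [Parameter(Mandatory=$true)] [hashtable] $AllowedSubnets   # CIDR -> description
    )

    # Sanity-check the CIDR strings locally before they reach the service;
    # a malformed entry would otherwise only fail (or silently misbehave) at apply time.
    $cidrPattern = '^(\d{1,3})(\.\d{1,3}){3}/(\d|[12]\d|3[0-2])$'
    foreach ($cidr in $AllowedSubnets.Keys) {
        if ($cidr -notmatch $cidrPattern) { throw "Not a valid IPv4 CIDR: $cidr" }
    }

    # Build a fresh ACL instead of editing the existing one, so stale rules
    # left behind by earlier changes cannot survive this update.
    $acl = New-AzureAclConfig
    $order = 100
    foreach ($cidr in ($AllowedSubnets.Keys | Sort-Object)) {
        Set-AzureAclConfig -ACL $acl -AddRule Permit -RemoteSubnet $cidr `
            -Description $AllowedSubnets[$cidr] -Order $order
        $order += 100   # leave gaps so rules can be inserted later without renumbering
    }

    # Attach the ACL to the (already existing) endpoint and push the VM configuration.
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    Set-AzureEndpoint -VM $vm -Name $EndpointName -ACL $acl
    Update-AzureVM -VM $vm
}

# Constructed sample call: only the office range and one jump host may reach "internal".
Set-EndpointAllowList -ServiceName "mySvc" -VMName "web01" -EndpointName "internal" -AllowedSubnets @{
    "203.0.113.0/24"  = "Office (constructed example range)"
    "198.51.100.7/32" = "Jump host (constructed example range)"
}
```

Because the ACL contains only Permit rules, every source outside the listed ranges is refused at the endpoint.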
Editing a controlled endpoint
One ACL config object can contain many rules. Set-AzureAclConfig offers three parameters for maintaining them:
-AddRule
-RemoveRule -ID <Int32>
-SetRule -ID <Int32>
Editing an existing rule in an ACL config object looks like this:
# Fetch the VM and the ACL currently attached to its "Web" endpoint.
$vm = Get-AzureVM -ServiceName "mysvc" -Name "web01"
$acl = Get-AzureAclConfig -EndpointName "Web" -VM $vm
# Change the order and description of rule ID 0 (IDs are listed by Get-AzureAclConfig).
Set-AzureAclConfig -SetRule -ID 0 -ACL $acl -Order 102 -Description "New Description"
# Re-attach the modified ACL and push the configuration.
Set-AzureEndpoint -ACL $acl -Name "Web" -VM $vm
Update-AzureVM -VM $vm
Removing a specific rule from an ACL config object:
$vm = Get-AzureVM -ServiceName "mysvc" -Name "web01"
$acl = Get-AzureAclConfig -EndpointName "Web" -VM $vm
# Drop rule ID 1; the remaining rules keep their IDs and order.
Set-AzureAclConfig -RemoveRule -ID 1 -ACL $acl
Set-AzureEndpoint -ACL $acl -Name "Web" -VM $vm
Update-AzureVM -VM $vm
Removing the ACL from an endpoint
$vm = Get-AzureVM -ServiceName "mysvc" -Name "web01"
# Detach the ACL from the endpoint entirely; with no ACL, the endpoint accepts traffic from any source again.
Remove-AzureAclConfig -EndpointName "web" -VM $vm
Update-AzureVM -VM $vm
That is about all that I have for now. Stay tuned for more updates when the portal is updated to support ACL configuration.
Thanks for reading.