Powershell function/tool to set/update Azure VM Endpoint Access Control List


One of the nice features introduced in 2014 is the Access Control List (ACL) for Azure VM Endpoints. I think of it as a free virtual firewall for each Azure VM. This is a really nice feature because it can be managed and automated from Powershell. It’s also scoped to a single VM, which is another nice design choice: it limits the possible effects of an error or misconfiguration to that one VM.

See this page on How to Set Up Endpoints to a Virtual Machine.

The script can be downloaded from the Microsoft Script Center Repository.

In the Azure management interface you can view a VM Endpoint ACL and view/edit its rules manually.

To get started with Azure Powershell see this post.

This Powershell cmdlet can also be used to show ACL rules (substitute the VM name and Endpoint name as needed of course):

Get-AzureAclConfig -EndpointName 'HTTP' -VM (Get-AzureVM | 
    where { $_.Name -eq 'EG01' }) | FT -Auto 


The script takes as input objects with 2 properties, IP and Date. Date is used by the script to populate the Description of the rule.

A list of the IPs to block can be obtained from the Get-IPsFromLogs function/tool. Used together, the two tools automate the process of obtaining a list of IPs from which a DDoS attack is originating and configuring the VM Endpoint ACL to block those IPs. Alternatively, the same IP list can be used to configure the Windows firewall inside the Azure VM to block those IPs. I prefer using the VM Endpoint ACL over the VM Windows firewall since the rule processing happens outside the VM, which offloads the VM processor and other precious resources.
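As an added example (not the downloadable Set-AzACL script from this post), the function below shows how such an IP/Date object list can be turned into Deny rules on an endpoint ACL with the classic Azure Service Management cmdlets. The function name is hypothetical, and it assumes that Get-AzureAclConfig returns a NetworkAclObject that enumerates its rules (RemoteSubnet, Order) and that Set-AzureEndpoint accepts -ACL; the subscription is assumed to be already selected.

```powershell
# Added example, not the post's Set-AzACL script. Assumes the classic Azure
# module is loaded and Select-AzureSubscription has been run.
function Add-EndpointDenyRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][psobject[]]$IPList,   # objects with IP and Date
        [Parameter(Mandatory = $true)][string]$VMName,
        [Parameter(Mandatory = $true)][string]$EndpointName
    )
    $vm = Get-AzureVM | Where-Object { $_.Name -eq $VMName }
    if (-not $vm) { throw "VM '$VMName' not found in the current subscription" }
    $vm = Get-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name   # full VM object

    # Start from the existing ACL so rules already in place are preserved.
    $acl = Get-AzureAclConfig -EndpointName $EndpointName -VM $vm
    if (-not $acl) { $acl = New-AzureAclConfig }
    $existing = @($acl | ForEach-Object { $_.RemoteSubnet })
    # Lower Order values are evaluated first; append after the highest existing one.
    $order = 1 + (($acl | Measure-Object -Property Order -Maximum).Maximum)

    $added = 0
    foreach ($entry in $IPList) {
        # Only accept well-formed IPv4 addresses; skip anything already denied.
        $ip = [System.Net.IPAddress]::None
        if (-not [System.Net.IPAddress]::TryParse($entry.IP, [ref]$ip) -or
            $ip.AddressFamily -ne 'InterNetwork') {
            Write-Warning "Skipping invalid IP '$($entry.IP)'"; continue
        }
        $subnet = "$($ip.IPAddressToString)/32"
        if ($existing -contains $subnet) { Write-Verbose "$subnet already blocked"; continue }
        Set-AzureAclConfig -AddRule -ACL $acl -Action Deny -RemoteSubnet $subnet `
            -Order $order -Description "Blocked $($entry.Date) by Add-EndpointDenyRules" | Out-Null
        $existing += $subnet; $order++; $added++
    }
    if ($added -eq 0) { Write-Verbose 'No new rules to apply'; return }

    # Update-AzureVM reprovisions the endpoint; the post notes about 60 s of interruption.
    if ($PSCmdlet.ShouldProcess("$VMName/$EndpointName", "Add $added Deny rule(s)")) {
        $vm | Set-AzureEndpoint -Name $EndpointName -ACL $acl | Update-AzureVM
    }
}
```

Run it with -WhatIf first to see how many rules would be added before the endpoint is actually updated.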

Here’s an example script that puts the Get-IPsFromLogs and Set-AzACL tools together:

$IntakeFolder = "D:\Docs\EG\Intake"
$DoneFolder = "D:\Docs\EG\Done"
$SubscriptionName = "YourSubscription"
$VMName = "EG01"
$EndpointName = "HTTP"
$Threshold = 400
$BlockList = Get-IPsFromLogs -Logs (Get-ChildItem -Path $IntakeFolder).FullName `
-Threshold $Threshold -Verbose 
$BlockList | FT -AutoSize
try {
    $Error.Clear()
    Set-AzACL -IPList $BlockList -SubscriptionName $SubscriptionName `
    -VMName $VMName -EndPointName $EndpointName -Verbose -ErrorAction stop
    Get-ChildItem -Path $IntakeFolder | Move-Item -Destination $DoneFolder 
} catch {
    Write-Warning $Error[0]
}

The folder d:\docs\EG\Intake in this example starts with a group of log files from the C:\Windows\System32\LogFiles\HTTPERR folder.


2 hours and 15 minutes later, the script had found a total of 2 offending IPs. One of them put out 11 million requests in under 10 hours.

Note: the last step of updating the ACL takes about 60 seconds, during which access to the VM is interrupted.

I ran the first 12 lines of the short controller script above on another group of log files – 613 of them, and got results like:


To be cautious, I will only add the top 2 IPs to the ACL:

Set-AzACL -IPList ($BlockList | Select -First 2) -SubscriptionName $SubscriptionName -VMName $VMName -EndPointName $EndpointName -Verbose 
