
Commit 712b4c7

bnichmsBrian Nicholsisra-fel
authored
Az.StackHCI Attestation firewall and network updates (#16935)
* Az.StackHCI Attestation network updates * Update src/StackHCI/ChangeLog.md Co-authored-by: Brian Nichols <[email protected]> Co-authored-by: Yeming Liu <[email protected]>
1 parent eca070a commit 712b4c7


3 files changed

+146
-2
lines changed


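--- a/src/StackHCI/Az.StackHCI.psm1
+++ b/src/StackHCI/Az.StackHCI.psm1
@@ -3458,7 +3458,7 @@ param(
 }
 else
 {
-Write-Warning "Found additional IMDS configuration on guest $($VM.Name) adapter count=$($adapterCount)"
+Write-Information ("Found additional IMDS configuration on guest $($VM.Name) adapter count=$($adapterCount)")
 $vmAdapter = $foundAdapter[0]
 }
 
@@ -3509,6 +3509,25 @@ param(
 }
 try
 {
+$ignoreAdaptersParams = @{
+Path = "HKLM:\system\currentcontrolset\services\clussvc\parameters"
+Name = "ExcludeAdaptersByFriendlyName"
+}
+$propVal = $VmSwitchParams.Name
+$propExists = Get-ItemProperty @ignoreAdaptersParams -ErrorAction SilentlyContinue
+
+if ($propExists)
+{
+$existingEntries = $propExists.ExcludeAdaptersByFriendlyName -Split ","
+if ($existingEntries -notcontains $propVal)
+{
+$existingEntries += $propVal
+}
+$propVal = $existingEntries -Join ","
+}
+
+New-ItemProperty @ignoreAdaptersParams -Value $propVal -Force -ErrorAction SilentlyContinue | Out-Null
+
 Write-Information "Searching for previous IMDS switch"
 if ($VmSwitchParams.SwitchId)
 {
@@ -3545,6 +3564,32 @@ param(
 
 $hostNetAdapter = $hostNetAdapter | Rename-NetAdapter -NewName $hostSwitch.Name -PassThru -ErrorAction SilentlyContinue
 
+$hostBindings = $hostNetAdapter | Get-NetAdapterBinding | Where-Object { $_.ComponentID -ne "ms_tcpip" }
+
+$hostBindings | Disable-NetAdapterBinding
+
+$retry = 2
+while ($retry -ne 0)
+{
+$clusInterface = Get-ClusterNetworkInterface | Where-Object {$_.AdapterId -eq ($hostNetAdapter.DeviceId -replace "[{}]","")}
+
+if (($clusInterface | Measure-Object).Count -eq 0)
+{
+Write-Verbose "Retrying..."
+$retry--
+Start-Sleep 2
+continue
+}
+
+$notAttestationNet = ($clusInterface.Network | Get-ClusterNetworkInterface | Where-Object {$_.Name -notlike "*$($hostNetAdapter.Name)*"})
+
+if (($notAttestationNet | Measure-Object).Count -eq 0)
+{
+($clusInterface.Network).Role = 0
+break
+}
+}
+
 $HostAdapterVlanCommonParams = @{
 VMNetworkAdapter = $hostVMNetAdapter
 }
@@ -3576,6 +3621,99 @@ param(
 return $ret.Return
 }
 
+function Set-AttestationFirewallRules{
+param(
+[bool] $Enabled,
+[hashtable] $SessionParams
+)
+$sc = {
+param([bool]$Enabled)
+
+$TemplateFirewallRuleBlockCommon = @{
+Group = "Azure Stack HCI"
+Enabled = "True"
+Profile = "Any"
+Action = "Block"
+EdgeTraversalPolicy = "Block"
+LooseSourceMapping = $False
+LocalOnlyMapping = $False
+LocalAddress = "169.254.169.253"
+RemoteAddress = "Any"
+RemotePort = "Any"
+IcmpType = "Any"
+Program = "Any"
+Service = "Any"
+InterfaceAlias = "Any"
+InterfaceType = "Any"
+LocalUser = "Any"
+RemoteUser = "Any"
+RemoteMachine = "Any"
+Authentication = "NotRequired"
+Encryption = "NotRequired"
+}
+
+$TemplateFirewallRuleBlockTcpOutgoing = @{
+Name = "AzsHci-ImdsAttestation-Block-TCP-Out"
+DisplayName = "Azure Stack HCI IMDS Attestation (TCP-Out)"
+Description = "Outbound rule to block all traffic for Attestation interface [TCP]"
+Direction = "Outbound"
+Protocol = "TCP"
+LocalPort = "Any"
+} + $TemplateFirewallRuleBlockCommon
+
+$TemplateFirewallRuleBlockTcpIncoming = @{
+Name = "AzsHci-ImdsAttestation-Block-TCP-In"
+DisplayName = "Azure Stack HCI IMDS Attestation (TCP-In)"
+Description = "Inbound rule to block all traffic for Attestation interface [TCP]"
+Direction = "Inbound"
+Protocol = "TCP"
+LocalPort = @("1-79","81-65535")
+} + $TemplateFirewallRuleBlockCommon
+
+$TemplateFirewallRuleBlockUdpOutgoing = @{
+Name = "AzsHci-ImdsAttestation-Block-UDP-Out"
+DisplayName = "Azure Stack HCI IMDS Attestation (UDP-Out)"
+Description = "Outbound rule to block all traffic for Attestation interface [UDP]"
+Direction = "Outbound"
+Protocol = "UDP"
+LocalPort = "Any"
+} + $TemplateFirewallRuleBlockCommon
+
+$TemplateFirewallRuleBlockUdpIncoming = @{
+Name = "AzsHci-ImdsAttestation-Block-UDP-In"
+DisplayName = "Azure Stack HCI IMDS Attestation (UDP-In)"
+Description = "Inbound rule to block all traffic for Attestation interface [UDP]"
+Direction = "Inbound"
+Protocol = "UDP"
+LocalPort = "Any"
+} + $TemplateFirewallRuleBlockCommon
+
+$DisplayGroup = "@FirewallAPI.dll,-55001"
+
+$firewallRules = @($TemplateFirewallRuleBlockTcpOutgoing, $TemplateFirewallRuleBlockTcpIncoming, $TemplateFirewallRuleBlockUdpOutgoing, $TemplateFirewallRuleBlockUdpIncoming)
+
+foreach ($rule in $firewallRules)
+{
+$foundRule = Get-NetFirewallRule -Name ($rule.Name) -ErrorAction SilentlyContinue
+
+if (!$foundRule)
+{
+New-NetFirewallRule @rule
+$tmpRule = Get-NetFirewallRule -Name ($rule.Name)
+$tmpRule.Group = $DisplayGroup
+$tmpRule | Set-NetFirewallRule
+}
+
+Set-NetFirewallRule -Name ($rule.Name) -Enabled $($Enabled.ToString())
+}
+
+# Also set the embedded rule with OS
+Set-NetFirewallRule -Name "AzsHci-ImdsAttestation-Allow-In" -Enabled $($Enabled.ToString())
+}
+
+$ret = Invoke-Command @SessionParams -ScriptBlock $sc -ArgumentList $Enabled
+}
+
 
 $TemplateHostImdsParams = @{
 Name = "AZSHCI_HOST-IMDS_DO_NOT_MODIFY"
@@ -3805,7 +3943,7 @@ param(
 Invoke-Command @SessionParams -ScriptBlock { param($switchId); Set-AzureStackHCIAttestation -SwitchId $switchId } -ArgumentList $attestationSwitchId | Out-Null
 }
 
-$firewallRule = Invoke-Command @SessionParams -ScriptBlock { param($ruleName) Enable-NetFirewallRule -Name $ruleName } -ArgumentList $TemplateHostImdsParams["NetFirewallRuleName"]
+Set-AttestationFirewallRules -SessionParams $SessionParams -Enabled $True
 
 $nodeAttestation = (Invoke-Command @SessionParams -ScriptBlock { Get-AzureStackHCIAttestation })
 
@@ -4043,6 +4181,7 @@ param(
 
 Invoke-Command @SessionParams -ScriptBlock { param($switchId); Set-AzureStackHCIAttestation -SwitchId $switchId } -ArgumentList ([Guid]::Empty) | Out-Null
 
+Set-AttestationFirewallRules -SessionParams $SessionParams -Enabled $False
 $nodeAttestation = (Invoke-Command @SessionParams -ScriptBlock { Get-AzureStackHCIAttestation })
 $disableImdsOutput = New-Object -TypeName PSObject
 $disableImdsOutput | Add-Member -MemberType NoteProperty -Name ComputerName -Value ($nodeAttestation.ComputerName)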
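Review bot: The retry loop added after the `Rename-NetAdapter` call in the third hunk never terminates when the cluster interface is found but its network also holds other interfaces: that path neither decrements `$retry` nor hits `break`, so `Get-ClusterNetworkInterface` is polled forever and the enclosing function (which starts and ends outside the hunk) never returns. Decrementing at the top of the loop and breaking once an interface has been evaluated bounds the work; the two outcomes where the role is left unchanged (interface never appeared, or the network is shared with other adapters) should also be reported, because a cluster that keeps using the attestation network silently undoes the isolation the rest of this commit sets up. Separately, in the fourth hunk `$ret` from `Invoke-Command` in `Set-AttestationFirewallRules` is assigned but never inspected, so a failed `New-NetFirewallRule`/`Set-NetFirewallRule` on a node leaves the 169.254.169.253 interface without its block rules with no indication to the caller; at minimum the function should surface errors from that call rather than discard them.
```powershell
$retry = 2
$roleCleared = $false
while ($retry -gt 0)
{
    $retry--
    # … unchanged: $clusInterface lookup via Get-ClusterNetworkInterface …
    if (($clusInterface | Measure-Object).Count -eq 0)
    {
        Write-Verbose "Retrying..."
        Start-Sleep 2
        continue
    }
    # … unchanged: $notAttestationNet lookup …
    if (($notAttestationNet | Measure-Object).Count -eq 0)
    {
        ($clusInterface.Network).Role = 0
        $roleCleared = $true
    }
    break
}
if (-not $roleCleared)
{
    Write-Warning "Cluster network role for attestation adapter $($hostNetAdapter.Name) was not changed; the cluster may still use this network"
}
```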

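--- a/src/StackHCI/ChangeLog.md
+++ b/src/StackHCI/ChangeLog.md
@@ -18,6 +18,8 @@
 - Additional information about change #1
 -->
 ## Upcoming Release
+* Updated firewall rules for Attestation network to block all other traffic
+* Updated cluster to ignore Attestation network
 
 ## Version 1.1.0
 * Adding support cmdlet for Remote Support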

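--- a/tools/StaticAnalysis/Exceptions/Az.StackHCI/SignatureIssues.csv
+++ b/tools/StaticAnalysis/Exceptions/Az.StackHCI/SignatureIssues.csv
@@ -6,3 +6,6 @@
 "Az.StackHCI","Unregister-AzStackHCI","Unregister-AzStackHCI","2","8200","Unregister-AzStackHCI changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
 "Az.StackHCI","Unregister-AzStackHCI","Unregister-AzStackHCI","1","8600","Cmdlet 'Unregister-AzStackHCI' has no defined output type.","Add an OutputType attribute that declares the type of the object(s) returned by this cmdlet. If this cmdlet returns no output, please set the output type to 'bool' and make sure to implement the 'PassThru' parameter."
 "Az.StackHCI","Unregister-AzStackHCI","Unregister-AzStackHCI","1","8420","Parameter set '__AllParameterSets' of cmdlet 'Unregister-AzStackHCI' contains at least one parameter with a position larger than four, which is discouraged.","Limit the number of positional parameters in a single parameter set to four or fewer."
+"Az.StackHCI","Get-AzStackHCIVMAttestation","Get-AzStackHCIVMAttestation","2","8010","Get-AzStackHCIVMAttestation Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.StackHCI","Get-AzStackHCIVMAttestation","Get-AzStackHCIVMAttestation","2","8200","Get-AzStackHCIVMAttestation changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.StackHCI","Set-AzStackHCI","Set-AzStackHCI","2","8200","Set-AzStackHCI changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."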
