Merge pull request #265852 from joemarshallmsft/joe/nexus-acls

v-ccolin · web-flow · commit 7d3b7454d489 · 2024-02-22T11:45:34.000Z
Overview article for ACLs
diff --git a/articles/operator-nexus/TOC.yml b/articles/operator-nexus/TOC.yml
@@ -22,6 +22,8 @@
           href: concepts-network-fabric-controller.md
         - name: Network Fabric Services
           href: concepts-network-fabric-services.md
+        - name: Access Control Lists
+          href: concepts-access-control-lists.md
     - name: Nexus Kubernetes
       href: concepts-nexus-kubernetes-cluster.md
     - name: Observability
@@ -215,3 +217,10 @@
       href: reference-near-edge-storage.md
     - name: Limits & quotas
       href: reference-limits-and-quotas.md
+    - name: Access Control Lists
+      expanded: false
+      items:
+        - name: Access Control List configuration
+          href: reference-acl-configuration.md
+        - name: Access Control List configuration examples
+          href: reference-acl-examples.md
diff --git a/articles/operator-nexus/concepts-access-control-lists.md b/articles/operator-nexus/concepts-access-control-lists.md
@@ -0,0 +1,66 @@
+---
+title: Azure Operator Nexus Access Control Lists Overview
+description: Get an overview of Access Control Lists for Azure Operator Nexus.
+author: joemarshallmsft
+ms.author: joemarshall
+ms.service: azure-operator-nexus
+ms.topic: conceptual
+ms.date: 02/09/2024
+ms.custom: template-concept
+---
+
+# Access Control Lists Overview
+
+An Access Control List (ACL) is a list of rules that control the inbound and outbound flow of packets through an interface. The interface can be an Ethernet interface, a sub interface, a port channel interface, or the switch control plane itself.
+
+An ACL that is applied to incoming packets is called an **Ingress ACL**. An ACL that is applied to outgoing packets is called an **Egress ACL**.
+
+An ACL has a Traffic-Policy definition including a set of match criteria and respective actions. The Traffic-Policy can match various conditions and perform actions such as count, drop, log, or police.
+
+The available match criteria depend on the ACL type:
+
+-   IPv4 ACLs can match IPv4 source or destination addresses, with L4 modifiers including protocol, port number, and DSCP value.
+
+-   IPv6 ACLs can match IPv6 source or destination addresses, with L4 modifiers including protocol, port number.
+
+-   Standard IPv4 ACLs can match only on source IPv4 address.
+
+-   Standard IPv6 ACLs can match only on source IPv6 address.
+
+ACLs can be either static or dynamic. Static ACLs are processed in order, beginning with the first rule and proceeding until a match is encountered. Dynamic ACLs use the payload keyword to turn an ACL into a group like PortGroups, VlanGroups, IPGroups for use in other ACLs. A dynamic ACL provides the user with the ability to enable or disable ACLs based on access session requirements.
+
+ACLs can be applied to Network to Network interconnect (NNI) or External Network resources. An NNI is a child resource of a Network Fabric. ACLs can be created and linked to an NNI before the Network Fabric is provisioned. ACLs can be updated or deleted after the Network Fabric is deprovisioned.
+
+This table summarizes the resources that can be associated with an ACL:
+
+
+| Resource Name                         | Supported                            | Default               |
+|--|--|--|
+| NNF                              | Yes                                  | All Production SKUs    |
+| Isolation Domain                      | Yes on External Network with optionA | NA                    |
+| Network to network interconnect(NNI) | Yes                                  | NA                    |
+
+## Traffic policy
+
+A traffic policy is a set of rules that control the flow of packets in and out of a network interface. This section explains the match criteria and actions available for distinct types of network resources.
+
+-   **Match Configuration**: The conditions that are used to match packets. You can match on various attributes, including:
+    - IP address
+    - Transport protocol
+    - Port
+    - VLAN ID
+    - DSCP
+    - Ethertype
+    - IP fragmentation
+    - TTL
+
+    Each match criterion has a name, a sequence number, an IP address type, and a list of match conditions. A packet matches the configuration if it meets all the criteria. For example, a match configuration of `protocol tcp, source port 100, destination port 200` matches packets that use the TCP protocol, with source port 100 and destination port 200.
+
+-   **Actions**: The operations that are performed on the matched packets, including:
+    - Count
+    - Permit
+    - Drop
+
+    Each match criterion can have one or more actions associated with it.
+
+-   **Dynamic match configuration**: An optional feature that allows the user to define custom match conditions using field sets and user-defined fields. Field sets are named groups of values that can be used in match conditions, such as port numbers, IP addresses, VLAN IDs, etc. Dynamic match configuration can be provided inline or in a file stored in a blob container. For example, `field-set tcpport1 80, 443, 8080` defines a field set named tcpport1 with three port values, and `user-defined-field gtpv1-tid payload 0 32` defines a user-defined field named gtpv1-tid that matches the first 32 bits of the payload.
diff --git a/articles/operator-nexus/reference-acl-configuration.md b/articles/operator-nexus/reference-acl-configuration.md
@@ -0,0 +1,64 @@
+---
+title: Azure Operator Nexus Access Control Lists Configuration
+description: Detailed configuration for Azure Operator Nexus Access Control Lists.
+author: joemarshallmsft
+ms.author: joemarshall
+ms.service: azure-operator-nexus
+ms.topic: reference
+ms.date: 02/09/2024
+---
+
+# Access Control List Configuration
+
+A traffic policy MATCHING CONFIGURATION defines the conditions and parameters for matching criteria in a traffic policy. A traffic policy is used by an Access Control List (ACL) to control the flow of packets into or out of network interfaces based on match criteria and the related actions. A traffic policy can match packets using properties including:
+
+-   **dot1q**: the VLAN ID in the 802.1Q tag.
+
+-   **ethertype**: the EtherType field in the Ethernet header.
+
+-   **fragment**: whether the packet is an IP fragment.
+
+-   **protocol**: the transport protocol type, such as TCP, UDP, ICMP, or IGMP.
+
+-   **source**: the source IP address, port number or port range.
+
+-   **destination**: the destination IP address, port number or port range.
+
+-   **ttl**: the time-to-live (TTL) value in the IP header.
+
+-   **dscp**: the differentiated services code point (DSCP) value in the IP header.
+
+## Example match conditions
+
+-   **Match on source and destination IP prefixes**: You can use the source prefix and destination prefix conditions to match on the IP addresses of a packet. For example, `source prefix 10.0.0.0/24` matches any packet with a source IP address in the range of 10.0.0.0 to 10.0.0.255. You can also use the longest prefix option to match the most specific prefix. For example, `destination longest-prefix 10.0.0.0/24 10.0.0.128/25` will match any packet with a destination IP address in the range of 10.0.0.128 to 10.0.0.255, but not 10.0.0.0. to 10.0.0.127.
+
+-   **Match on protocol**: You can use the protocol condition to match on the transport protocol of a packet, such as TCP, UDP, or ICMP. You can also specify the protocol number, such as 1 for ICMP, 6 for TCP, and 17 for UDP. For example, `protocol tcp` will match any packet with TCP as the protocol.
+-  **Match on port numbers**: When the transport protocol uses ports (multiplexing), you can use the source port and destination port conditions to match the port numbers of the packets. For example, `protocol tcp destination port 80` will match any packet with TCP as the protocol and 80 as the destination port number. You can also use a list of ports, a range of ports, or a field-set name to match on multiple port numbers. For example, `protocol udp source port 53, 67-69, field-set udpport1` will match any packet with UDP as the protocol and 53, 67, 68, 69, or any port number in the field-set `udpport1` as the source port number.
+
+-   **Match on DSCP value**: You can use the dscp condition to match on the differentiated services code point (DSCP) value of the packets. The DSCP value is a 6-bit field in the IP header that indicates the quality of service (QoS) level of the packets.
+
+## Dynamic match configuration
+
+Dynamic match configuration uses field-sets to simplify and reuse the match conditions for user-defined fields. You can store the user-defined field and the field-set definitions in a file in your own Azure storage account blob container and provide the blob URL in the aclsUrl property in the ACL payload. The file content needs to be sent to the Southbound utility service separately after generating the base config.
+
+Dynamic match configuration makes it easier to handle complex matching scenarios like these:
+
+-   **Match on VLAN and DSCP values using field-sets**: You can use the dot1q and dscp conditions to match on the VLAN and DSCP values of the packets. You can also use field-sets to simplify and reuse the match conditions for VLAN and DSCP values. For example, you can define a field-set named `voice-vlan` with a list of VLAN IDs that are used for voice traffic, such as 100, 200, and 300. Then, you can use the field-set name in the match condition, such as `dot1q vlan field-set voice-vlan`, to match any packet with a VLAN ID in the voice-vlan field-set. Similarly, you can define a field-set named `voice-dscp` with a list of DSCP values that are used for voice traffic, such as 40, 46, and 48. Then, you can use the field-set name in the match condition, such as `dscp field-set voice-dscp`, to match any packet with a DSCP value in the `voice-dscp` field-set.
+
+-   **Match on source and destination IP prefixes using field-sets**: You can also use field-sets to simplify and reuse the match conditions for IP prefixes. For example, you can define a field-set named `internal-networks` with a list of IP prefixes that belong to your internal network, such as 10.0.0.0/24 or 172.16.0.0/24. Then, you can use the field-set name in the match condition, such as `source prefix field-set internal-networks`, to match any packet with a source IP address in the internal network.
+
+You can store the field-set definition in a file in your own Azure storage account blob container and provide the blob URL in the aclsUrl property in the ACL payload.
+
+## Configuration parameters for an Access Control List
+
+| Parameter | Description | Example |
+|--|--|--|
+| **resource-group** |The name of the resource group where the network fabric is located. | `example-rg` |
+| **location** | The location of the network fabric | `eastus2euap` |
+| **resource-name** | The name of the ACL. | `example-Ipv4ingressACL` |
+| **configuration-type** | The type of configuration for the ACL. It can be either `Inline` or `File`. | `Inline` |
+| **default-action** | The default action to be taken for the ACL. It can be either `Permit` or `Deny`. | `Permit` |
+| **match-configurations** | The list of match configurations for the ACL. Each match configuration has a name, a sequence number, an IP address type, a list of match conditions, and a list of actions. | `[{matchConfigurationName:'example-match',sequenceNumber:123,ipAddressType:IPv4,matchConditions:[...],actions:[...]}]` |
+| **dynamic-match-configurations** | The list of dynamic match configurations for the ACL. Each dynamic match configuration has a list of IP groups, VLAN groups, and port groups. | `[{ipGroups:[...],vlanGroups:[...],portGroups:[...]}]` |
+| **acls-url** | The URL of the ACLs file. This parameter is required only if the configuration-type is `File`. | `https://ACL-Storage-URL` |
+| **annotation** | An optional annotation for the ACL. | `annotation` |
diff --git a/articles/operator-nexus/reference-acl-examples.md b/articles/operator-nexus/reference-acl-examples.md
@@ -0,0 +1,146 @@
+---
+title: Azure Operator Nexus Access Control Lists Examples
+description: Examples of configuring and creating Azure Operator Nexus Access Control Lists.
+author: joemarshallmsft
+ms.author: joemarshall
+ms.service: azure-operator-nexus
+ms.topic: reference
+ms.date: 02/09/2024
+---
+
+# Access Control List Creation and Configuration Examples
+
+This article gives examples of how to create and update Access Control Lists (ACLS).
+
+## Overview of the ACL create flow
+
+Creating an Access Control List (ACL) associated with a Network-to-Network Interconnect (NNI) involves these steps:
+
+-   Create a Network Fabric resource and add an NNI child resource to it.
+
+-   Create ingress and egress ACL resources using the `az networkfabric acl create` command. You can provide match configurations and the default action for the ACL. You can also provide dynamic match configurations either inline, or in a file stored in your Azure storage account blob container.
+
+-   Update the NNI resource with the ingress and egress ACL IDs using the `az networkfabric nni update` command. You need to provide valid ACL resource IDs in the `--ingress-acl-id` and `--egress-acl-id` parameters.
+
+-   Provision the Network Fabric resource using the `az networkfabric fabric provision` command. This generates the base configuration and the dynamic match configuration for the ACLs and sends them to the devices.
+
+## Overview of the ACL update flow
+
+-   Create ingress and egress ACL resources using `az networkfabric acl create` as described in the previous section.
+
+-   Update the ingress or egress ACL using the `az networkfabric acl update` command.
+
+-   Verify the configuration state of the ACL is `accepted`.
+
+-   Verify the configuration state of the fabric is `accepted`.
+
+-   Execute Fabric Commit to update the ACL.
+
+## Example commands
+
+### Access Control list on a Network-to-Network Interconnect
+
+This example shows you how to create an NNI with two ACLs - one for ingress and one for egress.
+
+The ACLs must be applied before provisioning the Network Fabric. This limitation is temporary and will be removed in future release. The ingress and egress ACLs are created before the NNI resource and referenced when the NNI is created, which also triggers the creation of the ACLs. This configuration must be done before provisioning the network fabric.
+
+#### Create ingress ACL: example command
+
+```azurecli
+az networkfabric acl create \
+    --resource-group "example-rg"
+    --location "eastus2euap" \
+    --resource-name "example-Ipv4ingressACL" \
+    --configuration-type "Inline" \
+    --default-action "Permit" \
+    --dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup',ipAddressType:IPv4,ipPrefixes:['10.20.3.1/20']}],vlanGroups:[{name:'example-vlanGroup',vlans:['20-30']}],portGroups:[{name:'example-portGroup',ports:['100-200']}]}]" \
+    --match-configurations "[{matchConfigurationName:'example-match',sequenceNumber:123,ipAddressType:IPv4,matchConditions:[{etherTypes:['0x1'],fragments:['0xff00-0xffff'],ipLengths:['4094-9214'],ttlValues:[23],dscpMarkings:[32],portCondition:{flags:[established],portType:SourcePort,layer4Protocol:TCP,ports:['1-20']},protocolTypes:[TCP],vlanMatchCondition:{vlans:['20-30'],innerVlans:[30]},ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['10.20.20.20/12']}}],actions:[{type:Count,counterName:'example-counter'}]}]"
+```
+
+#### Create egress ACL: example command
+
+```azurecli
+az networkfabric acl create \
+    --resource-group "example-rg" \
+    --location "eastus2euap" \
+    --resource-name "example-Ipv4egressACL" \
+    --configuration-type "File" \
+    --acls-url "https://ACL-Storage-URL" \
+    --default-action "Permit" \
+    --dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup',ipAddressType:IPv4,ipPrefixes:['10.20.3.1/20']}],vlanGroups:[{name:'example-vlanGroup',vlans:['20-30']}],portGroups:[{name:'example-portGroup',ports:['100-200']}]}]"
+```
+
+### Access Control List on an isolation domain external network
+
+Use the `az networkfabric acl create` command to create ingress and egress ACLs for the external network. In the example, we specify the resource group, name, location, network fabric ID, external network ID, and other parameters. You can also specify the match conditions and actions for the ACL rules using the `--match` and `--action` parameters.
+
+This command creates an ingress ACL named `acl-ingress` that allows ICMP traffic from any source to the external network:
+
+```azurecli
+az networkfabric acl create \
+    --resource-group myResourceGroup \
+    --name acl-ingress \
+    --location eastus \
+    --network-fabric-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.NetworkFabric/networkFabrics/myNetworkFabric \
+    --external-network-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.NetworkFabric/externalNetworks/ext-net \
+    --match "ip protocol icmp" \
+    --action allow
+```
+
+Use the `az networkfabric externalnetwork update` command to update the external network with the resource group, name, and network fabric ID. You also need to specify the ingress and egress ACL IDs using the `--ingress-acl-id` and `--egress-acl-id` parameters. For example, the following command updates the external network named `ext-net` to reference the ingress ACL named `acl-ingress`:
+
+```azurecli
+az networkfabric externalnetwork update \
+    --resource-group myResourceGroup \
+    --name ext-net \
+    --network-fabric-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.NetworkFabric/networkFabrics/myNetworkFabric \
+    --ingress-acl-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.NetworkFabric/acls/acl-ingress
+```
+
+### More example scenarios and commands
+
+To create an egress ACL for an NNI that denies all traffic except for HTTP and HTTPS, you can use this command:
+
+```azurecli
+az networkfabric acl create \
+    --name acl-egress \
+    --resource-group myResourceGroup \
+    --nni-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.NetworkFabric/networkInterfaces/myNni \
+    --match "ip protocol tcp destination port 80 or 443" \
+    --action allow \
+    --default-action deny
+```
+
+To update an existing ACL to add a new match condition and action, you can use this command:
+
+```azurecli
+az networkfabric acl update \
+    --name acl-ingress \
+    --resource-group myResourceGroup \
+    --match "ip protocol icmp" \
+    --action allow \
+    --append-match-configurations
+```
+
+To list all the ACLs in a resource group, you can use this command:
+
+```azurecli
+az networkfabric acl list --resource-group myResourceGroup
+```
+
+To show the details of a specific ACL, you can use this command:
+
+```azurecli
+az networkfabric acl show \
+    --name acl-ingress \
+    --resource-group myResourceGroup
+```
+
+To delete an ACL, you can use this command:
+
+```azurecli
+az networkfabric acl delete \
+    --name acl-egress \
+    --resource-group myResourceGroup
+```
+
