Az.StackHCI Attestation firewall and network updates #16935

Merged
merged 2 commits into from
Apr 2, 2022
143 changes: 141 additions & 2 deletions src/StackHCI/Az.StackHCI.psm1
Expand Up @@ -3458,7 +3458,7 @@ param(
}
else
{
Write-Warning "Found additional IMDS configuration on guest $($VM.Name) adapter count=$($adapterCount)"
Write-Information ("Found additional IMDS configuration on guest $($VM.Name) adapter count=$($adapterCount)")
$vmAdapter = $foundAdapter[0]
}

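Review bot: Downgrading this message from Write-Warning to Write-Information hides a condition the operator should probably still see: more than one adapter matched the IMDS configuration on the guest and the code silently proceeds with `$foundAdapter[0]`. Write-Information is not shown unless the caller sets `-InformationAction` or `$InformationPreference`, so the ambiguity becomes invisible by default. If the multi-adapter case is genuinely benign now, a short comment saying why would help; otherwise keep it as a warning or have the code pick the adapter deterministically and say which one it chose.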
Expand Down Expand Up @@ -3509,6 +3509,25 @@ param(
}
try
{
$ignoreAdaptersParams = @{
Path = "HKLM:\system\currentcontrolset\services\clussvc\parameters"
Name = "ExcludeAdaptersByFriendlyName"
}
$propVal = $VmSwitchParams.Name
$propExists = Get-ItemProperty @ignoreAdaptersParams -ErrorAction SilentlyContinue

if ($propExists)
{
$existingEntries = $propExists.ExcludeAdaptersByFriendlyName -Split ","
if ($existingEntries -notcontains $propVal)
{
$existingEntries += $propVal
}
$propVal = $existingEntries -Join ","
}

New-ItemProperty @ignoreAdaptersParams -Value $propVal -Force -ErrorAction SilentlyContinue | Out-Null

Write-Information "Searching for previous IMDS switch"
if ($VmSwitchParams.SwitchId)
{
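Review bot: The registry update for `ExcludeAdaptersByFriendlyName` can fail without any trace, because both the `Get-ItemProperty` and the `New-ItemProperty` calls use `-ErrorAction SilentlyContinue` and the result of `New-ItemProperty` is piped to `Out-Null`. If the key is missing or the write is denied, the cluster will keep treating the attestation adapter as a cluster network and nothing is logged. Consider capturing the result (or re-reading the value afterwards) and emitting a `Write-Warning` when the switch name is not present in the final value. A second, smaller point: when the property exists but is an empty string, `"" -Split ","` yields `@("")`, so the joined value becomes `",<switchname>"` with a leading empty entry; filtering with `Where-Object { $_ }` before the join avoids that, e.g. `$existingEntries = ($propExists.ExcludeAdaptersByFriendlyName -Split ",") | Where-Object { $_ }`.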
Expand Down Expand Up @@ -3545,6 +3564,32 @@ param(

$hostNetAdapter = $hostNetAdapter | Rename-NetAdapter -NewName $hostSwitch.Name -PassThru -ErrorAction SilentlyContinue

$hostBindings = $hostNetAdapter | Get-NetAdapterBinding | Where-Object { $_.ComponentID -ne "ms_tcpip" }

$hostBindings | Disable-NetAdapterBinding

$retry = 2
while ($retry -ne 0)
{
$clusInterface = Get-ClusterNetworkInterface | Where-Object {$_.AdapterId -eq ($hostNetAdapter.DeviceId -replace "[{}]","")}

if (($clusInterface | Measure-Object).Count -eq 0)
{
Write-Verbose "Retrying..."
$retry--
Start-Sleep 2
continue
}

$notAttestationNet = ($clusInterface.Network | Get-ClusterNetworkInterface | Where-Object {$_.Name -notlike "*$($hostNetAdapter.Name)*"})

if (($notAttestationNet | Measure-Object).Count -eq 0)
{
($clusInterface.Network).Role = 0
break
}
}

$HostAdapterVlanCommonParams = @{
VMNetworkAdapter = $hostVMNetAdapter
}
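Review bot: The retry loop can spin forever. `$retry` is only decremented on the `continue` path (no cluster interface found); when the interface is found but `$notAttestationNet` is non-empty, neither `$retry--` nor `break` is reached and the `while ($retry -ne 0)` condition never changes, so the remote script block hangs. Decrement `$retry` on every iteration (or restructure as a `for` loop) and decide what to do when the attestation adapter shares a cluster network with other adapters after the retries are exhausted: setting `Role = 0` on a shared network would also remove cluster communication from those other adapters, so a warning rather than silent continuation seems appropriate. It would also be worth a comment explaining that `Role = 0` means "not used for cluster communication", since the numeric value is opaque to readers.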
Expand Down Expand Up @@ -3576,6 +3621,99 @@ param(
return $ret.Return
}

function Set-AttestationFirewallRules{
param(
[bool] $Enabled,
[hashtable] $SessionParams
)
$sc = {
param([bool]$Enabled)

$TemplateFirewallRuleBlockCommon = @{
Group = "Azure Stack HCI"
Enabled = "True"
Profile = "Any"
Action = "Block"
EdgeTraversalPolicy = "Block"
LooseSourceMapping = $False
LocalOnlyMapping = $False
LocalAddress = "169.254.169.253"
RemoteAddress = "Any"
RemotePort = "Any"
IcmpType = "Any"
Program = "Any"
Service = "Any"
InterfaceAlias = "Any"
InterfaceType = "Any"
LocalUser = "Any"
RemoteUser = "Any"
RemoteMachine = "Any"
Authentication = "NotRequired"
Encryption = "NotRequired"
}

$TemplateFirewallRuleBlockTcpOutgoing = @{
Name = "AzsHci-ImdsAttestation-Block-TCP-Out"
DisplayName = "Azure Stack HCI IMDS Attestation (TCP-Out)"
Description = "Outbound rule to block all traffic for Attestation interface [TCP]"
Direction = "Outbound"
Protocol = "TCP"
LocalPort = "Any"
} + $TemplateFirewallRuleBlockCommon

$TemplateFirewallRuleBlockTcpIncoming = @{
Name = "AzsHci-ImdsAttestation-Block-TCP-In"
DisplayName = "Azure Stack HCI IMDS Attestation (TCP-In)"
Description = "Inbound rule to block all traffic for Attestation interface [TCP]"
Direction = "Inbound"
Protocol = "TCP"
LocalPort = @("1-79","81-65535")
} + $TemplateFirewallRuleBlockCommon

$TemplateFirewallRuleBlockUdpOutgoing = @{
Name = "AzsHci-ImdsAttestation-Block-UDP-Out"
DisplayName = "Azure Stack HCI IMDS Attestation (UDP-Out)"
Description = "Outbound rule to block all traffic for Attestation interface [UDP]"
Direction = "Outbound"
Protocol = "UDP"
LocalPort = "Any"
} + $TemplateFirewallRuleBlockCommon

$TemplateFirewallRuleBlockUdpIncoming = @{
Name = "AzsHci-ImdsAttestation-Block-UDP-In"
DisplayName = "Azure Stack HCI IMDS Attestation (UDP-In)"
Description = "Inbound rule to block all traffic for Attestation interface [UDP]"
Direction = "Inbound"
Protocol = "UDP"
LocalPort = "Any"
} + $TemplateFirewallRuleBlockCommon

$DisplayGroup = "@FirewallAPI.dll,-55001"

$firewallRules = @($TemplateFirewallRuleBlockTcpOutgoing, $TemplateFirewallRuleBlockTcpIncoming, $TemplateFirewallRuleBlockUdpOutgoing, $TemplateFirewallRuleBlockUdpIncoming)

foreach ($rule in $firewallRules)
{
$foundRule = Get-NetFirewallRule -Name ($rule.Name) -ErrorAction SilentlyContinue

if (!$foundRule)
{
New-NetFirewallRule @rule
$tmpRule = Get-NetFirewallRule -Name ($rule.Name)
$tmpRule.Group = $DisplayGroup
$tmpRule | Set-NetFirewallRule
}

Set-NetFirewallRule -Name ($rule.Name) -Enabled $($Enabled.ToString())
}

# Also set the embedded rule with OS
Set-NetFirewallRule -Name "AzsHci-ImdsAttestation-Allow-In" -Enabled $($Enabled.ToString())
}

$ret = Invoke-Command @SessionParams -ScriptBlock $sc -ArgumentList $Enabled
}


$TemplateHostImdsParams = @{
Name = "AZSHCI_HOST-IMDS_DO_NOT_MODIFY"
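Review bot: `Set-AttestationFirewallRules` never reports success or failure: `$ret` is assigned from `Invoke-Command` and then discarded, the function has no return value, and the inner script block has no `-ErrorAction Stop` or `try/catch`, so a failed `New-NetFirewallRule` (or the final `Set-NetFirewallRule -Name "AzsHci-ImdsAttestation-Allow-In"` on a host that lacks the built-in rule) surfaces only as a non-terminating error on the remote side. Given that these rules are what confine the 169.254.169.253 attestation address, the caller should be able to tell whether they were actually applied; returning the results of `Get-NetFirewallRule` for the four rule names (or throwing when any is missing) would do. Two minor points in the same hunk: `Enabled = "True"` in `$TemplateFirewallRuleBlockCommon` is immediately overridden by the `Set-NetFirewallRule -Enabled $($Enabled.ToString())` call, so it can be dropped or set from `$Enabled` directly, and `Group = "Azure Stack HCI"` is likewise replaced by `$DisplayGroup` right after creation, so only one of the two is needed. The inbound TCP rule intentionally leaves port 80 open via `LocalPort = @("1-79","81-65535")`; a comment stating that this is the IMDS endpoint port would make the exception obvious to the next reader.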
Expand Down Expand Up @@ -3805,7 +3943,7 @@ param(
Invoke-Command @SessionParams -ScriptBlock { param($switchId); Set-AzureStackHCIAttestation -SwitchId $switchId } -ArgumentList $attestationSwitchId | Out-Null
}

$firewallRule = Invoke-Command @SessionParams -ScriptBlock { param($ruleName) Enable-NetFirewallRule -Name $ruleName } -ArgumentList $TemplateHostImdsParams["NetFirewallRuleName"]
Set-AttestationFirewallRules -SessionParams $SessionParams -Enabled $True

$nodeAttestation = (Invoke-Command @SessionParams -ScriptBlock { Get-AzureStackHCIAttestation })

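Review bot: Replacing the captured `$firewallRule` with a bare call to `Set-AttestationFirewallRules` removes the only handle the enable path had on the firewall outcome, and since that function returns nothing, `$nodeAttestation` is populated regardless of whether the block rules were created. If the function is changed to return the rule state, checking it here before calling `Get-AzureStackHCIAttestation` would let the cmdlet report a node whose attestation endpoint is configured but not firewalled.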
Expand Down Expand Up @@ -4043,6 +4181,7 @@ param(

Invoke-Command @SessionParams -ScriptBlock { param($switchId); Set-AzureStackHCIAttestation -SwitchId $switchId } -ArgumentList ([Guid]::Empty) | Out-Null

Set-AttestationFirewallRules -SessionParams $SessionParams -Enabled $False
$nodeAttestation = (Invoke-Command @SessionParams -ScriptBlock { Get-AzureStackHCIAttestation })
$disableImdsOutput = New-Object -TypeName PSObject
$disableImdsOutput | Add-Member -MemberType NoteProperty -Name ComputerName -Value ($nodeAttestation.ComputerName)
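Review bot: The disable path only flips the firewall rules off with `-Enabled $False`; nothing in this hunk reverts the two other changes the enable path now makes, namely the switch name added to `ExcludeAdaptersByFriendlyName` under the clussvc parameters key and the cluster network role set to 0. If those are not undone elsewhere in this function, disabling attestation leaves cluster-side configuration behind, which should either be cleaned up here or called out in the ChangeLog entry. Also, `-Enabled $False` disables the block rules but leaves them defined; if the intent is a full teardown, removing them with `Remove-NetFirewallRule` would be the symmetric operation.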
2 changes: 2 additions & 0 deletions src/StackHCI/ChangeLog.md
Expand Up @@ -18,6 +18,8 @@
- Additional information about change #1
-->
## Upcoming Release
* Updated firewall rules for Attestation network to block all other traffic
* Updated cluster to ignore Attestation network

## Version 1.1.0
* Adding support cmdlet for Remote Support
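Review bot: The first entry says the attestation network now blocks "all other traffic", but the new inbound TCP rule deliberately exempts port 80 (`LocalPort = @("1-79","81-65535")`), and the second entry does not mention the registry change (`ExcludeAdaptersByFriendlyName`) or the cluster network role being set to 0, both of which an operator may need to know about when troubleshooting. Suggest wording along the lines of "Block all traffic on the attestation interface except inbound TCP port 80" and "Exclude the attestation adapter from cluster networking (ExcludeAdaptersByFriendlyName, network role set to None)".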
Expand Up @@ -6,3 +6,6 @@
"Az.StackHCI","Unregister-AzStackHCI","Unregister-AzStackHCI","2","8200","Unregister-AzStackHCI changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
"Az.StackHCI","Unregister-AzStackHCI","Unregister-AzStackHCI","1","8600","Cmdlet 'Unregister-AzStackHCI' has no defined output type.","Add an OutputType attribute that declares the type of the object(s) returned by this cmdlet. If this cmdlet returns no output, please set the output type to 'bool' and make sure to implement the 'PassThru' parameter."
"Az.StackHCI","Unregister-AzStackHCI","Unregister-AzStackHCI","1","8420","Parameter set '__AllParameterSets' of cmdlet 'Unregister-AzStackHCI' contains at least one parameter with a position larger than four, which is discouraged.","Limit the number of positional parameters in a single parameter set to four or fewer."
"Az.StackHCI","Get-AzStackHCIVMAttestation","Get-AzStackHCIVMAttestation","2","8010","Get-AzStackHCIVMAttestation Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
"Az.StackHCI","Get-AzStackHCIVMAttestation","Get-AzStackHCIVMAttestation","2","8200","Get-AzStackHCIVMAttestation changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
"Az.StackHCI","Set-AzStackHCI","Set-AzStackHCI","2","8200","Set-AzStackHCI changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."