
Introduction
As organizations modernize their datacenters using Azure Local SDN (formerly Azure Stack HCI), granular network segmentation becomes critical for ensuring security and compliance. Access Control Lists (ACLs) offer a powerful mechanism to filter traffic at the virtual switch layer, enabling enforcement of fine-grained controls on east-west and north-south communications.
This article dives deep into how ACLs work in Azure Local SDN, explores real-world scenarios for their use, and highlights key limitations that architects and admins must consider.
What Are ACLs in Azure Local?
Access Control Lists (ACLs) in Azure Local SDN are rule-based filters applied to virtual network interfaces. They are evaluated on each packet traversing the vSwitch, either inbound or outbound.
Each ACL rule specifies:
- Direction: Inbound or Outbound
- Action: Allow or Deny
- Priority: Lower numbers are evaluated first
- Match Criteria: IP prefixes, ports, and protocols
ACLs are lightweight, stateless, and operate independently of higher-layer services such as NSGs or firewalls. They can be configured via PowerShell, JSON templates, or Windows Admin Center (WAC).
Inbound vs Outbound ACLs
Use Case Differences
- Inbound ACLs are typically used to block unauthorized access to VMs or services from external or untrusted networks.
- Outbound ACLs restrict traffic leaving a VM, commonly used for data exfiltration prevention or compliance filtering.
Packet Flow Illustration: [diagram omitted from this text; it shows inbound rules evaluated as a packet passes from the vSwitch into the VM's virtual NIC, and outbound rules evaluated as a packet leaves the virtual NIC toward the vSwitch.]
Common ACL Scenarios in Azure Local
1. Tenant Isolation
Multi-tenant HCI clusters benefit from ACLs that restrict inter-tenant traffic.
- Deny intra-subnet communication except via approved routes or services.
2. Management Traffic Control
Restrict access to the SDN infrastructure or VM hosts.
- Allow RDP/SSH only from jump boxes or admin networks.
3. DMZ Zoning
Apply ACLs to separate web, app, and DB tiers.
- Allow port 443 to app layer, deny all else.
4. Service Chain Enforcement
Ensure traffic flows through required NVAs or virtual firewalls.
- Deny direct backend access, forcing flows through inspection points.
5. Policy-Based Routing Support
Use ACLs in conjunction with routes to enforce traffic patterns.
- Deny fallback paths to ensure PBR adherence.
ACL Configuration Methods
PowerShell Example
```powershell
New-SdnAccessControlList -Name "Mgmt-ACL" -Direction Inbound -Action Deny -RemoteAddressPrefix "10.0.0.0/8"
```
Bicep Template Example
```bicep
resource acl 'Microsoft.Network/virtualNetworks/aclRules@2021-05-01' = {
  name: 'AllowWebInbound'
  properties: {
    direction: 'Inbound'
    priority: 100
    access: 'Allow'
    protocol: 'Tcp'
    sourceAddressPrefix: '*'
    destinationPortRange: '80'
  }
}
```
JSON Snippet Example
```json
{
  "name": "DenyAllOutbound",
  "properties": {
    "direction": "Outbound",
    "priority": 4096,
    "access": "Deny",
    "protocol": "*",
    "sourceAddressPrefix": "*",
    "destinationAddressPrefix": "*"
  }
}
```
NSG vs ACL vs NSX-T Rule Comparison
| Feature | Azure Local ACLs | Azure NSGs | NSX-T DFW |
|---|---|---|---|
| Stateful | ❌ No | ✅ Yes | ✅ Yes |
| Flow Logging | ❌ No | ✅ Yes | ✅ Yes |
| Automation Support | ✅ Full | ✅ Full | ✅ Full |
| GUI Support | WAC | Azure Portal | NSX Manager |
| Ideal Use | Lightweight L2 | App Tier | Full-stack |
Performance and Scale Caveats
- Stateless: No tracking of connections means ACLs can’t differentiate session flows.
- No Logs: Troubleshooting blocked traffic is difficult without flow analytics.
- Priority Conflicts: Misconfigured priorities can override important rules.
- Latency: High rule counts can impact vSwitch performance.
- Compatibility: May not align with existing NSX or Aria automation pipelines.
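To make the rule model (direction, action, priority, match criteria), the JSON rule shape above, and the stateless and priority-conflict caveats concrete, here is an added example of a small offline rule evaluator. It is not code from the article or from Microsoft; it models a single VM's virtual NIC and assumes stateless first-match evaluation in ascending priority order with an implicit deny when nothing matches, treats two rules in the same direction with the same priority number as a conflict, and uses a constructed DMZ rule set (hypothetical 10.10.1.0/24 web tier and 10.10.2.0/24 app tier) built on the JSON field names the article uses.

```python
"""Stateless ACL rule evaluator and linter (added example, not vendor code)."""
import ipaddress
import json
from dataclasses import dataclass

# Constructed DMZ rule set attached to an app-tier VM's vNIC, in the article's
# JSON shape. Addresses and names are hypothetical.
RULES_JSON = """
[
  {"name": "AllowWebInbound",
   "properties": {"direction": "Inbound", "priority": 100, "access": "Allow",
                  "protocol": "Tcp", "sourceAddressPrefix": "10.10.1.0/24",
                  "destinationAddressPrefix": "10.10.2.0/24",
                  "destinationPortRange": "443"}},
  {"name": "DenyAllInbound",
   "properties": {"direction": "Inbound", "priority": 4096, "access": "Deny",
                  "protocol": "*", "sourceAddressPrefix": "*",
                  "destinationAddressPrefix": "*"}},
  {"name": "DenyAllOutbound",
   "properties": {"direction": "Outbound", "priority": 4096, "access": "Deny",
                  "protocol": "*", "sourceAddressPrefix": "*",
                  "destinationAddressPrefix": "*"}}
]
"""

# Explicit rule for reply traffic; a stateless filter needs this because it
# cannot recognise the reply as part of an allowed inbound session.
REPLY_RULE = {"name": "AllowWebReply",
              "properties": {"direction": "Outbound", "priority": 110,
                             "access": "Allow", "protocol": "Tcp",
                             "sourceAddressPrefix": "10.10.2.0/24",
                             "destinationAddressPrefix": "10.10.1.0/24",
                             "sourcePortRange": "443"}}


@dataclass(frozen=True)
class Packet:
    direction: str   # "Inbound" or "Outbound" relative to the vNIC
    protocol: str
    src: str
    dst: str
    sport: int
    dport: int


def _prefix_matches(prefix, addr):
    return prefix == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    # Absent or "*" means any port; otherwise "443" or "1024-65535".
    if port_range in (None, "*"):
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def load_rules(text):
    """Parse the JSON list and order it so the lowest priority number is evaluated first."""
    return sorted(json.loads(text), key=lambda r: r["properties"]["priority"])


def add_rule(rules, rule):
    """Return a new rule list with `rule` inserted in priority order (stable sort)."""
    return sorted(rules + [rule], key=lambda r: r["properties"]["priority"])


def evaluate(rules, pkt):
    """First match in priority order decides; no match means implicit Deny (assumption)."""
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != pkt.direction:
            continue
        if p["protocol"] != "*" and p["protocol"].lower() != pkt.protocol.lower():
            continue
        if not _prefix_matches(p["sourceAddressPrefix"], pkt.src):
            continue
        if not _prefix_matches(p["destinationAddressPrefix"], pkt.dst):
            continue
        if not _port_matches(p.get("sourcePortRange"), pkt.sport):
            continue
        if not _port_matches(p.get("destinationPortRange"), pkt.dport):
            continue
        return p["access"], rule["name"]
    return "Deny", None


def find_priority_conflicts(rules):
    """Pairs of rule names that share a direction and priority number."""
    seen, conflicts = {}, []
    for r in rules:
        key = (r["properties"]["direction"], r["properties"]["priority"])
        if key in seen:
            conflicts.append((seen[key], r["name"]))
        else:
            seen[key] = r["name"]
    return conflicts


if __name__ == "__main__":
    rules = load_rules(RULES_JSON)
    request = Packet("Inbound", "Tcp", "10.10.1.5", "10.10.2.5", 51234, 443)
    reply = Packet("Outbound", "Tcp", "10.10.2.5", "10.10.1.5", 443, 51234)
    print("request:", evaluate(rules, request))            # Allow by AllowWebInbound
    print("reply   :", evaluate(rules, reply))             # Deny by DenyAllOutbound
    print("reply+  :", evaluate(add_rule(rules, REPLY_RULE), reply))  # Allow by AllowWebReply
    print("conflicts:", find_priority_conflicts(rules))    # []
```

Running the script shows the two caveats side by side: the request to port 443 is allowed, but without an explicit outbound rule the server's reply is dropped by the deny-all outbound rule, because nothing remembers the session; and `find_priority_conflicts` flags any two rules in the same direction that share a priority number, which is the class of misconfiguration the "Priority Conflicts" bullet warns about. Validating a rule set this way before pushing it through PowerShell or a template is one inexpensive form of the isolated testing the article recommends.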
Summary Table of ACL Use Cases
| Scenario | ACL Benefit | Potential Limitation |
|---|---|---|
| Tenant Isolation | Simple enforcement | No visibility or logs |
| DMZ Zoning | Fine-grained rules | Manual rule management |
| Mgmt Lockdown | Strict access | Requires consistent updates |
| Service Chaining | Forces inspection | May break nonstandard flows |
Final Thoughts
Azure Local SDN ACLs offer a fast, low-overhead way to enforce basic traffic filtering policies directly on the virtual switch layer. They excel in microsegmentation and multi-tenant zoning, especially when paired with service chains or policy-based routing.
However, their stateless nature, lack of flow visibility, and operational complexity mean they are best used as part of a layered defense model—not as standalone solutions. Architects should always test ACL configurations in isolated environments before rolling them out broadly.
Disclaimer
This article is based on lab validation and field experience. Please consult official Microsoft Azure Local SDN documentation for production deployments.