Updating ACL on NNI or External Network
The Nexus Network Fabric offers several methods for updating Access Control Lists (ACLs) applied on NNI or Isolation Domain External Networks. Below are two options:
Option 1: Replace existing ACL
Create a new ACL using the az networkfabric acl create command.
Prerequisites
- Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
- If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
- If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
- When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
- Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
- Set subscription (if necessary):
If you have multiple subscriptions and need to set one as the default, you can do so with:
az account set --subscription <subscription-id>
- Create ACL: Use the az networkfabric acl create command to create the ACL with the desired parameters. Here's a general template:
az networkfabric acl create --resource-group "<resource-group>" --location "<location>" --resource-name "<acl-name>" --annotation "<annotation>" --configuration-type "<configuration-type>" --default-action "<default-action>" --match-configurations "<match-configurations>" --actions "<actions>"
- Update the NNI or External Network by passing the new ACL's resource ID to the --ingress-acl-id and --egress-acl-id parameters.
az networkfabric nni update --resource-group "<resource-group-name>" --resource-name "<nni-name>" --fabric "<fabric-name>" --ingress-acl-id "<ingress-acl-resource-id>" --egress-acl-id "<egress-acl-resource-id>"
Parameter | Description
---|---
--resource-group | Name of the resource group containing the network fabric instance.
--resource-name | Name of the network fabric NNI (Network-to-Network Interface) to be updated.
--fabric | Name of the fabric where the NNI is provisioned.
--ingress-acl-id | Resource ID of the ingress access control list (ACL) for inbound traffic (null for no specific ACL).
--egress-acl-id | Resource ID of the egress access control list (ACL) for outbound traffic (null for no specific ACL).
Note
Based on requirements, either the ingress ACL, the egress ACL, or both can be updated.
- Commit configuration changes: Execute az networkfabric fabric commit-configuration to commit the configuration changes.
az networkfabric fabric commit-configuration --resource-group "<resource-group>" --resource-name "<fabric-name>"
Parameter | Description
---|---
--resource-group | The name of the resource group containing the Nexus Network Fabric.
--resource-name | The name of the Nexus Network Fabric to which the configuration changes will be committed.
- Verify changes: Verify the changes using the resource list command.
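Option 1 end to end as a script, added here as an example (it is not from this page or the Azure CLI documentation): it creates the ACL, binds it, commits, and then reads the NNI back to confirm the bound IDs match what was requested. It assumes az networkfabric nni show exposes ingressAclId and egressAclId as output properties; every angle-bracket value is a placeholder to fill in, and the IDs in the checks are constructed samples.

```shell
# Option 1 as one script: create the ACL, bind it, commit, then confirm the
# binding the fabric reports. Angle-bracket values are placeholders to fill in.
set -eu
RG="${RG:-<resource-group>}"; LOCATION="${LOCATION:-<location>}"; FABRIC="${FABRIC:-<fabric-name>}"
NNI="${NNI:-<nni-name>}"; ACL_NAME="${ACL_NAME:-<acl-name>}"

# ARM resource IDs compare case-insensitively, and `-o tsv` prints a null ACL as an
# empty field, so map "null" to "" and lower-case everything before comparing.
norm_id() {
  case "$1" in null|NULL|"") printf '' ;; *) printf '%s' "$1" | tr '[:upper:]' '[:lower:]' ;; esac
}

# acl_binding_matches WANT_INGRESS WANT_EGRESS "GOT_INGRESS<TAB>GOT_EGRESS"
# The third argument is the single line printed by (assumed property names):
#   az networkfabric nni show ... --query "[ingressAclId,egressAclId]" -o tsv
# Returns 0 only when both bindings match what was requested.
acl_binding_matches() {
  local tab got_in got_eg
  tab=$(printf '\t')
  case "$3" in
    *"$tab"*) got_in=${3%%"$tab"*}; got_eg=${3#*"$tab"} ;;
    *)        got_in=$3; got_eg="" ;;
  esac
  if [ "$(norm_id "$1")" = "$(norm_id "$got_in")" ] && [ "$(norm_id "$2")" = "$(norm_id "$got_eg")" ]; then
    echo "verified: ingress=$got_in egress=$got_eg"; return 0
  fi
  echo "mismatch: wanted ingress=$1 egress=$2; fabric reports ingress=$got_in egress=$got_eg" >&2
  return 1
}

replace_nni_acl() {
  local acl_id binding
  # 1. Create the ACL and capture its resource ID instead of retyping it.
  acl_id=$(az networkfabric acl create --resource-group "$RG" --location "$LOCATION" \
    --resource-name "$ACL_NAME" --configuration-type "<configuration-type>" \
    --default-action "<default-action>" --match-configurations "<match-configurations>" \
    --actions "<actions>" --query id -o tsv)
  # 2. Bind it in both directions; drop one flag to change only ingress or egress.
  az networkfabric nni update --resource-group "$RG" --fabric "$FABRIC" --resource-name "$NNI" \
    --ingress-acl-id "$acl_id" --egress-acl-id "$acl_id" -o none
  # 3. Nothing reaches the devices until the fabric configuration is committed.
  az networkfabric fabric commit-configuration --resource-group "$RG" --resource-name "$FABRIC" -o none
  # 4. Read the binding back and fail loudly if it is not what was requested.
  binding=$(az networkfabric nni show --resource-group "$RG" --fabric "$FABRIC" \
    --resource-name "$NNI" --query "[ingressAclId,egressAclId]" -o tsv)
  acl_binding_matches "$acl_id" "$acl_id" "$binding"
}

if [ "${1:-}" = "--apply" ]; then replace_nni_acl; fi
```

Run it as `bash replace-acl.sh --apply` after exporting RG, LOCATION, FABRIC, NNI and ACL_NAME; without --apply it only defines the functions.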
Option 2: Update existing ACL properties
Use the ACL update command to modify the properties of an existing ACL.
- Update the NNI or External Network by passing null to the --ingress-acl-id and --egress-acl-id parameters.
az networkfabric nni update --resource-group "<resource-group-name>" --resource-name "<nni-name>" --fabric "<fabric-name>" --ingress-acl-id null --egress-acl-id null
Parameter | Description
---|---
--resource-group | Name of the resource group containing the network fabric instance.
--resource-name | Name of the network fabric NNI (Network-to-Network Interface) to be updated.
--fabric | Name of the fabric where the NNI is provisioned.
--ingress-acl-id | Resource ID of the ingress access control list (ACL) for inbound traffic (null for no specific ACL).
--egress-acl-id | Resource ID of the egress access control list (ACL) for outbound traffic (null for no specific ACL).
Note
Based on requirements, either the ingress ACL, the egress ACL, or both can be updated.
- Execute az networkfabric fabric commit-configuration to commit the configuration changes.
az networkfabric fabric commit-configuration --resource-group "<resource-group>" --resource-name "<fabric-name>"
Parameter | Description
---|---
--resource-group | The name of the resource group containing the Nexus Network Fabric.
--resource-name | The name of the Nexus Network Fabric to which the configuration changes will be committed.
- Verify the changes using the resource list command.
Next Steps
Deleting ACLs associated with Network-to-Network Interconnects (NNI)