Powershell DSC Extension: Opening Firewall Ports with DSC

April 06, 2018

I am NOT a systems administrator. But as I’m studying for the 70-532 exam, one of the objectives is using the PowerShell DSC extension. Most of the basic examples I’ve seen revolve around installing IIS, which was good, but I wanted to try something else. So I decided to try opening firewall ports with DSC.

For most of the IaaS studying I’ve been experimenting with manually setting up a Docker Swarm cluster, so that’s the example I’ll use in this post too.

Wait, what’s DSC?

DSC stands for Desired State Configuration. It’s an automation tool that sysadmins use to put a server into a desired state so that it has every dependency needed to run an application: IIS installed, the appropriate firewall ports opened, and so on. You describe the end state rather than the steps, and the Local Configuration Manager on the node makes (and keeps) the machine match it.

Determine What Ports to Open

The first thing you need to do is determine which ports you want to open. The documentation for running Swarm on Server 2016 says it requires the following to be reachable between nodes:

  • TCP 2377
  • TCP/UDP 7946
  • UDP 4789

Creating the DSC Config

There are already DSC resources for managing firewall rules, but they aren’t distributed with Windows by default. I downloaded them from GitHub and included them in my deployment package. The module we need for managing firewall rules is xNetworking, which provides the xFirewall resource. If some DSC expert out there reading this knows of a better way to do it, please let me know in the comments.

The configuration is relatively simple. The Azure DSC extension deploys and runs it on each node in the cluster, so the config only needs a single “localhost” node. Inside that node we create two xFirewall resources (one for TCP, one for UDP) specifying the rule name, protocol, local ports, direction and action we need to allow. The full configuration looks like this:

    Configuration DockerSwarm
    {
        # The DSC extension runs this on every VM, so the only node is the local machine.
        $NodeName = 'localhost'

        # xFirewall lives in the xNetworking module, which must ship in the deployment zip.
        Import-DscResource -ModuleName xNetworking

        Node $NodeName
        {
            # Inbound allow rule for the Swarm TCP ports (cluster management and node communication).
            xFirewall DockerSwarmTCP
            {
                Name        = 'DockerSwarmTCP'
                DisplayName = 'Docker Swarm (TCP-in)'
                Action      = 'Allow'
                Direction   = 'Inbound'
                LocalPort   = ('2377', '7946')
                Protocol    = 'TCP'
                Profile     = 'Any'
                Enabled     = 'True'
            }

            # Inbound allow rule for the Swarm UDP ports (node communication and overlay network).
            xFirewall DockerSwarmUDP
            {
                Name        = 'DockerSwarmUDP'
                DisplayName = 'Docker Swarm (UDP-in)'
                Action      = 'Allow'
                Direction   = 'Inbound'
                LocalPort   = ('7946', '4789')
                Protocol    = 'UDP'
                Profile     = 'Any'
                Enabled     = 'True'
            }
        }
    }

Deploying the DSC Config

Then we zip the configuration script up together with the xNetworking module sources and deploy it using the DSC extension on each node in the Swarm cluster. This can be done through the Portal, the CLI, or the PowerShell module. For simplicity’s sake I just did it through the portal.

[Screenshot: DSC extension installation in the Azure portal]

Once that deployment succeeds you can see the ports open in the server’s firewall.

[Screenshot: the Docker Swarm rules in the server’s firewall]
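Rather than eyeballing the firewall UI, a post-deployment check can confirm that the rules exist with exactly the protocol and ports the configuration asked for, and that the node has not drifted from its applied configuration. This is an added example, not part of the original post; it assumes the rule names from the config above and runs in an elevated PowerShell session on a node.

```powershell
# Added verification script (not from the original post). Assumes the DockerSwarm
# configuration above has already been applied on this node.

# Expected state, copied from the DSC configuration.
$expected = @{
    DockerSwarmTCP = @{ Protocol = 'TCP'; Ports = @('2377', '7946') }
    DockerSwarmUDP = @{ Protocol = 'UDP'; Ports = @('7946', '4789') }
}

$failures = @()
foreach ($name in $expected.Keys) {
    $rule = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
    if (-not $rule) { $failures += "${name}: rule missing"; continue }

    # The rule must be enabled, inbound and allow, exactly as the DSC config states.
    if ($rule.Enabled -ne 'True')      { $failures += "${name}: not enabled" }
    if ($rule.Direction -ne 'Inbound') { $failures += "${name}: direction is $($rule.Direction)" }
    if ($rule.Action -ne 'Allow')      { $failures += "${name}: action is $($rule.Action)" }

    # Protocol and local ports live on the rule's port filter. Compare as sets so
    # the rule is neither narrower nor broader than the configuration intended.
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -ne $expected[$name].Protocol) {
        $failures += "${name}: protocol is $($filter.Protocol)"
    }
    $actualPorts = @($filter.LocalPort) | Sort-Object
    $wantPorts   = @($expected[$name].Ports) | Sort-Object
    if (Compare-Object $actualPorts $wantPorts) {
        $failures += "${name}: local ports are $($actualPorts -join ',')"
    }
}

# Ask the Local Configuration Manager whether the node still matches the
# configuration it last applied; a hand-edited rule shows up here as drift.
$inDesiredState = Test-DscConfiguration -ErrorAction SilentlyContinue

if ($failures.Count -eq 0 -and $inDesiredState) {
    Write-Output 'Docker Swarm firewall rules match the DSC configuration.'
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    if (-not $inDesiredState) { Write-Warning 'Test-DscConfiguration reports the node is not in its desired state.' }
    exit 1
}
```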

That’s it! Not hard at all. My next experiment will be to get this DSC config deployed as part of an ARM template.

© 2020 Jesse Barocio. Built with Gatsby