Azure Network Security Perimeter is one of the new features announced by Microsoft during MS Ignite 2024 in Chicago.
Network Security Perimeter (or NSP) aims to offer public-facing PaaS services the equivalent of what Network Security Groups provide for IaaS. The NSP restricts inbound and outbound network access to PaaS services and, as with NSGs, access can be logged.
The service is in preview and is only available in some US regions (East US, East US 2, North Central US, South Central US, West US, and West US 2). It is limited to a set of Azure services: Azure Monitor, Azure AI Search, Cosmos DB, Event Hubs, Key Vault, SQL DB, and Storage account.
The NSP itself acts as a container. It contains one or several profiles; each profile contains one or several rules and is associated with one or more PaaS resources. These rules define the traffic behavior.
A PaaS service can be associated in one of two modes: learning mode or enforcement mode.
Let’s try to make it work for a simple scenario by using a storage account, a key vault, and an Azure Function. The Azure Function can send data to the storage account and access the key vault.
The first step is to register the preview feature.
Check first if the feature is registered.
Get-AzProviderFeature -FeatureName "AllowNSPInPublicPreview" -ProviderNamespace "Microsoft.Network"
If not, register it.
Register-AzProviderFeature -FeatureName "AllowNSPInPublicPreview" -ProviderNamespace "Microsoft.Network"
Then you need to re-register the Microsoft.Network provider in the subscription.
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
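Feature registration is asynchronous, so the three commands above may need to be spaced out. The following is an added example, not part of the original post: it polls the feature state and re-registers the provider only once the feature reports `Registered`. The timeout and polling interval are assumptions.

```powershell
# Added example: register the NSP preview feature and wait until it is active.
$feature = @{
    FeatureName       = 'AllowNSPInPublicPreview'
    ProviderNamespace = 'Microsoft.Network'
}
$timeoutMinutes = 30   # assumption: adjust to your environment
$pollSeconds    = 30   # assumption

$state = (Get-AzProviderFeature @feature).RegistrationState
if ($state -ne 'Registered') {
    Register-AzProviderFeature @feature | Out-Null
    $deadline = (Get-Date).AddMinutes($timeoutMinutes)
    do {
        Start-Sleep -Seconds $pollSeconds
        $state = (Get-AzProviderFeature @feature).RegistrationState
        Write-Host "Feature state: $state"
    } while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)
}

if ($state -ne 'Registered') {
    throw "Feature $($feature.FeatureName) is still '$state' after $timeoutMinutes minutes."
}

# Re-register the provider only after the feature is registered,
# so the change is propagated to the subscription.
Register-AzResourceProvider -ProviderNamespace $feature.ProviderNamespace | Out-Null
```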
The next step is to update the Az.Network PowerShell module. First, find the latest version of the module.
Find-Module -Name Az.Network -Allversions -AllowPrerelease
In my case, it was 7.7.1-preview.
Install-Module -Name Az.Network -AllowPrerelease -Force -RequiredVersion 7.7.1-preview
After that, you can import the module, but it is better to open a new shell.
Import-Module Az.Network -MinimumVersion "7.7.1"
You need to test if new cmdlets for NSP are loaded.
Get-Help New-AzNetworkSecurityPerimeter
The next step is to create a new NSP.
$demoNSP = New-AzNetworkSecurityPerimeter -Name demoNSP -Location westus2 -ResourceGroupName 02-testnetperimeter
Then we need to create a profile in the new NSP.
$demoProfileNSP = New-AzNetworkSecurityPerimeterProfile -name dmoprofile -ResourceGroupName 02-testnetperimeter -SecurityPerimeterName demoNSP
Now, we need to associate resources with this profile. Let’s begin with the storage account and key vault.
$vaultId = "/subscriptions/XXXXXX"
New-AzNetworkSecurityPerimeterAssociation -AssociationName nsp-keyvault -ResourceGroupName "02-testnetperimeter" -SecurityPerimeterName $demoNSP.name -ProfileId $demoProfileNSP.id -PrivateLinkResourceId $vaultId -AccessMode Enforced
$storageAccountID = "/subscriptions/XXXXXX"
New-AzNetworkSecurityPerimeterAssociation -AssociationName nsp-storage -ResourceGroupName "02-testnetperimeter" -SecurityPerimeterName $demoNSP.name -ProfileId $demoProfileNSP.id -PrivateLinkResourceId $storageAccountID -AccessMode Enforced
If we look at the NSP in the Azure portal, we will see that both resources are added to the profile, but there is a warning for the storage account.
The access mode is enforced, so only traffic inside the perimeter is allowed unless a rule is added.
The Azure Function app cannot access the key vault and the storage account. Likewise, if you try to get data from the storage account or the key vault from the portal, you get an error.
An access rule needs to be added. The inbound access rule has two options: by IP address range or by subscription.
To add one or more subscriptions to an inbound rule, the New-AzNetworkSecurityPerimeterAccessRule cmdlet has a Subscription parameter that requires a special type: System.Collections.Generic.List[Microsoft.Azure.PowerShell.Cmdlets.NetworkSecurityPerimeter.Models.ISubscriptionId].
$subID1 = @{ "ID" = "/subscriptions/a3cefae9-XXX"}
$subID2 = @{ "ID" = "/subscriptions/6429c9df-XXX"}
$subIDList = [System.Collections.Generic.List[Microsoft.Azure.PowerShell.Cmdlets.NetworkSecurityPerimeter.Models.ISubscriptionId]]::new()
$subIDList.Add($subID1)
$subIDList.Add($subID2)
New-AzNetworkSecurityPerimeterAccessRule -Name "allowSubscription" -ResourceGroupName "02-testnetperimeter" -ProfileName $demoProfileNSP.name -SecurityPerimeterName $demoNSP.name -Direction "Inbound" -Subscription $subIDList
After that, the Function will access the key vault and the storage account.
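The other inbound option, an IP address range, is not shown above. The following added example (not part of the original post) creates such a rule and then lists every rule in the profile, flagging wide inbound ranges for review. The rule name, the documentation range 203.0.113.0/24 and the /16 threshold are placeholders, and the property names read from the returned rule objects are assumed to mirror the cmdlet's parameter names in the preview module.

```powershell
# Added example; resource names reuse the ones from this post.
$scope = @{
    ResourceGroupName     = '02-testnetperimeter'
    SecurityPerimeterName = 'demoNSP'
    ProfileName           = 'dmoprofile'
}

# Inbound rule by IP address range.
# 203.0.113.0/24 is a documentation range (RFC 5737) used as a placeholder.
$ipRule = @{
    Name          = 'allowOfficeRange'   # hypothetical rule name
    Direction     = 'Inbound'
    AddressPrefix = @('203.0.113.0/24')
}
New-AzNetworkSecurityPerimeterAccessRule @scope @ipRule

# Review: list every rule in the profile and flag wide inbound ranges.
$minPrefixLength = 16   # assumption: anything broader than /16 gets a second look

Get-AzNetworkSecurityPerimeterAccessRule @scope | ForEach-Object {
    $rule = $_
    # Keep only CIDR prefixes whose mask is shorter than the threshold.
    $wide = @($rule.AddressPrefix | Where-Object {
        $_ -match '/(\d+)$' -and [int]$Matches[1] -lt $minPrefixLength
    })
    [pscustomobject]@{
        Rule          = $rule.Name
        Direction     = $rule.Direction
        AddressPrefix = $rule.AddressPrefix -join ', '
        Subscriptions = ($rule.Subscription | ForEach-Object { $_.Id }) -join ', '
        Fqdns         = $rule.FullyQualifiedDomainName -join ', '
        TooBroad      = ($rule.Direction -eq 'Inbound') -and ($wide.Count -gt 0)
    }
} | Format-Table -AutoSize
```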
In the same way, we can manage outbound access from PaaS services. In a network security perimeter, outbound rules can only target email addresses (this feature is not yet implemented) or FQDNs.
For FQDNs:
New-AzNetworkSecurityPerimeterAccessRule -Name "outboundFQDN" -ResourceGroupName "02-testnetperimeter" -ProfileName $demoProfileNSP.name -SecurityPerimeterName $demoNSP.name -Direction "outbound" -FullyQualifiedDomainName @("wwww.test.com", "www.test.net")
For emails (may trigger an error):
New-AzNetworkSecurityPerimeterAccessRule -Name "outbounEmails" -ResourceGroupName "02-testnetperimeter" -ProfileName $demoProfileNSP.name -SecurityPerimeterName $demoNSP.name -Direction "outbound" -EmailAddress @("test@test.com")
Top comments (2)
Do you have an idea when this feature comes to the Switzerland regions?
First quarter of 2025 for Europe, I guess.