Quickstart: Create a network security perimeter - Azure CLI
Get started with network security perimeter by creating a network security perimeter for an Azure key vault using Azure CLI. A network security perimeter lets Azure platform as a service (PaaS) resources communicate only within an explicitly trusted boundary. Next, you create and update the association of a PaaS resource with a network security perimeter profile. Then you create and update network security perimeter access rules. When you're finished, you delete all resources created in this quickstart.
Important
Network Security Perimeter is in public preview and available in all Azure public cloud regions.
This preview version is provided without a service level agreement, and it's not recommended for production workloads.
Certain features might not be supported or might have constrained capabilities.
For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
Registration for the Azure Network Security Perimeter public preview is required. To register, add the AllowNSPInPublicPreview feature flag to your subscription.
After the feature flag is added, you need to re-register the Microsoft.Network resource provider in your subscription.
To re-register the Microsoft.Network resource provider in the Azure portal, select your subscription, and then select Resource providers. Search for Microsoft.Network and select Re-register.
To re-register the Microsoft.Network resource provider, use the following Azure PowerShell command:
Azure PowerShell
# Re-register the Microsoft.Network resource provider
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
To re-register the Microsoft.Network resource provider, use the following Azure CLI command:
Azure CLI
# Re-register the Microsoft.Network resource provider
az provider register --namespace Microsoft.Network
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
Connect to your Azure account and select your subscription
To get started, connect to Azure Cloud Shell or use your local CLI environment.
If using Azure Cloud Shell, sign in and select your subscription.
If you installed CLI locally, sign in with the following command:
Azure CLI
# Sign in to your Azure account
az login
Once in your shell, select your active subscription locally with the following command:
Azure CLI
# Select the subscription to use
az account set --subscription <Azure Subscription>

# Re-register the Microsoft.Network resource provider
az provider register --namespace Microsoft.Network
Create a resource group and key vault
Before you can create a network security perimeter, you have to create a resource group and a key vault resource with az group create and az keyvault create.
This example creates a resource group named resource-group in the westcentralus location and a key vault named key-vault- followed by the current Unix timestamp, which keeps the globally unique vault name from colliding, with the following commands:
Azure CLI
# Create the resource group
az group create \
    --name resource-group \
    --location westcentralus

# Create a key vault using a timestamp to ensure a unique name
key_vault_name="key-vault-$(date +%s)"
az keyvault create \
    --name "$key_vault_name" \
    --resource-group resource-group \
    --location westcentralus \
    --query 'id' \
    --output tsv
Don't put personally identifiable or otherwise sensitive data in network security perimeter rules or any other network security perimeter configuration.
When you run the association command later in this section, replace <PaaSArmId> in the --private-link-resource value with the key vault's resource ID and <networkSecurityPerimeterProfileId> in the --profile value with the profile's resource ID.
Create a new profile for your network security perimeter with the following command:
Azure CLI
# Create a new profile
az network perimeter profile create \
    --name network-perimeter-profile \
    --resource-group resource-group \
    --perimeter-name network-security-perimeter
Associate the Azure Key Vault (the PaaS resource) with the network security perimeter profile with the following commands. The association starts in Learning mode; once you have confirmed that the perimeter rules admit the traffic you expect, update the association by rerunning the same command with --access-mode Enforced.
Azure CLI
# Get the key vault ID
az keyvault show \
    --name "$key_vault_name" \
    --resource-group resource-group \
    --query 'id' \
    --output tsv

# Get the profile ID
az network perimeter profile show \
    --name network-perimeter-profile \
    --resource-group resource-group \
    --perimeter-name network-security-perimeter \
    --query 'id' \
    --output tsv

# Associate the Azure Key Vault with the network security perimeter profile
# Replace <PaaSArmId> and <networkSecurityPerimeterProfileId> with the ID values for your key vault and profile
az network perimeter association create \
    --name network-perimeter-association \
    --perimeter-name network-security-perimeter \
    --resource-group resource-group \
    --access-mode Learning \
    --private-link-resource "{id:<PaaSArmId>}" \
    --profile "{id:<networkSecurityPerimeterProfileId>}"
To remove an access rule from the network security perimeter profile, use the following command, replacing <accessRuleName> with the name of the rule to delete:
Azure CLI
# Delete the access rule
az network perimeter profile access-rule delete \
    --name <accessRuleName> \
    --profile-name network-perimeter-profile \
    --perimeter-name network-security-perimeter \
    --resource-group resource-group
Note
If a managed identity isn't assigned to a resource that supports one, outbound access from that resource to other resources within the same perimeter is denied, and subscription-based inbound rules intended to allow access from that resource don't take effect.
Delete all resources
To delete a network security perimeter and other resources in this quickstart, use the following az network perimeter commands:
Azure CLI
# Delete the network security perimeter association
az network perimeter association delete \
    --name network-perimeter-association \
    --resource-group resource-group \
    --perimeter-name network-security-perimeter

# Delete the network security perimeter
az network perimeter delete \
    --resource-group resource-group \
    --name network-security-perimeter \
    --yes

# Delete the key vault
# Soft-delete is on by default, so the vault name stays reserved until the vault is purged
az keyvault delete \
    --name "$key_vault_name" \
    --resource-group resource-group

# Delete the resource group
az group delete \
    --name resource-group \
    --yes \
    --no-wait
Note
Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. This may result in access being allowed/denied as per the resource firewall configuration. If PublicNetworkAccess is set to SecuredByPerimeter and the association has been deleted, the resource will enter a locked down state. For more information, see Transition to a network security perimeter in Azure.
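As an added end-to-end example (this is not code from the Microsoft quickstart), the following script strings together the preview registration, the perimeter and profile creation, the key vault association, and a post-check of which control currently gates inbound access to the vault. It includes the az network perimeter create step that the profile and association commands require. The classify_exposure function encodes the fallback and lock-down rules from the note above together with the documented meaning of the two access modes (Learning: perimeter rules are evaluated first and the vault's own firewall is the fallback; Enforced: only perimeter rules apply). The NSP_APPLY guard, the JMESPath paths properties.publicNetworkAccess and accessMode, and the environment-variable names are this example's own choices, not part of the quickstart.

```shell
#!/bin/sh
# Added example (not the quickstart's own code): the quickstart's steps as one
# script, plus a check of which control currently gates inbound access to the
# vault. Names, guards and query paths marked below are this example's assumptions.
set -eu

RG="${RG:-resource-group}"
LOCATION="${LOCATION:-westcentralus}"
NSP="${NSP:-network-security-perimeter}"
PROFILE="${PROFILE:-network-perimeter-profile}"
ASSOC="${ASSOC:-network-perimeter-association}"
ACCESS_MODE="${ACCESS_MODE:-Learning}"   # start in Learning; rerun with Enforced once traffic looks right

# Register the preview feature flag, wait for it to reach "Registered", then
# re-register the provider so the new resource types become available.
ensure_preview_registered() {
  az feature register --namespace Microsoft.Network --name AllowNSPInPublicPreview --output none
  while [ "$(az feature show --namespace Microsoft.Network --name AllowNSPInPublicPreview \
               --query properties.state --output tsv)" != "Registered" ]; do
    echo "waiting for AllowNSPInPublicPreview to register..." >&2
    sleep 15
  done
  az provider register --namespace Microsoft.Network --output none
}

# Create the perimeter and a profile inside it; the profile and association
# commands both require the perimeter to exist first.
create_perimeter_and_profile() {
  az network perimeter create --name "$NSP" --resource-group "$RG" --location "$LOCATION" --output none
  az network perimeter profile create --name "$PROFILE" --resource-group "$RG" \
      --perimeter-name "$NSP" --output none
}

# associate_vault KEY_VAULT_NAME ACCESS_MODE
# Looks up both resource IDs instead of pasting them by hand, then creates the
# association. Rerunning with ACCESS_MODE=Enforced is the "update" step.
associate_vault() {
  kv_id=$(az keyvault show --name "$1" --resource-group "$RG" --query id --output tsv)
  profile_id=$(az network perimeter profile show --name "$PROFILE" --resource-group "$RG" \
                 --perimeter-name "$NSP" --query id --output tsv)
  az network perimeter association create --name "$ASSOC" --perimeter-name "$NSP" \
      --resource-group "$RG" --access-mode "$2" \
      --private-link-resource "{id:$kv_id}" --profile "{id:$profile_id}" --output none
}

# classify_exposure PUBLIC_NETWORK_ACCESS ACCESS_MODE
# Pure function (no az calls) so it can be checked offline. ACCESS_MODE is empty
# when no association exists. Encodes the fallback and lock-down behaviour from
# the quickstart's note plus the documented Learning/Enforced semantics.
classify_exposure() {
  pna="$1"; mode="${2:-}"
  case "$pna/$mode" in
    */Enforced)          echo "perimeter-only: only perimeter access rules apply" ;;
    */Learning)          echo "learning: perimeter rules first, vault firewall as fallback" ;;
    SecuredByPerimeter/) echo "locked-down: SecuredByPerimeter with no association, all public access denied" ;;
    Disabled/)           echo "private-only: public network access disabled at the vault" ;;
    Enabled/)            echo "vault-firewall: the vault's own firewall and IP rules decide" ;;
    *)                   echo "unknown: publicNetworkAccess=$pna accessMode=$mode"; return 1 ;;
  esac
}

# report_exposure KEY_VAULT_NAME
# Reads the live values and classifies them. The query paths are assumptions:
# properties.publicNetworkAccess on the vault, accessMode on the association.
report_exposure() {
  pna=$(az keyvault show --name "$1" --resource-group "$RG" \
          --query properties.publicNetworkAccess --output tsv)
  mode=$(az network perimeter association show --name "$ASSOC" --perimeter-name "$NSP" \
           --resource-group "$RG" --query accessMode --output tsv 2>/dev/null || true)
  classify_exposure "$pna" "$mode"
}

# Only touch the subscription when explicitly asked, so the file can be sourced
# for its functions. Usage: NSP_APPLY=1 ACCESS_MODE=Learning sh nsp-quickstart.sh
if [ "${NSP_APPLY:-0}" = "1" ]; then
  kv="key-vault-$(date +%s)"
  ensure_preview_registered
  az group create --name "$RG" --location "$LOCATION" --output none
  az keyvault create --name "$kv" --resource-group "$RG" --location "$LOCATION" --output none
  create_perimeter_and_profile
  associate_vault "$kv" "$ACCESS_MODE"
  report_exposure "$kv"
fi
```

Run it once with ACCESS_MODE=Learning, review the perimeter's access logs, then run it again with ACCESS_MODE=Enforced; report_exposure should move from the learning classification to perimeter-only. If it ever reports locked-down, the vault's publicNetworkAccess is still SecuredByPerimeter but the association is gone, which is exactly the state the note above warns about.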