Get started with network security perimeter by creating a network security perimeter for an Azure Key Vault using Bicep. A network security perimeter allows Azure Platform as a Service (PaaS) resources to communicate within an explicit trusted boundary. You create and update a PaaS resource's association in a network security perimeter profile. Then you create and update network security perimeter access rules. When you're finished, you delete all resources created in this quickstart.
Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.
You can also create a network security perimeter by using the Azure portal, Azure PowerShell, or the Azure CLI.
Important
Network Security Perimeter is in public preview and available in all Azure public cloud regions. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
Prerequisites
- An Azure account with an active subscription. If you don't already have an Azure account, create an account for free.
Review the Bicep file
This Bicep file creates a network security perimeter for an instance of Azure Key Vault.
The Bicep file that this quickstart uses is from Azure Quickstart Templates.
```bicep
param location string = resourceGroup().location
param keyVaultName string = 'kv-${uniqueString(resourceGroup().id)}'
param nspName string = 'networkSecurityPerimeter'
param profileName string = 'profile1'
param inboundIpv4AccessRuleName string = 'inboundRule'
param outboundFqdnAccessRuleName string = 'outboundRule'
param associationName string = 'networkSecurityPerimeterAssociation'

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    accessPolicies: []
    enabledForDeployment: false
    enabledForDiskEncryption: false
    enabledForTemplateDeployment: false
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enableRbacAuthorization: false
  }
}

resource networkSecurityPerimeter 'Microsoft.Network/networkSecurityPerimeters@2023-07-01-preview' = {
  name: nspName
  location: location
  properties: {}
}

resource profile 'Microsoft.Network/networkSecurityPerimeters/profiles@2023-07-01-preview' = {
  parent: networkSecurityPerimeter
  name: profileName
  location: location
  properties: {}
}

resource inboundAccessRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-07-01-preview' = {
  parent: profile
  name: inboundIpv4AccessRuleName
  location: location
  properties: {
    direction: 'Inbound'
    addressPrefixes: [
      '100.10.0.0/16'
    ]
    fullyQualifiedDomainNames: []
    subscriptions: []
    emailAddresses: []
    phoneNumbers: []
  }
}

resource outboundAccessRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-07-01-preview' = {
  parent: profile
  name: outboundFqdnAccessRuleName
  location: location
  properties: {
    direction: 'Outbound'
    addressPrefixes: []
    fullyQualifiedDomainNames: [
      'contoso.com'
    ]
    subscriptions: []
    emailAddresses: []
    phoneNumbers: []
  }
}

resource resourceAssociation 'Microsoft.Network/networkSecurityPerimeters/resourceAssociations@2023-07-01-preview' = {
  parent: networkSecurityPerimeter
  name: associationName
  location: location
  properties: {
    privateLinkResource: {
      id: keyVault.id
    }
    profile: {
      id: profile.id
    }
    accessMode: 'Enforced'
  }
}
```
The Bicep file defines multiple Azure resources:
- Microsoft.KeyVault/vaults: The instance of Key Vault that the perimeter protects.
- Microsoft.Network/networkSecurityPerimeters: The network security perimeter, the trusted boundary that the instance of Key Vault is placed inside.
- Microsoft.Network/networkSecurityPerimeters/profiles: The network security perimeter profile that groups the access rules applied to the associated instance of Key Vault.
- Microsoft.Network/networkSecurityPerimeters/profiles/accessRules: The access rules (an inbound IPv4 prefix rule and an outbound FQDN rule) that govern traffic to and from the instance of Key Vault.
- Microsoft.Network/networkSecurityPerimeters/resourceAssociations: The resource association that binds the instance of Key Vault to the profile, here in Enforced access mode.
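Access rules are the part of the template a reviewer most wants to check before deploying, because an inbound rule that is wider than intended silently extends the trusted boundary. The following script is an added example, not part of the quickstart or of the Azure Quickstart Templates repository: it models the two access rules from the Bicep file above as plain dictionaries and lints them offline. The checks (direction is Inbound or Outbound, inbound rules carry IP prefixes or subscriptions rather than FQDNs, outbound rules carry FQDNs rather than prefixes, every prefix is a valid and globally routable CIDR, every FQDN is well formed) are this linter's own policy, derived from the rule shapes shown in the template; the sample rules are constructed copies of the ones above.

```python
"""Pre-deployment lint for network security perimeter access rules.

Added example; the rule dictionaries below are constructed copies of the
two access rules in the quickstart's Bicep file, and the checks are this
script's own policy rather than an Azure API.
"""
import ipaddress
import re

# Constructed to mirror inboundAccessRule and outboundAccessRule above.
SAMPLE_RULES = [
    {
        "name": "inboundRule",
        "direction": "Inbound",
        "addressPrefixes": ["100.10.0.0/16"],
        "fullyQualifiedDomainNames": [],
        "subscriptions": [],
    },
    {
        "name": "outboundRule",
        "direction": "Outbound",
        "addressPrefixes": [],
        "fullyQualifiedDomainNames": ["contoso.com"],
        "subscriptions": [],
    },
]

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_fqdn(name: str) -> bool:
    """Syntactic hostname check: dotted labels, total length at most 253."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def check_prefix(prefix: str) -> list[str]:
    """Return findings for one CIDR prefix; an empty list means it is acceptable."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return [f"{prefix}: not a valid CIDR ({exc})"]
    # Inbound rules describe external callers; a private or reserved range is
    # almost always a typo, so flag it rather than deploy it.
    if not net.is_global:
        return [f"{prefix}: not globally routable (private or reserved range)"]
    return []


def lint_rule(rule: dict) -> list[str]:
    """Return all findings for one access rule."""
    findings: list[str] = []
    name = rule.get("name", "<unnamed>")
    direction = rule.get("direction")
    prefixes = rule.get("addressPrefixes", [])
    fqdns = rule.get("fullyQualifiedDomainNames", [])
    subs = rule.get("subscriptions", [])

    if direction not in ("Inbound", "Outbound"):
        findings.append(f"{name}: direction must be Inbound or Outbound, got {direction!r}")
        return findings

    if direction == "Inbound":
        if fqdns:
            findings.append(f"{name}: inbound rules cannot use FQDNs")
        if not prefixes and not subs:
            findings.append(f"{name}: inbound rule allows nothing (no prefixes or subscriptions)")
    else:
        if prefixes or subs:
            findings.append(f"{name}: outbound rules are FQDN-based; drop addressPrefixes/subscriptions")
        if not fqdns:
            findings.append(f"{name}: outbound rule allows nothing (no FQDNs)")

    for p in prefixes:
        findings.extend(f"{name}: {msg}" for msg in check_prefix(p))
    for f in fqdns:
        if not is_valid_fqdn(f):
            findings.append(f"{name}: {f!r} is not a valid FQDN")
    return findings


def lint_rules(rules: list[dict]) -> list[str]:
    """Lint every rule and concatenate the findings."""
    out: list[str] = []
    for r in rules:
        out.extend(lint_rule(r))
    return out


if __name__ == "__main__":
    problems = lint_rules(SAMPLE_RULES)
    print("\n".join(problems) if problems else "all access rules pass")
```

Run it as a pre-commit or pipeline step over the parameter values you intend to deploy; the two sample rules pass, while a private prefix such as 10.0.0.0/8 or an FQDN placed on an inbound rule produces a finding.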
Deploy the Bicep file
Save the Bicep file as main.bicep to your local computer.
Deploy the Bicep file using either Azure CLI or Azure PowerShell.
```shell
az group create --name resource-group --location eastus

# The Bicep file declares the perimeter name as the parameter nspName,
# so that is the parameter to override.
az deployment group create --resource-group resource-group --template-file main.bicep --parameters nspName=<network-security-perimeter-name>
```
Validate the deployment
- Sign into the Azure portal.
- Enter Network security perimeter in the search box at the top of the portal. Select Network security perimeters in the search results.
- Select the networkPerimeter resource from the list of network security perimeters.
- Verify that the networkPerimeter resource is created successfully. The Overview page shows the details of the network security perimeter, including the profiles and associated resources.
Clean up resources
When you no longer need the resources that you created with the network security perimeter service, delete the resource group. This removes the network security perimeter service and all the related resources.
```shell
az group delete --name resource-group
```
Note
Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. Access is then allowed or denied according to that resource firewall configuration. If PublicNetworkAccess is set to SecuredByPerimeter and the association has been deleted, the resource enters a locked-down state. For more information, see Transition to a network security perimeter in Azure.