Quickstart - Create a network security perimeter - Bicep

Get started with network security perimeter by creating a network security perimeter for an Azure Key Vault using Bicep. A network security perimeter allows Azure Platform as a Service (PaaS) resources to communicate within an explicit trusted boundary. You create and update a PaaS resource's association in a network security perimeter profile. Then you create and update network security perimeter access rules. When you're finished, you delete all resources created in this quickstart.

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.

You can also create a network security perimeter by using the Azure portal, Azure PowerShell, or the Azure CLI.

Important

Network Security Perimeter is in public preview and available in all Azure public cloud regions. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Prerequisites

Review the Bicep file

This Bicep file creates a network security perimeter for an instance of Azure Key Vault.

The Bicep file that this quickstart uses is from Azure Quickstart Templates.

param location string = resourceGroup().location
param keyVaultName string = 'kv-${uniqueString(resourceGroup().id)}'
param nspName string = 'networkSecurityPerimeter'
param profileName string = 'profile1'
param inboundIpv4AccessRuleName string = 'inboundRule'
param outboundFqdnAccessRuleName string = 'outboundRule'
param associationName string = 'networkSecurityPerimeterAssociation'

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
    name: keyVaultName
    location: location
    properties: {
        sku: {
            family: 'A'
            name: 'standard'
        }
        tenantId: subscription().tenantId
        accessPolicies: []
        enabledForDeployment: false
        enabledForDiskEncryption: false
        enabledForTemplateDeployment: false
        enableSoftDelete: true
        softDeleteRetentionInDays: 90
        enableRbacAuthorization: false
    }
}

resource networkSecurityPerimeter 'Microsoft.Network/networkSecurityPerimeters@2023-07-01-preview' = {
    name: nspName
    location: location
    properties: {}
}

resource profile 'Microsoft.Network/networkSecurityPerimeters/profiles@2023-07-01-preview' = {
    parent: networkSecurityPerimeter
    name: profileName
    location: location
    properties: {}
}

resource inboundAccessRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-07-01-preview' = {
    parent: profile
    name: inboundIpv4AccessRuleName
    location: location
    properties: {
        direction: 'Inbound'
        addressPrefixes: [
            '100.10.0.0/16'
        ]
        fullyQualifiedDomainNames: []
        subscriptions: []
        emailAddresses: []
        phoneNumbers: []
    }
}

resource outboundAccessRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-07-01-preview' = {
    parent: profile
    name: outboundFqdnAccessRuleName
    location: location
    properties: {
        direction: 'Outbound'
        addressPrefixes: []
        fullyQualifiedDomainNames: [
            'contoso.com'
        ]
        subscriptions: []
        emailAddresses: []
        phoneNumbers: []
    }
}

resource resourceAssociation 'Microsoft.Network/networkSecurityPerimeters/resourceAssociations@2023-07-01-preview' = {
    parent: networkSecurityPerimeter
    name: associationName
    location: location
    properties: {
        privateLinkResource: {
            id: keyVault.id
        }
        profile: {
            id: profile.id
        }
        accessMode: 'Enforced'
    }
}

The Bicep file defines multiple Azure resources:

  - Microsoft.KeyVault/vaults: the Key Vault instance that is placed inside the perimeter.
  - Microsoft.Network/networkSecurityPerimeters: the network security perimeter itself.
  - Microsoft.Network/networkSecurityPerimeters/profiles: the profile that groups the perimeter's access rules.
  - Microsoft.Network/networkSecurityPerimeters/profiles/accessRules: an inbound rule that allows the 100.10.0.0/16 address prefix and an outbound rule that allows the FQDN contoso.com.
  - Microsoft.Network/networkSecurityPerimeters/resourceAssociations: the association that binds the Key Vault to the profile with accessMode set to Enforced.

Deploy the Bicep file

  1. Save the Bicep file as main.bicep to your local computer.

  2. Deploy the Bicep file using either Azure CLI or Azure PowerShell. The parameter name must match the one declared in the file (nspName); the other parameters use their defaults.

    az group create --name resource-group --location eastus
    az deployment group create --resource-group resource-group --template-file main.bicep --parameters nspName=<network-security-perimeter-name>
    

Validate the deployment

  1. Sign into the Azure portal.
  2. Enter Network security perimeter in the search box at the top of the portal. Select Network security perimeters in the search results.
  3. Select the network security perimeter you deployed from the list (networkSecurityPerimeter by default, or the value you passed for nspName).
  4. Verify that the network security perimeter was created successfully. The Overview page shows its details, including the profile, the access rules, and the associated Key Vault.
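The portal check above can also be scripted. The following is an added example, not part of the quickstart or the Azure Quickstart Templates: it compares the perimeter's resource associations and access rules, as returned by the Azure CLI, with the defaults in main.bicep and reports any drift (for instance a widened inbound rule or an association that is no longer Enforced). It assumes the JSON comes from `az network perimeter association list` and `az network perimeter profile access-rule list` (assumed nsp-extension commands); the sample records embedded below are constructed to mirror main.bicep, not captured output.

```python
# Expected state, taken from the default parameter values in main.bicep.
EXPECTED_ACCESS_MODE = "Enforced"
EXPECTED_INBOUND_PREFIXES = {"100.10.0.0/16"}
EXPECTED_OUTBOUND_FQDNS = {"contoso.com"}


def _props(record):
    # ARM nests fields under "properties"; the CLI flattens them. Accept either.
    return record.get("properties", record)


def check_perimeter(associations, access_rules, key_vault_id):
    """Return a list of findings; an empty list means the deployment matches."""
    findings = []
    # The Key Vault must have exactly one association, and it must be Enforced.
    mine = [a for a in associations
            if _props(a)["privateLinkResource"]["id"].lower() == key_vault_id.lower()]
    if len(mine) != 1:
        findings.append(f"expected 1 association for the key vault, found {len(mine)}")
    elif _props(mine[0]).get("accessMode") != EXPECTED_ACCESS_MODE:
        findings.append(f"accessMode is {_props(mine[0]).get('accessMode')!r}, "
                        f"expected {EXPECTED_ACCESS_MODE!r}")
    # Any inbound prefix or outbound FQDN beyond the template's values is drift.
    inbound = {p for r in access_rules if _props(r)["direction"] == "Inbound"
               for p in _props(r).get("addressPrefixes", [])}
    outbound = {f for r in access_rules if _props(r)["direction"] == "Outbound"
                for f in _props(r).get("fullyQualifiedDomainNames", [])}
    if inbound != EXPECTED_INBOUND_PREFIXES:
        findings.append(f"inbound prefixes {sorted(inbound)} != {sorted(EXPECTED_INBOUND_PREFIXES)}")
    if outbound != EXPECTED_OUTBOUND_FQDNS:
        findings.append(f"outbound FQDNs {sorted(outbound)} != {sorted(EXPECTED_OUTBOUND_FQDNS)}")
    return findings


# Constructed sample records mirroring main.bicep (subscription id is a placeholder).
KV_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "resource-group/providers/Microsoft.KeyVault/vaults/kv-sample")
SAMPLE_ASSOCIATIONS = [{"name": "networkSecurityPerimeterAssociation", "properties": {
    "privateLinkResource": {"id": KV_ID}, "profile": {"id": "<profile1 id>"},
    "accessMode": "Enforced"}}]
SAMPLE_RULES = [
    {"name": "inboundRule", "properties": {"direction": "Inbound",
     "addressPrefixes": ["100.10.0.0/16"], "fullyQualifiedDomainNames": []}},
    {"name": "outboundRule", "properties": {"direction": "Outbound",
     "addressPrefixes": [], "fullyQualifiedDomainNames": ["contoso.com"]}},
]
# A drifted copy: an extra inbound rule was added after deployment.
DRIFTED_RULES = SAMPLE_RULES + [{"name": "inboundRule2", "properties": {
    "direction": "Inbound", "addressPrefixes": ["0.0.0.0/0"]}}]
```

Run it against the live output by loading the two CLI JSON documents and passing them to check_perimeter together with the Key Vault resource id; a non-empty list is the drift report.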

Clean up resources

When you no longer need the resources that you created with the network security perimeter service, delete the resource group. This removes the network security perimeter service and all the related resources.

az group delete --name resource-group

Note

Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. This may result in access being allowed or denied as per the resource firewall configuration. If PublicNetworkAccess is set to SecuredByPerimeter and the association has been deleted, the resource will enter a locked-down state. For more information, see Transition to a network security perimeter in Azure.

Next steps