Quickstart: Create a network security perimeter - Azure PowerShell
Article
Get started with network security perimeter by creating a network security perimeter for an Azure key vault using Azure PowerShell. A network security perimeter allows Azure Platform as a Service (PaaS) resources to communicate within an explicit trusted boundary. You create and update a PaaS resource's association in a network security perimeter profile. Then you create and update network security perimeter access rules. When you're finished, you delete all resources created in this quickstart.
Important
Network Security Perimeter is in public preview and available in all Azure public cloud regions.
This preview version is provided without a service level agreement, and it's not recommended for production workloads.
Certain features might not be supported or might have constrained capabilities.
For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
Registration for the Azure Network Security Perimeter public preview is required. To register, add the AllowNSPInPublicPreview feature flag to your subscription.
After the feature flag is added, you need to re-register the Microsoft.Network resource provider in your subscription.
To re-register the Microsoft.Network resource provider in the Azure portal, select your subscription, and then select Resource providers. Search for Microsoft.Network and select Re-register.
To re-register the Microsoft.Network resource provider, use the following Azure PowerShell command:
# Register the Microsoft.Network resource provider
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
To re-register the Microsoft.Network resource provider, use the following Azure CLI command:
# Register the Microsoft.Network resource provider
az provider register --namespace Microsoft.Network
The latest version of the Azure PowerShell module with tools for network security perimeter.
# Install the Az.Tools.Installer module
Install-Module -Name Az.Tools.Installer -Repository PSGallery
Use Az.Tools.Installer to install the preview build of the Az.Network:
# Install the preview build of the Az.Network module
Install-Module -Name Az.Tools.Installer -Repository PSGallery -allowprerelease -force
# List the current versions of the Az.Network module available in the PowerShell Gallery
Find-Module -Name Az.Network -Allversions -AllowPrerelease
# Install the preview build of the Az.Network module using the
Install-AzModule -Name Az.Network -AllowPrerelease -Force
Install-AzModule -Path <previewVersionNumber>
Note
The preview version of the Az.Network module is required to use network security perimeter capabilities. The latest version of the Az.Network module is available in the PowerShell Gallery. Look for the newest version that ends in -preview.
To get help with the PowerShell cmdlets, use the Get-Help command:
# Get help for a specific command
get-help -Name <powershell-command> - full
# Example
get-help -Name New-AzNetworkSecurityPerimeter - full
Sign in to your Azure account and select your subscription
To begin your configuration, sign in to your Azure account:
# Sign in to your Azure account
Connect-AzAccount
Then, connect to your subscription:
# List all subscriptions
Set-AzContext -Subscription <subscriptionId>
# Register the Microsoft.Network resource provider
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
Create a resource group and key vault
Before you can create a network security perimeter, you have to create a resource group and a key vault resource.
This example creates a resource group named test-rg in the WestCentralUS location and a key vault named demo-keyvault-<RandomValue> in the resource group with the following commands:
# Create a resource group
$rgParams = @{
Name = "test-rg"
Location = "westcentralus"
}
New-AzResourceGroup @rgParams
# Create a key vault
$keyVaultName = "demo-keyvault-$(Get-Random)"
$keyVaultParams = @{
Name = $keyVaultName
ResourceGroupName = $rgParams.Name
Location = $rgParams.Location
}
$keyVault = New-AzKeyVault @keyVaultParams
Create a network security perimeter
In this step, create a network security perimeter with the following New-AzNetworkSecurityPerimeter command:
Note
Please do not put any personal identifiable or sensitive data in the network security perimeter rules or other network security perimeter configuration.
Create and update PaaS resources’ association with a new profile
In this step, you create a new profile and associate the PaaS resource, the Azure Key Vault with the profile using the New-AzNetworkSecurityPerimeterProfile and New-AzNetworkSecurityPerimeterAssociation commands.
Create a new profile for your network security perimeter with the following command:
# Create a new profile
$nspProfile = @{
Name = 'nsp-profile'
ResourceGroupName = $rgParams.name
SecurityPerimeterName = $nsp.name
}
$demoProfileNSP=New-AzNetworkSecurityPerimeterProfile @nspprofile
Associate the Azure Key Vault (PaaS resource) with the network security perimeter profile with the following command:
# Associate the PaaS resource with the above created profile
$nspAssociation = @{
AssociationName = 'nsp-association'
ResourceGroupName = $rgParams.name
SecurityPerimeterName = $nsp.name
AccessMode = 'Learning'
ProfileId = $demoProfileNSP.Id
PrivateLinkResourceId = $keyVault.ResourceID
}
New-AzNetworkSecurityPerimeterAssociation @nspassociation | format-list
Update association by changing the access mode to enforced with the Update-AzNetworkSecurityPerimeterAssociation command as follows:
# Update the association to enforce the access mode
$updateAssociation = @{
AssociationName = $nspassociation.AssociationName
ResourceGroupName = $rgParams.name
SecurityPerimeterName = $nsp.name
AccessMode = 'Enforced'
}
Update-AzNetworkSecurityPerimeterAssociation @updateAssociation | format-list
Manage network security perimeter access rules
In this step, you create, update and delete network security perimeter access rules with public IP address prefixes.
# Create an inbound access rule for a public IP address prefix
$inboundRule = @{
Name = 'nsp-inboundRule'
ProfileName = $nspprofile.Name
ResourceGroupName = $rgParams.Name
SecurityPerimeterName = $nsp.Name
Direction = 'Inbound'
AddressPrefix = '192.0.2.0/24'
}
New-AzNetworkSecurityPerimeterAccessRule @inboundrule | format-list
# Update the inbound access rule to add more public IP address prefixes
$updateInboundRule = @{
Name = $inboundrule.Name
ProfileName = $nspprofile.Name
ResourceGroupName = $rgParams.Name
SecurityPerimeterName = $nsp.Name
AddressPrefix = @('192.0.2.0/24','198.51.100.0/24')
}
Update-AzNetworkSecurityPerimeterAccessRule @updateInboundRule | format-list
Note
If managed identity is not assigned to the resource which supports it, outbound access to other resources within the same perimeter will be denied. Subscription based inbound rules intended to allow access from this resource will not take effect.
Delete all resources
When you no longer need the network security perimeter, remove all resources associated with the network security perimeter, remove the perimeter, and then remove the resource group.
# Retrieve the network security perimeter and place it in a variable
$nsp= Get-AzNetworkSecurityPerimeter -Name demo-nsp -ResourceGroupName $rg.Params.Name
# Delete the network security perimeter and all associated resources
$removeNsp = @{
Name = 'nsp-association'
ResourceGroupName = $rgParams.Name
SecurityPerimeterName = $nsp.Name
}
Remove-AzNetworkSecurityPerimeterAssociation @removeNsp
Remove-AzNetworkSecurityPerimeter -Name $nsp.Name -ResourceGroupName $rgParams.Name
# Remove the resource group
Remove-AzResourceGroup -Name $rgParams.Name -Force
Note
Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. This may result in access being allowed/denied as per the resource firewall configuration. If PublicNetworkAccess is set to SecuredByPerimeter and the association has been deleted, the resource will enter a locked down state. For more information, see Transition to a network security perimeter in Azure.
Learn to configure Azure Key Vault networking settings via the Azure portal, enabling secure access control to your vault, protecting sensitive keys and secrets.