This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Get started with network security perimeter by creating a network security perimeter for an Azure key vault using Azure PowerShell. A network security perimeter allows Azure Platform as a Service (PaaS) resources to communicate within an explicit trusted boundary. You create and update a PaaS resource's association in a network security perimeter profile. Then you create and update network security perimeter access rules. When you're finished, you delete all resources created in this quickstart.
Important
Network Security Perimeter is in public preview and available in all Azure public cloud regions. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
Registration for the Azure Network Security Perimeter public preview is required. To register, add the AllowNSPInPublicPreview feature flag to your subscription.
For more information on adding feature flags, see Set up preview features in Azure subscription.
After the feature flag is added, you need to re-register the Microsoft.Network resource provider in your subscription.
To re-register the Microsoft.Network resource provider in the Azure portal, select your subscription, and then select Resource providers. Search for Microsoft.Network and select Re-register.
To re-register the Microsoft.Network resource provider, use the following Azure PowerShell command:
# Register the Microsoft.Network resource provider
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
To re-register the Microsoft.Network resource provider, use the following Azure CLI command:
# Register the Microsoft.Network resource provider
az provider register --namespace Microsoft.Network
For more information on re-registering resource providers, see Azure resource providers and types.
Install the Az.Tools.Installer module:
# Install the Az.Tools.Installer module
Install-Module -Name Az.Tools.Installer -Repository PSGallery
Install the preview build of the Az.Network:
# Install the preview build of the Az.Network module
Install-Module -Name Az.Network -AllowPrerelease -Force -RequiredVersion 7.13.0-preview
You can choose to use Azure PowerShell locally or use Azure Cloud Shell.
To get help with the PowerShell cmdlets, use the Get-Help command:
# Get help for a specific command
Get-Help -Name <powershell-command> - full
# Example
Get-Help -Name New-AzNetworkSecurityPerimeter - full
To begin your configuration, sign in to your Azure account:
# Sign in to your Azure account
Connect-AzAccount
Then, connect to your subscription:
# List all subscriptions
Set-AzContext -Subscription <subscriptionId>
# Register the Microsoft.Network resource provider
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
Before you can create a network security perimeter, you have to create a resource group and a key vault resource.
This example creates a resource group named test-rg in the WestCentralUS location and a key vault named demo-keyvault-<RandomValue> in the resource group with the following commands:
# Create a resource group
$rgParams = @{
Name = "test-rg"
Location = "westcentralus"
}
New-AzResourceGroup @rgParams
# Create a key vault
$keyVaultName = "demo-keyvault-$(Get-Random)"
$keyVaultParams = @{
Name = $keyVaultName
ResourceGroupName = $rgParams.Name
Location = $rgParams.Location
}
$keyVault = New-AzKeyVault @keyVaultParams
In this step, create a network security perimeter with the following New-AzNetworkSecurityPerimeter command:
Note
Please do not put any personal identifiable or sensitive data in the network security perimeter rules or other network security perimeter configuration.
# Create a network security perimeter
$nsp = @{
Name = 'demo-nsp'
location = 'westcentralus'
ResourceGroupName = $rgParams.name
}
$demoNSP=New-AzNetworkSecurityPerimeter @nsp
$nspId = $demoNSP.Id
In this step, you create a new profile and associate the PaaS resource, the Azure Key Vault with the profile using the New-AzNetworkSecurityPerimeterProfile and New-AzNetworkSecurityPerimeterAssociation commands.
Create a new profile for your network security perimeter with the following command:
# Create a new profile
$nspProfile = @{
Name = 'nsp-profile'
ResourceGroupName = $rgParams.name
SecurityPerimeterName = $nsp.name
}
$demoProfileNSP=New-AzNetworkSecurityPerimeterProfile @nspprofile
Associate the Azure Key Vault (PaaS resource) with the network security perimeter profile with the following command:
# Associate the PaaS resource with the above created profile
$nspAssociation = @{
AssociationName = 'nsp-association'
ResourceGroupName = $rgParams.name
SecurityPerimeterName = $nsp.name
AccessMode = 'Learning'
ProfileId = $demoProfileNSP.Id
PrivateLinkResourceId = $keyVault.ResourceID
}
New-AzNetworkSecurityPerimeterAssociation @nspassociation | format-list
Update association by changing the access mode to enforced with the Update-AzNetworkSecurityPerimeterAssociation command as follows:
# Update the association to enforce the access mode
$updateAssociation = @{
AssociationName = $nspassociation.AssociationName
ResourceGroupName = $rgParams.name
SecurityPerimeterName = $nsp.name
AccessMode = 'Enforced'
}
Update-AzNetworkSecurityPerimeterAssociation @updateAssociation | format-list
In this step, you create, update and delete network security perimeter access rules with public IP address prefixes.
# Create an inbound access rule for a public IP address prefix
$inboundRule = @{
Name = 'nsp-inboundRule'
ProfileName = $nspprofile.Name
ResourceGroupName = $rgParams.Name
SecurityPerimeterName = $nsp.Name
Direction = 'Inbound'
AddressPrefix = '192.0.2.0/24'
}
New-AzNetworkSecurityPerimeterAccessRule @inboundrule | format-list
# Update the inbound access rule to add more public IP address prefixes
$updateInboundRule = @{
Name = $inboundrule.Name
ProfileName = $nspprofile.Name
ResourceGroupName = $rgParams.Name
SecurityPerimeterName = $nsp.Name
AddressPrefix = @('192.0.2.0/24','198.51.100.0/24')
}
Update-AzNetworkSecurityPerimeterAccessRule @updateInboundRule | format-list
Note
If managed identity is not assigned to the resource which supports it, outbound access to other resources within the same perimeter will be denied. Subscription based inbound rules intended to allow access from this resource will not take effect.
When you no longer need the network security perimeter, remove all resources associated with the network security perimeter, remove the perimeter, and then remove the resource group.
# Retrieve the network security perimeter and place it in a variable
$nsp= Get-AzNetworkSecurityPerimeter -Name demo-nsp -ResourceGroupName $rg.Params.Name
# Delete the network security perimeter and all associated resources
$removeNsp = @{
Name = 'nsp-association'
ResourceGroupName = $rgParams.Name
SecurityPerimeterName = $nsp.Name
}
Remove-AzNetworkSecurityPerimeterAssociation @removeNsp
Remove-AzNetworkSecurityPerimeter -Name $nsp.Name -ResourceGroupName $rgParams.Name
# Remove the resource group
Remove-AzResourceGroup -Name $rgParams.Name -Force
Note
Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. This may result in access being allowed/denied as per the resource firewall configuration. If PublicNetworkAccess is set to SecuredByPerimeter and the association has been deleted, the resource will enter a locked down state. For more information, see Transition to a network security perimeter in Azure.
Training
Module
Configure Azure Key Vault networking settings - Training
Learn to configure Azure Key Vault networking settings via the Azure portal, enabling secure access control to your vault, protecting sensitive keys and secrets.
Certification
Microsoft Certified: Azure Security Engineer Associate - Certifications
Demonstrate the skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities.
Documentation
Quickstart - Create a network security perimeter - Azure CLI
Learn how to create a network security perimeter for an Azure resource using Azure CLI. This example demonstrates the creation of a network security perimeter for an Azure Key Vault.
Diagnostic logs for Network Security Perimeter
Learn the options for storing diagnostic logs for Network Security Perimeter and how to enable logging through the Azure portal.
Quickstart - Create a network security perimeter - Azure portal
Learn how to create a network security perimeter for an Azure resource using the Azure portal. This example demonstrates the creation of a network security perimeter for an Azure Key Vault.