Quickstart: Create a network security perimeter - Azure PowerShell

Get started with network security perimeter by creating a network security perimeter for an Azure key vault using Azure PowerShell. A network security perimeter allows Azure Platform as a Service (PaaS) resources to communicate within an explicit trusted boundary. You create and update a PaaS resource's association in a network security perimeter profile. Then you create and update network security perimeter access rules. When you're finished, you delete all resources created in this quickstart.

Important

Network Security Perimeter is in public preview and available in all Azure public cloud regions. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Prerequisites

• An Azure account with an active subscription. Create an account for free.

• Registration for the Azure Network Security Perimeter public preview is required. To register, add the AllowNSPInPublicPreview feature flag to your subscription.

  For more information on adding feature flags, see Set up preview features in Azure subscription.

• After the feature flag is added, you need to re-register the Microsoft.Network resource provider in your subscription.

  • To re-register the Microsoft.Network resource provider in the Azure portal, select your subscription, and then select Resource providers. Search for Microsoft.Network and select Re-register.

    

  • To re-register the Microsoft.Network resource provider, use the following Azure PowerShell command:

  # Register the Microsoft.Network resource provider
  Register-AzResourceProvider -ProviderNamespace Microsoft.Network
  

  • To re-register the Microsoft.Network resource provider, use the following Azure CLI command:

    # Register the Microsoft.Network resource provider
    az provider register --namespace Microsoft.Network
    

  For more information on re-registering resource providers, see Azure resource providers and types.

• The latest version of the Azure PowerShell module with tools for network security perimeter.

  # Install the Az.Tools.Installer module    
  Install-Module -Name Az.Tools.Installer -Repository PSGallery
  

• Use Az.Tools.Installer to install the preview build of the Az.Network:

  # Install the preview build of the Az.Network module
  Install-Module -Name Az.Tools.Installer -Repository PSGallery -allowprerelease -force
  
  # List the current versions of the Az.Network module available in the PowerShell Gallery
  Find-Module -Name Az.Network -Allversions -AllowPrerelease
  
  # Install the preview build of the Az.Network module using the 
  
  Install-AzModule -Name Az.Network -AllowPrerelease -Force
  Install-AzModule -Path <previewVersionNumber>
  

  Note

  The preview version of the Az.Network module is required to use network security perimeter capabilities. The latest version of the Az.Network module is available in the PowerShell Gallery. Look for the newest version that ends in -preview.

• If you choose to use Azure PowerShell locally:

  • Install the latest version of the Az PowerShell module.
  • Connect to your Azure account using the Connect-AzAccount cmdlet.

• If you choose to use Azure Cloud Shell:

  • For more information on Azure Cloud Shell, see Overview of Azure Cloud Shell.

• To get help with the PowerShell cmdlets, use the Get-Help command:

  
  # Get help for a specific command
  get-help -Name <powershell-command> - full
  
  # Example
  get-help -Name New-AzNetworkSecurityPerimeter - full
  

Sign in to your Azure account and select your subscription

To begin your configuration, sign in to your Azure account:

# Sign in to your Azure account
Connect-AzAccount

Then, connect to your subscription:

# List all subscriptions
Set-AzContext -Subscription <subscriptionId>

# Register the Microsoft.Network resource provider
Register-AzResourceProvider -ProviderNamespace Microsoft.Network

Create a resource group and key vault

Before you can create a network security perimeter, you have to create a resource group and a key vault resource.
This example creates a resource group named test-rg in the WestCentralUS location and a key vault named demo-keyvault-<RandomValue> in the resource group with the following commands:

# Create a resource group
$rgParams = @{
    Name = "test-rg"
    Location = "westcentralus"
}
New-AzResourceGroup @rgParams

# Create a key vault
$keyVaultName = "demo-keyvault-$(Get-Random)"
$keyVaultParams = @{
    Name = $keyVaultName
    ResourceGroupName = $rgParams.Name
    Location = $rgParams.Location
}
$keyVault = New-AzKeyVault @keyVaultParams

Create a network security perimeter

In this step, create a network security perimeter with the following New-AzNetworkSecurityPerimeter command:

Note

Please do not put any personal identifiable or sensitive data in the network security perimeter rules or other network security perimeter configuration.

# Create a network security perimeter
$nsp = @{ 
        Name = 'demo-nsp' 
        location = 'westcentralus' 
        ResourceGroupName = $rgParams.name  
        } 

$demoNSP=New-AzNetworkSecurityPerimeter @nsp
$nspId = $demoNSP.Id
  

Create and update PaaS resources’ association with a new profile

In this step, you create a new profile and associate the PaaS resource, the Azure Key Vault with the profile using the New-AzNetworkSecurityPerimeterProfile and New-AzNetworkSecurityPerimeterAssociation commands.

1. Create a new profile for your network security perimeter with the following command:

       # Create a new profile
   
       $nspProfile = @{ 
           Name = 'nsp-profile' 
           ResourceGroupName = $rgParams.name 
           SecurityPerimeterName = $nsp.name 
           }
   
       $demoProfileNSP=New-AzNetworkSecurityPerimeterProfile @nspprofile
   

2. Associate the Azure Key Vault (PaaS resource) with the network security perimeter profile with the following command:

       # Associate the PaaS resource with the above created profile
   
       $nspAssociation = @{ 
           AssociationName = 'nsp-association' 
           ResourceGroupName = $rgParams.name 
           SecurityPerimeterName = $nsp.name 
           AccessMode = 'Learning'  
           ProfileId = $demoProfileNSP.Id 
           PrivateLinkResourceId = $keyVault.ResourceID
           }
   
       New-AzNetworkSecurityPerimeterAssociation @nspassociation | format-list
   

3. Update association by changing the access mode to enforced with the Update-AzNetworkSecurityPerimeterAssociation command as follows:

       # Update the association to enforce the access mode
       $updateAssociation = @{ 
           AssociationName = $nspassociation.AssociationName 
           ResourceGroupName = $rgParams.name 
           SecurityPerimeterName = $nsp.name 
           AccessMode = 'Enforced'
           }
       Update-AzNetworkSecurityPerimeterAssociation @updateAssociation | format-list
   

Manage network security perimeter access rules

In this step, you create, update and delete network security perimeter access rules with public IP address prefixes.

    # Create an inbound access rule for a public IP address prefix
    $inboundRule = @{ 
        Name = 'nsp-inboundRule' 
        ProfileName = $nspprofile.Name  
        ResourceGroupName = $rgParams.Name  
        SecurityPerimeterName = $nsp.Name  
        Direction = 'Inbound'  
        AddressPrefix = '192.0.2.0/24' 
        } 

    New-AzNetworkSecurityPerimeterAccessRule @inboundrule | format-list

    # Update the inbound access rule to add more public IP address prefixes
    $updateInboundRule = @{ 
        Name = $inboundrule.Name 
        ProfileName = $nspprofile.Name  
        ResourceGroupName = $rgParams.Name  
        SecurityPerimeterName = $nsp.Name  
        AddressPrefix = @('192.0.2.0/24','198.51.100.0/24')
        }
    Update-AzNetworkSecurityPerimeterAccessRule @updateInboundRule | format-list

Note

If managed identity is not assigned to the resource which supports it, outbound access to other resources within the same perimeter will be denied. Subscription based inbound rules intended to allow access from this resource will not take effect.

Delete all resources

When you no longer need the network security perimeter, remove all resources associated with the network security perimeter, remove the perimeter, and then remove the resource group.

    # Retrieve the network security perimeter and place it in a variable
    $nsp= Get-AzNetworkSecurityPerimeter -Name demo-nsp -ResourceGroupName $rg.Params.Name

    # Delete the network security perimeter and all associated resources
    $removeNsp = @{ 
        Name = 'nsp-association'
        ResourceGroupName = $rgParams.Name
        SecurityPerimeterName = $nsp.Name
        }
    Remove-AzNetworkSecurityPerimeterAssociation @removeNsp
    
    Remove-AzNetworkSecurityPerimeter -Name $nsp.Name -ResourceGroupName $rgParams.Name
    
    # Remove the resource group
    Remove-AzResourceGroup -Name $rgParams.Name -Force

Note

Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. This may result in access being allowed/denied as per the resource firewall configuration. If PublicNetworkAccess is set to SecuredByPerimeter and the association has been deleted, the resource will enter a locked down state. For more information, see Transition to a network security perimeter in Azure.

Next steps

Diagnostic logging for Azure Network Security Perimeter