Olivier Miossec

Set up Azure Network Security Perimeter with PowerShell

Azure Network Security Perimeter is one of the new features announced by Microsoft during the MS Ignite 2024 in Chicago.

Network Security Perimeter (or NSP) aims to give public-facing PaaS services the equivalent of what a Network Security Group provides for IaaS. The NSP restricts inbound and outbound network access to PaaS services, and, like NSG access, the traffic can be logged.

The service is in preview and is only available in some US regions (East US, East US 2, North Central US, South Central US, West US, and West US 2). It is limited to a set of Azure services: Azure Monitor, Azure AI Search, Cosmos DB, Event Hubs, Key Vault, SQL DB, and Storage account.

The NSP itself acts as a container. It holds one or several profiles; each profile contains one or several rules and is associated with one or more PaaS resources. The rules define how traffic is handled for the resources associated with that profile.

A PaaS service can be associated with a profile in one of two modes: learning mode or enforcement mode.

Let’s try to make it work for a simple scenario by using a storage account, a key vault, and an Azure Function. The Azure Function can send data to the storage account and access the Key vault.

The first step is to register the preview feature.

Check first if the feature is registered.

Get-AzProviderFeature -FeatureName "AllowNSPInPublicPreview" -ProviderNamespace "Microsoft.Network"

If not, register it.

Register-AzProviderFeature -FeatureName "AllowNSPInPublicPreview" -ProviderNamespace "Microsoft.Network"

Then you need to re-register the Microsoft.Network provider in the subscription.

Register-AzResourceProvider -ProviderNamespace Microsoft.Network

The next step is to update the Az.Network PowerShell module. To find the latest version of the Az.Network module:

Find-Module -Name Az.Network -AllVersions -AllowPrerelease

In my case, it was 7.7.1-preview.

Install-Module -Name Az.Network -AllowPrerelease -Force -RequiredVersion 7.7.1-preview

After that, you can import the module, but it is better to open a new shell first so the older module version is not still loaded.

Import-Module Az.Network -MinimumVersion "7.7.1"

You need to check that the new NSP cmdlets are loaded.

Get-Help New-AzNetworkSecurityPerimeter
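Feature registration is asynchronous, so the steps above can fail if you run them back to back. The following helper is an added example (not part of the original post) that polls the registration state, re-registers the provider once the feature is registered, and reports which NSP cmdlets are missing from the loaded Az.Network module. The function names, the timeout values and the list of expected cmdlets are assumptions; the cmdlets themselves are the ones used in this post.

```powershell
# Added example: wait for the NSP preview feature and verify the module is ready.
# Wait-NspPreviewFeature / Test-NspCmdlets are hypothetical helper names.
function Wait-NspPreviewFeature {
    param(
        [int] $TimeoutMinutes = 30,   # assumed upper bound; registration usually takes a few minutes
        [int] $PollSeconds    = 30
    )
    $featureName = "AllowNSPInPublicPreview"
    $namespace   = "Microsoft.Network"
    $deadline    = (Get-Date).AddMinutes($TimeoutMinutes)

    $feature = Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace
    if ($feature.RegistrationState -ne "Registered") {
        # Idempotent: re-issuing Register-AzProviderFeature on a pending feature is harmless
        Register-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace | Out-Null
    }

    while ($feature.RegistrationState -ne "Registered") {
        if ((Get-Date) -gt $deadline) {
            throw "Feature $featureName did not reach Registered within $TimeoutMinutes minutes (state: $($feature.RegistrationState))"
        }
        Start-Sleep -Seconds $PollSeconds
        $feature = Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace
        Write-Verbose "$featureName registration state: $($feature.RegistrationState)"
    }

    # The provider must be re-registered so the subscription picks up the new feature
    Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null
    return $feature.RegistrationState
}

function Test-NspCmdlets {
    # Returns the NSP cmdlets that are NOT available; an empty result means the
    # preview Az.Network module is loaded correctly.
    $expected = @(
        "New-AzNetworkSecurityPerimeter",
        "New-AzNetworkSecurityPerimeterProfile",
        "New-AzNetworkSecurityPerimeterAssociation",
        "New-AzNetworkSecurityPerimeterAccessRule"
    )
    $expected | Where-Object { -not (Get-Command $_ -ErrorAction SilentlyContinue) }
}

# Usage
Wait-NspPreviewFeature -Verbose
$missing = Test-NspCmdlets
if ($missing) {
    throw "Az.Network is too old or not imported; missing cmdlets: $($missing -join ', ')"
}
```

Running the check up front turns a confusing "cmdlet not recognized" error later in the script into a clear message about the module version.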

The next step is to create a new NSP.

$demoNSP = New-AzNetworkSecurityPerimeter -Name demoNSP -Location westus2 -ResourceGroupName 02-testnetperimeter

Then we need to create a profile in the new NSP.

$demoProfileNSP = New-AzNetworkSecurityPerimeterProfile -Name dmoprofile -ResourceGroupName 02-testnetperimeter -SecurityPerimeterName demoNSP

Now we need to associate resources with this profile. Let’s begin with the storage account and the key vault, using their full resource IDs.

$vaultId = "/subscriptions/XXXXXX"

New-AzNetworkSecurityPerimeterAssociation -AssociationName nsp-keyvault  -ResourceGroupName "02-testnetperimeter" -SecurityPerimeterName $demoNSP.name -ProfileId $demoProfileNSP.id -PrivateLinkResourceId  $vaultId -AccessMode Enforced

$storageAccountID = "/subscriptions/XXXXXX"

New-AzNetworkSecurityPerimeterAssociation -AssociationName nsp-storage  -ResourceGroupName "02-testnetperimeter" -SecurityPerimeterName $demoNSP.name -ProfileId $demoProfileNSP.id -PrivateLinkResourceId $storageAccountID -AccessMode Enforced

If we look at the NSP in the Azure portal, we see that both resources are added to the profile, but there is a warning for the storage account.

The access mode is Enforced, so only traffic from inside the perimeter is allowed unless an access rule is added.

The Azure Function app can no longer access the key vault or the storage account. Likewise, if you try to read data from the storage account or the key vault from the portal, you get an error.

An access rule needs to be added. An inbound access rule can match traffic in two ways: by IP address range or by subscription.

To add one or more subscriptions to an inbound rule, the New-AzNetworkSecurityPerimeterAccessRule cmdlet has a Subscription parameter that requires a special type, System.Collections.Generic.List`1[Microsoft.Azure.PowerShell.Cmdlets.NetworkSecurityPerimeter.Models.ISubscriptionId].

$subID1 =  @{ "ID" = "/subscriptions/a3cefae9-XXX"}

$subID2 =  @{ "ID" = "/subscriptions/6429c9df-XXX"}

$subIDList = [System.Collections.Generic.List[Microsoft.Azure.PowerShell.Cmdlets.NetworkSecurityPerimeter.Models.ISubscriptionId]]::new()

$subIDList.Add($subID1)
$subIDList.Add($subID2)


New-AzNetworkSecurityPerimeterAccessRule -Name "allowSubscription" -ResourceGroupName "02-testnetperimeter"  -ProfileName $demoProfileNSP.name -SecurityPerimeterName $demoNSP.name -Direction "Inbound" -Subscription $subIDList
Enter fullscreen mode Exit fullscreen mode

After that, the Function (running in one of the allowed subscriptions) can access the key vault and the storage account again.

In the same way, we can manage outbound access from the PaaS services. In Network Security Perimeter, an outbound rule can only target email addresses (this option is not yet implemented) or FQDNs.

For FQDNs:

New-AzNetworkSecurityPerimeterAccessRule -Name "outboundFQDN" -ResourceGroupName "02-testnetperimeter"  -ProfileName $demoProfileNSP.name -SecurityPerimeterName $demoNSP.name -Direction "outbound"  -FullyQualifiedDomainName @("www.test.com", "www.test.net")

For emails (this may trigger an error, since the option is not implemented yet):

New-AzNetworkSecurityPerimeterAccessRule -Name "outboundEmails" -ResourceGroupName "02-testnetperimeter"  -ProfileName $demoProfileNSP.name -SecurityPerimeterName $demoNSP.name -Direction "outbound" -EmailAddress @("test@test.com")
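The steps above associate the resources in Enforced mode straight away, which is what broke the Function until the inbound rule existed. The script below is an added end-to-end example (not the post's own code) that goes through the same procedure in the safer order: associate in learning mode, add the inbound rules (both the subscription form shown above and the IP-range form the post mentions) and the outbound FQDN rule, review the rules, and only then switch the associations to Enforced. The key vault and storage account names, the subscription ID, the IP range and the FQDN are placeholders; the access mode value "Learning", the -AddressPrefix parameter, and the Get-/Update-AzNetworkSecurityPerimeterAssociation and Get-AzNetworkSecurityPerimeterAccessRule cmdlets are assumed to exist in the preview Az.Network module alongside the New-* cmdlets used in the post.

```powershell
# Added example: learning mode first, then rules, then enforcement.
$rg       = "02-testnetperimeter"   # resource group from the post
$location = "westus2"
$nspName  = "demoNSP"
$profName = "demoprofile"

# Resolve resource IDs from the resources instead of pasting them (names are placeholders)
$vaultId   = (Get-AzKeyVault -VaultName "kv-nsp-demo" -ResourceGroupName $rg).ResourceId
$storageId = (Get-AzStorageAccount -Name "stnspdemo" -ResourceGroupName $rg).Id

$nsp  = New-AzNetworkSecurityPerimeter -Name $nspName -Location $location -ResourceGroupName $rg
$prof = New-AzNetworkSecurityPerimeterProfile -Name $profName -ResourceGroupName $rg -SecurityPerimeterName $nsp.Name

# 1. Associate in learning mode: traffic is logged but not blocked, so the Function
#    keeps working while the rules are written. ("Learning" mode value is an assumption.)
$targets = @{ "nsp-keyvault" = $vaultId; "nsp-storage" = $storageId }
foreach ($assoc in $targets.GetEnumerator()) {
    New-AzNetworkSecurityPerimeterAssociation -AssociationName $assoc.Key -ResourceGroupName $rg `
        -SecurityPerimeterName $nsp.Name -ProfileId $prof.Id `
        -PrivateLinkResourceId $assoc.Value -AccessMode Learning | Out-Null
}

# 2. Inbound by subscription: same typed List[ISubscriptionId] pattern as in the post.
#    Keep the list to the subscriptions that actually host callers (placeholder ID below).
$subIdList = [System.Collections.Generic.List[Microsoft.Azure.PowerShell.Cmdlets.NetworkSecurityPerimeter.Models.ISubscriptionId]]::new()
foreach ($sub in @("/subscriptions/00000000-0000-0000-0000-000000000001")) {
    $subIdList.Add(@{ "ID" = $sub })
}
New-AzNetworkSecurityPerimeterAccessRule -Name "allowSubscription" -ResourceGroupName $rg `
    -ProfileName $prof.Name -SecurityPerimeterName $nsp.Name -Direction Inbound -Subscription $subIdList | Out-Null

# 3. Inbound by IP range: the public egress range you own (placeholder prefix;
#    -AddressPrefix parameter name is an assumption).
New-AzNetworkSecurityPerimeterAccessRule -Name "allowOfficeEgress" -ResourceGroupName $rg `
    -ProfileName $prof.Name -SecurityPerimeterName $nsp.Name -Direction Inbound `
    -AddressPrefix @("203.0.113.0/24") | Out-Null

# 4. Outbound: allow-list only the FQDNs the PaaS services must reach (placeholder FQDN).
New-AzNetworkSecurityPerimeterAccessRule -Name "outboundFQDN" -ResourceGroupName $rg `
    -ProfileName $prof.Name -SecurityPerimeterName $nsp.Name -Direction Outbound `
    -FullyQualifiedDomainName @("api.example.com") | Out-Null

# 5. Review the rules and associations before enforcing anything (Get-* cmdlets assumed)
Get-AzNetworkSecurityPerimeterAccessRule -ResourceGroupName $rg -SecurityPerimeterName $nsp.Name -ProfileName $prof.Name |
    Select-Object Name, Direction, AddressPrefix, FullyQualifiedDomainName | Format-Table
Get-AzNetworkSecurityPerimeterAssociation -ResourceGroupName $rg -SecurityPerimeterName $nsp.Name |
    Select-Object Name, AccessMode | Format-Table

# 6. Switch to Enforced once the learning-mode logs show no unexpected callers
#    (Update-AzNetworkSecurityPerimeterAssociation is assumed to accept -AccessMode).
foreach ($name in $targets.Keys) {
    Update-AzNetworkSecurityPerimeterAssociation -AssociationName $name -ResourceGroupName $rg `
        -SecurityPerimeterName $nsp.Name -AccessMode Enforced | Out-Null
}
```

The ordering is the point: learning mode gives you a log of who actually talks to the key vault and the storage account, so the inbound rules can be written from observed traffic rather than guessed, and enforcement is flipped on only after the rules are in place and reviewed.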


Top comments (2)

Marco Platzer

Do you have an idea when this feature comes to the Switzerland regions?

Olivier Miossec

First quarter of 2025 for Europe, I guess.
