Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Get started with network security perimeter by creating a network security perimeter for an Azure Key Vault using Azure CLI. A network security perimeter allows Azure PaaS (PaaS)resources to communicate within an explicit trusted boundary. Next, You create and update a PaaS resources association in a network security perimeter profile. Then you create and update network security perimeter access rules. When you're finished, you delete all resources created in this quickstart.
Important
Network security perimeter is now generally available in the following regions of Azure operated by 21Vianet. For information on supported services, see Onboarded private link resources for supported PaaS services."
- China East 2
- China North 2
- China North 3
Prerequisites
An Azure account with an active subscription. Create a trial subscription.
The latest Azure CLI.
- This article requires version 2.38.0 or later of the Azure CLI.
After upgrading to the latest version of Azure CLI, import the network security perimeter commands using
az extension add --name nsp.
Connect to your Azure account and select your subscription
To get started, use your local CLI environment.
If you installed CLI locally, sign in with the following command:
# Sign in to your Azure account az cloud set -n AzureChinaCloud az login # az cloud set -n AzureCloud //means return to Public Azure.Once in your shell, select your active subscription locally with the following command:
# List all subscriptions az account set --subscription <Azure Subscription> # Re-register the Microsoft.Network resource provider az provider register --namespace Microsoft.Network
Create a resource group and key vault
Before you can create a network security perimeter, you have to create a resource group and a key vault resource with az group create and az keyvault create.
This example creates a resource group named resource-group in the chinaeast2 location and a key vault named key-vault-YYYYDDMM in the resource group with the following commands:
az group create \
--name resource-group \
--location chinaeast2
# Create a key vault using a datetime value to ensure a unique name
key_vault_name="key-vault-$(date +%s)"
az keyvault create \
--name $key_vault_name \
--resource-group resource-group \
--location chinaeast2 \
--query 'id' \
--output tsv
Create a network security perimeter
In this step, create a network security perimeter with the az network perimeter create command.
Note
Please don't put any personal identifiable or sensitive data in the network security perimeter rules or other network security perimeter configuration.
az network perimeter create\
--name network-security-perimeter \
--resource-group resource-group \
-l chinaeast2
Create and update PaaS resources' association with a new profile
In this step, you create a new profile and associate the PaaS resource, the Azure Key Vault with the profile using the az network perimeter profile create and az network perimeter association create commands.
Note
For the --private-link-resource and --profile parameter values, replace <PaaSArmId> and <networkSecurityPerimeterProfileId> with the values for the key vault and the profile ID, respectively.
Create a new profile for your network security perimeter with the following command:
# Create a new profile az network perimeter profile create \ --name network-perimeter-profile \ --resource-group resource-group \ --perimeter-name network-security-perimeterAssociate the Azure Key Vault (PaaS resource) with the network security perimeter profile with the following commands.
# Get key vault id az keyvault show \ --name $key_vault_name \ --resource-group resource-group \ --query 'id' # Get the profile id az network perimeter profile show \ --name network-perimeter-profile \ --resource-group resource-group \ --perimeter-name network-security-perimeter # Associate the Azure Key Vault with the network security perimeter profile # Replace <PaaSArmId> and <networkSecurityPerimeterProfileId> with the ID values for your key vault and profile az network perimeter association create \ --name network-perimeter-association \ --perimeter-name network-security-perimeter \ --resource-group resource-group \ --access-mode Learning \ --private-link-resource "{id:<PaaSArmId>}" \ --profile "{id:<networkSecurityPerimeterProfileId>}"Update association by changing the access mode to enforced with the az network perimeter association create command as follows:
az network perimeter association create \ --name network-perimeter-association \ --perimeter-name network-security-perimeter \ --resource-group resource-group \ --access-mode Enforced \ --private-link-resource "{id:<PaaSArmId>}" \ --profile "{id:<networkSecurityPerimeterProfileId>}"
Manage network security perimeter access rules
In this step, you create, update, and delete a network security perimeter access rules with Public IP prefixes using the az network perimeter profile access-rule create command.
Create an inbound access rule with a Public IP prefix for the profile created with the following command:
# Create an inbound access rule az network perimeter profile access-rule create \ --name access-rule \ --profile-name network-perimeter-profile \ --perimeter-name network-security-perimeter \ --resource-group resource-group \ --address-prefixes "[192.0.2.0/24]"Update your inbound access rule with another Public IP prefix with the following command:
# Update the inbound access rule az network perimeter profile access-rule create\ --name access-rule \ --profile-name network-perimeter-profile \ --perimeter-name network-security-perimeter \ --resource-group resource-group \ --address-prefixes "['198.51.100.0/24', '192.0.2.0/24']"If you need to delete an access rule, use the az network perimeter profile access-rule delete command:
# Delete the access rule az network perimeter profile access-rule delete \ --Name network-perimeter-association \ --profile-name network-perimeter-profile \ --perimeter-name network-security-perimeter \ --resource-group resource-group
Note
If managed identity is not assigned to the resource which supports it, outbound access to other resources within the same perimeter will be denied. Subscription based inbound rules intended to allow access from this resource will not take effect.
Delete all resources
To delete a network security perimeter and other resources in this quickstart, use the following az network perimeter commands:
# Delete the network security perimeter association
az network perimeter association delete \
--name network-perimeter-association \
--resource-group resource-group \
--perimeter-name network-security-perimeter
# Delete the network security perimeter
az network perimeter delete \
--resource-group resource-group \
--name network-security-perimeter --yes
# Delete the key vault
az keyvault delete \
--name $key_vault_name \
--resource-group resource-group
# Delete the resource group
az group delete \
--name resource-group \
--yes \
--no-wait
Note
Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. This may result in access being allowed/denied as per the resource firewall configuration. If PublicNetworkAccess is set to SecuredByPerimeter and the association has been deleted, the resource will enter a locked down state. For more information, see Transition to a network security perimeter in Azure.