Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Get started with network security perimeter by creating a network security perimeter for an Azure Key Vault using Azure PowerShell. A network security perimeter allows Azure Platform as a Service (PaaS) resources to communicate within an explicit trusted boundary. You create and update a PaaS resource's association in a network security perimeter profile. Then you create and update network security perimeter access rules. When you're finished, you delete all resources created in this quickstart.
Important
Network security perimeter is now generally available in the following regions of Azure operated by 21Vianet. For information on supported services, see Onboarded private link resources for supported PaaS services."
- China East 2
- China North 2
- China North 3
Prerequisites
An Azure account with an active subscription. Create a trial subscription.
Install the Az.Tools.Installer module:
# Install the Az.Tools.Installer module Install-Module -Name Az.Tools.Installer -Repository PSGalleryInstall the preview build of the
Az.Network:# Install the preview build of the Az.Network module Install-Module -Name Az.Network -AllowPrerelease -Force -RequiredVersion 7.13.0-previewYou can choose to use Azure PowerShell locally
To get help with the PowerShell cmdlets, use the
Get-Helpcommand:# Get help for a specific command Get-Help -Name <powershell-command> - full # Example Get-Help -Name New-AzNetworkSecurityPerimeter - full
Sign in to your Azure account and select your subscription
To begin your configuration, sign in to your Azure account:
# Sign in to your Azure account
Connect-AzAccount -Environment AzureChinaCloud
Then, connect to your subscription:
# List all subscriptions
Set-AzContext -Subscription <subscriptionId>
# Register the Microsoft.Network resource provider
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
Create a resource group and key vault
Before you can create a network security perimeter, you have to create a resource group and a key vault resource.
This example creates a resource group named test-rg in the chinaeast2 location and a key vault named demo-keyvault-<RandomValue> in the resource group with the following commands:
# Create a resource group
$rgParams = @{
Name = "test-rg"
Location = "chinaeast2"
}
New-AzResourceGroup @rgParams
# Create a key vault
$keyVaultName = "demo-keyvault-$(Get-Random)"
$keyVaultParams = @{
Name = $keyVaultName
ResourceGroupName = $rgParams.Name
Location = $rgParams.Location
}
$keyVault = New-AzKeyVault @keyVaultParams
Create a network security perimeter
In this step, create a network security perimeter with the following New-AzNetworkSecurityPerimeter command:
Note
Please do not put any personal identifiable or sensitive data in the network security perimeter rules or other network security perimeter configuration.
# Create a network security perimeter
$nsp = @{
Name = 'demo-nsp'
location = 'chinaeast2'
ResourceGroupName = $rgParams.name
}
$demoNSP=New-AzNetworkSecurityPerimeter @nsp
$nspId = $demoNSP.Id
Create and update PaaS resources' association with a new profile
In this step, you create a new profile and associate the PaaS resource, the Azure Key Vault with the profile using the New-AzNetworkSecurityPerimeterProfile and New-AzNetworkSecurityPerimeterAssociation commands.
Create a new profile for your network security perimeter with the following command:
# Create a new profile $nspProfile = @{ Name = 'nsp-profile' ResourceGroupName = $rgParams.name SecurityPerimeterName = $nsp.name } $demoProfileNSP=New-AzNetworkSecurityPerimeterProfile @nspprofileAssociate the Azure Key Vault (PaaS resource) with the network security perimeter profile with the following command:
# Associate the PaaS resource with the above created profile $nspAssociation = @{ AssociationName = 'nsp-association' ResourceGroupName = $rgParams.name SecurityPerimeterName = $nsp.name AccessMode = 'Learning' ProfileId = $demoProfileNSP.Id PrivateLinkResourceId = $keyVault.ResourceID } New-AzNetworkSecurityPerimeterAssociation @nspassociation | format-listUpdate association by changing the access mode to
enforcedwith theUpdate-AzNetworkSecurityPerimeterAssociationcommand as follows:# Update the association to enforce the access mode $updateAssociation = @{ AssociationName = $nspassociation.AssociationName ResourceGroupName = $rgParams.name SecurityPerimeterName = $nsp.name AccessMode = 'Enforced' } Update-AzNetworkSecurityPerimeterAssociation @updateAssociation | format-list
Manage network security perimeter access rules
In this step, you create, update and delete network security perimeter access rules with Public IP prefixes.
# Create an inbound access rule for a Public IP prefix
$inboundRule = @{
Name = 'nsp-inboundRule'
ProfileName = $nspprofile.Name
ResourceGroupName = $rgParams.Name
SecurityPerimeterName = $nsp.Name
Direction = 'Inbound'
AddressPrefix = '192.0.2.0/24'
}
New-AzNetworkSecurityPerimeterAccessRule @inboundrule | format-list
# Update the inbound access rule to add more Public IP prefixes
$updateInboundRule = @{
Name = $inboundrule.Name
ProfileName = $nspprofile.Name
ResourceGroupName = $rgParams.Name
SecurityPerimeterName = $nsp.Name
AddressPrefix = @('192.0.2.0/24','198.51.100.0/24')
}
Update-AzNetworkSecurityPerimeterAccessRule @updateInboundRule | format-list
Note
If managed identity is not assigned to the resource which supports it, outbound access to other resources within the same perimeter will be denied. Subscription based inbound rules intended to allow access from this resource will not take effect.
Delete all resources
When you no longer need the network security perimeter, remove all resources associated with the network security perimeter, remove the perimeter, and then remove the resource group.
# Retrieve the network security perimeter and place it in a variable
$nsp= Get-AzNetworkSecurityPerimeter -Name demo-nsp -ResourceGroupName $rg.Params.Name
# Delete the network security perimeter and all associated resources
$removeNsp = @{
Name = 'nsp-association'
ResourceGroupName = $rgParams.Name
SecurityPerimeterName = $nsp.Name
}
Remove-AzNetworkSecurityPerimeterAssociation @removeNsp
Remove-AzNetworkSecurityPerimeter -Name $nsp.Name -ResourceGroupName $rgParams.Name
# Remove the resource group
Remove-AzResourceGroup -Name $rgParams.Name -Force
Note
Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. This may result in access being allowed/denied as per the resource firewall configuration. If PublicNetworkAccess is set to SecuredByPerimeter and the association has been deleted, the resource will enter a locked down state. For more information, see Transition to a network security perimeter in Azure.