Quickstart - Create a network security perimeter - ARM Template

Get started with network security perimeter by creating a network security perimeter for an Azure key vault using Azure Resource Manager (ARM) template. A network security perimeter allows Azure Platform as a Service (PaaS) resources to communicate within an explicit trusted boundary. You create and update a PaaS resource's association in a network security perimeter profile. Then you create and update network security perimeter access rules. When you're finished, you delete all resources created in this quickstart.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

You can also create a network security perimeter by using the Azure portal, Azure PowerShell, or the Azure CLI.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button here. The ARM template will open in the Azure portal.


Prerequisites

Review the template

This template creates a private endpoint for an instance of Azure SQL Database.

The template that this quickstart uses is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.33.93.31351",
      "templateHash": "13000240630105370736"
    }
  },
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    },
    "keyVaultName": {
      "type": "string",
      "defaultValue": "[format('kv-{0}', uniqueString(resourceGroup().id))]"
    },
    "nspName": {
      "type": "string",
      "defaultValue": "networkSecurityPerimeter"
    },
    "profileName": {
      "type": "string",
      "defaultValue": "profile1"
    },
    "inboundIpv4AccessRuleName": {
      "type": "string",
      "defaultValue": "inboundRule"
    },
    "outboundFqdnAccessRuleName": {
      "type": "string",
      "defaultValue": "outboundRule"
    },
    "associationName": {
      "type": "string",
      "defaultValue": "networkSecurityPerimeterAssociation"
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2022-07-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [],
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "enableRbacAuthorization": false
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityPerimeters",
      "apiVersion": "2023-07-01-preview",
      "name": "[parameters('nspName')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/networkSecurityPerimeters/profiles",
      "apiVersion": "2023-07-01-preview",
      "name": "[format('{0}/{1}', parameters('nspName'), parameters('profileName'))]",
      "location": "[parameters('location')]",
      "properties": {},
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityPerimeters', parameters('nspName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules",
      "apiVersion": "2023-07-01-preview",
      "name": "[format('{0}/{1}/{2}', parameters('nspName'), parameters('profileName'), parameters('inboundIpv4AccessRuleName'))]",
      "location": "[parameters('location')]",
      "properties": {
        "direction": "Inbound",
        "addressPrefixes": [
          "100.10.0.0/16"
        ],
        "fullyQualifiedDomainNames": [],
        "subscriptions": [],
        "emailAddresses": [],
        "phoneNumbers": []
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', parameters('nspName'), parameters('profileName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules",
      "apiVersion": "2023-07-01-preview",
      "name": "[format('{0}/{1}/{2}', parameters('nspName'), parameters('profileName'), parameters('outboundFqdnAccessRuleName'))]",
      "location": "[parameters('location')]",
      "properties": {
        "direction": "Outbound",
        "addressPrefixes": [],
        "fullyQualifiedDomainNames": [
          "contoso.com"
        ],
        "subscriptions": [],
        "emailAddresses": [],
        "phoneNumbers": []
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', parameters('nspName'), parameters('profileName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations",
      "apiVersion": "2023-07-01-preview",
      "name": "[format('{0}/{1}', parameters('nspName'), parameters('associationName'))]",
      "location": "[parameters('location')]",
      "properties": {
        "privateLinkResource": {
          "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
        },
        "profile": {
          "id": "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', parameters('nspName'), parameters('profileName'))]"
        },
        "accessMode": "Enforced"
      },
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
        "[resourceId('Microsoft.Network/networkSecurityPerimeters', parameters('nspName'))]",
        "[resourceId('Microsoft.Network/networkSecurityPerimeters/profiles', parameters('nspName'), parameters('profileName'))]"
      ]
    }
  ]
}

The template defines multiple Azure resources:

  Microsoft.KeyVault/vaults: the key vault that is placed inside the perimeter.
  Microsoft.Network/networkSecurityPerimeters: the network security perimeter.
  Microsoft.Network/networkSecurityPerimeters/profiles: the profile that holds the access rules.
  Microsoft.Network/networkSecurityPerimeters/profiles/accessRules: one inbound rule for the 100.10.0.0/16 address prefix and one outbound rule for the contoso.com fully qualified domain name.
  Microsoft.Network/networkSecurityPerimeters/resourceAssociations: the association of the key vault with the profile, with accessMode set to Enforced.
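As an added pre-deployment check (example code, not part of this quickstart or of any Azure SDK), the following Python script walks the perimeter resources of the template above and reports what a reviewer would want flagged before deploying: an inbound address prefix broader than an assumed /8 policy threshold, a malformed CIDR, prefixes or FQDNs on the rule direction the quickstart does not use them for, and an association whose accessMode is anything other than Enforced. The `lint_perimeter` function, its threshold and the trimmed `TEMPLATE` excerpt are the example's own assumptions; pass it the parsed JSON of the saved template file to lint the whole deployment.

```python
import ipaddress
import json

# Constructed excerpt: same resource types, property names and values as the perimeter
# resources in the quickstart template above; the Key Vault and the perimeter itself
# are omitted because the checks below do not inspect them.
TEMPLATE = json.loads('''{"resources": [
  {"type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules",
   "properties": {"direction": "Inbound", "addressPrefixes": ["100.10.0.0/16"],
                  "fullyQualifiedDomainNames": []}},
  {"type": "Microsoft.Network/networkSecurityPerimeters/profiles/accessRules",
   "properties": {"direction": "Outbound", "addressPrefixes": [],
                  "fullyQualifiedDomainNames": ["contoso.com"]}},
  {"type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations",
   "properties": {"accessMode": "Enforced"}}]}''')


def lint_perimeter(template, min_inbound_prefixlen=8):
    """Return review findings for the perimeter resources of a parsed ARM template."""
    # min_inbound_prefixlen is an assumed local policy: an inbound prefix shorter than
    # /8 (0.0.0.0/0 being the extreme) is treated as too broad for a perimeter.
    findings = []
    for res in template.get("resources", []):
        rtype, props = res.get("type", ""), res.get("properties", {})
        if rtype.endswith("/profiles/accessRules"):
            direction = props.get("direction")
            for prefix in props.get("addressPrefixes", []):
                try:
                    net = ipaddress.ip_network(prefix, strict=False)
                except ValueError:
                    findings.append(f"{direction} rule: {prefix!r} is not a valid CIDR")
                    continue
                if direction == "Inbound" and net.prefixlen < min_inbound_prefixlen:
                    findings.append(f"Inbound rule: {prefix} is broader than /{min_inbound_prefixlen}")
            # The quickstart puts prefixes on the Inbound rule and FQDNs on the Outbound
            # rule; any other combination is flagged for a human to review.
            if direction == "Outbound" and props.get("addressPrefixes"):
                findings.append("Outbound rule: address prefixes present, expected FQDNs only")
            if direction == "Inbound" and props.get("fullyQualifiedDomainNames"):
                findings.append("Inbound rule: FQDNs present, expected address prefixes only")
        elif rtype.endswith("/resourceAssociations"):
            mode = props.get("accessMode")
            if mode != "Enforced":  # the quickstart uses Enforced; anything else needs review
                findings.append(f"association accessMode is {mode!r}, not Enforced")
    return findings


if __name__ == "__main__":
    print(lint_perimeter(TEMPLATE) or "no findings")
```

The quickstart's own rules produce no findings; the checks only fire on a template that has drifted from the configuration shown above.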

Deploy the template

Deploy the ARM template to Azure by doing the following:

  1. Sign in to Azure and open the ARM template by selecting the Deploy to Azure button here. The template creates the network security perimeter and an Azure Key Vault instance.

  2. Select your resource group or create a new one.

  3. Enter the SQL administrator sign-in name and password.

  4. Enter the virtual machine administrator username and password.

  5. Read the terms and conditions statement. If you agree, select I agree to the terms and conditions stated above, and then select Purchase. The deployment can take 20 minutes or longer to complete.

Validate the deployment

Clean up resources

When you no longer need the resources that you created with the private endpoint, delete the resource group. Doing so removes the private endpoint and all the related resources.

To delete the resource group, run the Remove-AzResourceGroup cmdlet:

Remove-AzResourceGroup -Name <your resource group name>

Next steps

For more information about the services that support private endpoints, see: