Add a search service to a network security perimeter

This article explains how to join an Azure AI Search service to a network security perimeter to control network access to your search service. By joining a network security perimeter, you can:

• Log all access to your search service in context with other Azure resources in the same perimeter.
• Block any data exfiltration from a search service to other services outside the perimeter.
• Allow access to your search service using inbound and outbound access capabilities of the network security perimeter.

You can add a search service to a network security perimeter in the Azure portal, as described in this article. Alternatively, you can use the Azure Virtual Network Manager REST API to join a search service, and use the Search Management REST APIs to view and synchronize the configuration settings.

Limitations and considerations

• For search services within a network security perimeter, indexers must use a system or user-assigned managed identity and have a role assignment that permits read-access to data sources.

• Supported indexer data sources are currently limited to Azure Blob Storage, Azure Cosmos DB for NoSQL, and Azure SQL Database.

• Currently, within the perimeter, indexer connections to Azure PaaS for data retrieval is the primary use case. For outbound skills-driven API calls to Azure AI services, Azure OpenAI, or the Azure AI Foundry model catalog, or for inbound calls from the Azure AI Foundry for "chat with your data" scenarios you must configure inbound and outbound rules to allow the requests through the perimeter. If you require private connections for structure-aware chunking and vectorization, you should create a shared private link and a private network.

Prerequisites

• An existing network security perimeter. You can create one to associate with your search service.

• Azure AI Search, any billable tier, in any region.

Assign a search service to a network security perimeter

Azure Network Security Perimeter allows administrators to define a logical network isolation boundary for PaaS resources (for example, Azure Storage and Azure SQL Database) that are deployed outside virtual networks. It restricts communication to resources within the perimeter, and it allows non-perimeter public traffic through inbound and outbound access rules.

You can add Azure AI Search to a network security perimeter so that all indexing and query requests occur within the security boundary.

1. In the Azure portal, find the network security perimeter service for your subscription.

2. Select Resources from the left-hand menu.

   

3. Select Add > Associate resources with an existing profile.

   

4. Select the profile you created when you created the network security perimeter for Profile.

5. Select Associate, and then select the search service you created.

   

6. Select Associate in the bottom left-hand section of the screen to create the association.

Network security perimeter access modes

Network security perimeter supports two different access modes for associated resources:

Network security perimeter and search service networking settings

The publicNetworkAccess setting determines search service association with a network security perimeter.

• In Learning mode, the publicNetworkAccess setting controls public access to the resource.

• In Enforced mode, the publicNetworkAccess setting is overridden by the network security perimeter rules. For example, if a search service with a publicNetworkAccess setting of enabled is associated with a network security perimeter in Enforced mode, access to the search service is still controlled by network security perimeter access rules.

Change the network security perimeter access mode

1. Navigate to your network security perimeter resource in the Azure portal.

2. Select Resources in the left-hand menu.

   

3. Find your search service in the table.

4. Select the three dots in the far right of the search service row. Select Change access mode in the popup.`

   

5. Select the desired access mode and select Apply.

   

Enable logging network access

1. Navigate to your network security perimeter resource in the Azure portal.

2. Select Diagnostic settings in the left-hand menu.

   

3. Select Add diagnostic setting.

4. Enter any name such as "diagnostic" for Diagnostic setting name.

5. Under Logs, select allLogs. allLogs ensures all inbound and outbound network access to resources in your network security perimeter is logged.

6. Under Destination details, select Archive to a storage account or Send to Log Analytics workspace. The storage account must be in the same region as the network security perimeter. You can either use an existing storage account or create a new one. A Log Analytics workspace can be in a different region than the one used by the network security perimeter. You can also select any of the other applicable destinations.

   

7. Select Save to create the diagnostic setting and start logging network access.

Reading network access logs

Log Analytics workspace

The network-security-perimeterAccessLogs table contains all the logs for every log category (for example network-security-perimeterPublicInboundResourceRulesAllowed). Every log contains a record of the network security perimeter network access that matches the log category.

Here's an example of the network-security-perimeterPublicInboundResourceRulesAllowed log format:

Storage Account

The storage account has containers for every log category (for example insights-logs-network-security-perimeterpublicinboundperimeterrulesallowed). The folder structure inside the container matches the resource ID of the network security perimeter and the time the logs were taken. Each line on the JSON log file contains a record of the network security perimeter network access that matches the log category.

For example, the inbound perimeter rules allowed category log uses the following format:

"properties": {
    "ServiceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/network-security-perimeter/providers/Microsoft.Search/searchServices/network-security-perimeter-search",
    "Profile": "defaultProfile",
    "MatchedRule": {
        "AccessRule": "myaccessrule"
    },
    "Source": {
        "IpAddress": "255.255.255.255",
    }
}

Add an access rule for your search service

A network security perimeter profile specifies rules that allow or deny access through the perimeter.

Within the perimeter, all resources have mutual access at the network level. You must still set up authentication and authorization, but at the network level, connection requests from inside the perimeter are accepted.

For resources outside of the network security perimeter, you must specify inbound and outbound access rules. Inbound rules specify which connections to allow in, and outbound rules specify which requests are allowed out.

A search service accepts inbound requests from apps like Azure AI Foundry portal, Azure Machine Learning prompt flow, and any app that sends indexing or query requests. A search service sends outbound requests during indexer-based indexing and skillset execution. This section explains how to set up inbound and outbound access rules for Azure AI Search scenarios.

Add an inbound access rule

Inbound access rules can allow the internet and resources outside the perimeter to connect with resources inside the perimeter.

Network security perimeter supports two types of inbound access rules:

• IP address ranges. IP addresses or ranges must be in the Classless Inter-Domain Routing (CIDR) format. An example of CIDR notation is 192.0.2.0/24, which represents the IPs that range from 192.0.2.0 to 192.0.2.255. This type of rule allows inbound requests from any IP address within the range.

• Subscriptions. This type of rule allows inbound access authenticated using any managed identity from the subscription.

To add an inbound access rule in the Azure portal:

1. Navigate to your network security perimeter resource in the Azure portal.

2. Select Profiles in the left-hand menu.

   

3. Select the profile you're using with your network security perimeter

   

4. Select Inbound access rules in the left-hand menu.

   

5. Select Add.

   

6. Enter or select the following values:

   Setting	Value
   Rule name	The name for the inbound access rule (for example, "MyInboundAccessRule").
   Source Type	Valid values are IP address ranges or subscriptions.
   Allowed Sources	If you selected IP address ranges, enter the IP address range in CIDR format that you want to allow inbound access from. Azure IP ranges are available at this link. If you selected Subscriptions, use the subscription you want to allow inbound access from.

7. Select Add to create the inbound access rule.

   

Add an outbound access rule

A search service makes outbound calls during indexer-based indexing and skillset execution. If your indexer data sources, Azure AI services, or custom skill logic is outside of the network security perimeter, you should create an outbound access rule that allows your search service to make the connection.

Recall that in public preview, Azure AI Search can only connect to Azure Storage or Azure Cosmos DB within the security perimeter. If your indexers use other data sources, you need an outbound access rule to support that connection.

Network security perimeter supports outbound access rules based on the Fully Qualified Domain Name (FQDN) of the destination. For example, you can allow outbound access from any service associated with your network security perimeter to an FQDN such as mystorageaccount.blob.core.chinacloudapi.cn.

To add an outbound access rule in the Azure portal:

1. Navigate to your network security perimeter resource in the Azure portal.

2. Select Profiles in the left-hand menu.

   

3. Select the profile you're using with your network security perimeter

   

4. Select Outbound access rules in the left-hand menu.

   

5. Select Add.

   

6. Enter or select the following values:

   Setting	Value
   Rule name	The name for the outbound access rule (for example, "MyOutboundAccessRule")
   Destination Type	Leave as FQDN
   Allowed Destinations	Enter a comma-separated list of FQDNs you want to allow outbound access to

7. Select Add to create the outbound access rule.

   

Test your connection through network security perimeter

In order to test your connection through network security perimeter, you need access to a web browser, either on a local computer with an internet connection or an Azure VM.

1. Change your network security perimeter association to enforced mode to start enforcing network security perimeter requirements for network access to your search service.

2. Decide if you want to use a local computer or an Azure VM.

   1. If you're using a local computer, you need to know your public IP address.
   2. If you're using an Azure VM, you can either use private link or check the IP address using the Azure portal.

3. Using the IP address, you can create an inbound access rule for that IP address to allow access. You can skip this step if you're using private link.

4. Finally, try navigating to the search service in the Azure portal. If you can view the indexes successfully, then the network security perimeter is configured correctly.

View and manage network security perimeter configuration

You can use the Network Security Perimeter Configuration REST APIs to review and reconcile perimeter configurations.

Be sure to use preview API version 2024-06-01-preview or a later preview. Learn how to call the Management REST APIs.

See also

• Use Azure role-based access control in Azure AI Search