Introduction
Microsoft has announced the public preview of Network Security Perimeters, a new Azure service that creates isolation boundaries for Platform-as-a-Service (PaaS) resources deployed outside your virtual network. With Network Security Perimeters, you can:
- Restrict public network access to PaaS resources inside the perimeter
- Allow exceptions via explicit inbound and outbound access rules
- Enforce granular service-to-service isolation across geographically distributed deployments via use of profiles for granular access
This capability lets organizations define precise security perimeters around their Azure PaaS workloads controlling what external services can connect but also provide flexibility with policies for additional associated resources as well.
Background Context
This new capability is a major leap forward in network isolation. Typically, you’d deploy multiple virtual networks to segment different parts of your organization by geography. But many PaaS resources like storage accounts might need to be accessed that contains PII you’ll need an even tighter boundary on what is accessed. Ideally when we create an overlay or boundary we want restrictions on what can be accessed and the “what” it can access. In this following table this breaks down the components of this new service and a high-level description.
| Component | Description |
| Network Security Perimeter | Top level resource defining logical network boundary to secure PaaS resources. |
| Profile | Collection of access rules that apply on resources associated with the profile |
| Access Rule | Inbound and outbound rules for resources in a perimeter to allow access outside the perimeter. |
| Resource association | Perimeter membership for a PaaS resource |
| Diagnostics settings | Extension resource hosted by Microsoft Insights to collect logs & metrics for all resources in the perimeter. |
It’s important to note at this point in time this is still in Public Preview and supports the following resources.
- Azure Monitor – Log Analytics Workspace, Application Insights, Alerts, Notifications
- Azure AI Search
- Cosmos DB
- Event Hubs
- Key Vault
- SQL Database
- Storage Accounts
Access Modes
Network Security Perimeter as of today leverage two modes of access these are described below.
Learning Mode is the default access mode, helps admins to understand existing access patterns of their PaaS resources. This is advisable before transitioning to enforced mode.
Enforced Mode must be set by the Administrator by default, all traffic except intra perimeter traffic is denied in this mode unless an Allow access rule exists.
In general you should test any changes to your environment given this guidance ideally you’ll have architecture diagrams on inbound/outbound flows of your resources or intended destinations.
Getting Started
To use the Network Security Perimeter as a CLI command you’ll need the latest preview CLI installed if you want to follow via the portal and UI experience feel free to use the documentation.
Otherwise we will use the CLI
- Azure CLI Installed
- Azure Subscription
- Microsoft.Network Provider installed I’ll cover this
First we start with access we will need to authenticate to our cloud subscription.
az login --use-device-codeAfter we’ve done that we will use the following to install the Network provider.
az provider register --namespace Microsoft.NetworkNow that this is complete assuming you have Microsoft.Network already registered this should be relatively straightforward we create our resource group in the next step and create a PaaS resource Azure Key Vault.
#!/bin/bash
#Create a resource group
az group create \
--name network-security-west \
--location westus
# Create a key vault add date time so its unique
kv_vault_name="key-vault-$(date +%s)"
# Create the KV - the query 'id' will be used later
az keyvault create \
--name $kv_vault_name \
--resource-group network-security-west \
--location westus \
--query 'id' \
--output tsvAfter this operation completes we can now create our perimeter by running the following.
az network perimeter create \
--name network-perimeter-west \
--resource-group network-security-west \
-l westusNote: If you see a notification on “preview version” of extension do you want to install it now? This will be needed to interact with az network perimeter command so you’ll hit Yes.
Now that our perimeter is created in our resource group network-security-west we now create a profile which will how we associate our PaaS service after we have a profile.
# Create the profile
az network perimeter profile create \
--name network-perimeter-west \
--resource-group network-security-west \
--perimeter-name network-perimeter-west
Now recall our PaaS resource in this case the key vault has a specific ID we need to gather to associate it with our profile.
First we gather our network security perimeter profile id with the following commands.
az network perimeter profile show \
--name network-perimeter-west \
--resource-group network-security-west \
--perimeter-name network-perimeter-westThis will look like the following “/subscriptions/<sub-id>/resourceGroups/<rg-group>/providers/Microsoft.Network/networkSecurityPerimeters/<network-perimeter>/profiles/<profile-name>”
Save this somewhere close by as we will use this in a little now we gather the Azure Key Vault ID.
az keyvault show \
--name $kv_vault_name \
--resource-group network-security-west \
--query 'id'This will output the following similar to our last id format.
“/subscriptions/<sub-id>/resourceGroups/<rg-group-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>”
Now we associate it with the following commands.
az network perimeter association create \
--name network-perimeter-association \
--perimeter-name network-perimeter-west \
--resource-group network-security-west \
--access-mode Learning \
--private-link-resource "{id:<PaaSID>}" \
--profile "{id:<networkSecurityPerimeterProfileId>}"Odd behavior on the CLI my request stated this feature is not yet available for given subscription in any case we show how this looks in the portal.
This will associate after you select the resource you want to be in the perimeter notice this will tell you the current access. We can deny this once associated and create our own access rules that will first validate from the perimeter to then our resource.
We can now see when our resource is associated we can configure the access to three settings enabled, disabled or secured by perimeter. Similarly we can find our Inbound Access Rules of what can enter the perimeter along with Outbound rules to where can authorized traffic travel to.
Once this resource updates the configuration our resource will reflect the changes as shown in this image.
Closing this out ensure you delete the resources and associated components you can delete the entire resource group as we’ve kept everything created inside this container.
Summary
Network Security Perimeters help you enforce data-protection boundaries around your PaaS workloads in Azure. The evaluation of access by Internal IPs can also mitigate public accessible resources indirectly by going through the perimeter minimizing the attack surface. Private connectivity without site-to-site connectivity remains a challenge in the cloud for many organizations that are cost prohibitive in nature this could be a new method that enhances boundaries on defined access. If you’re thinking about how to restrict access to a specific set of resources for communication this should be a strong consideration in your security estate.