
Mar 25, 2025 - 01:10
Protect Azure PaaS services, introduction to Azure Network Security Perimeter.

In Azure, securing IaaS resources is relatively straightforward—you can use Network Security Groups (NSGs) on a subnet to control inbound and outbound traffic. But what about Platform-as-a-Service (PaaS) offerings such as databases, storage accounts, and other services?

To address this gap, Azure recently introduced a new feature: Network Security Perimeter (NSP). It lets you protect PaaS services in much the same way NSGs protect IaaS resources. NSP provides the ability to centralize network security, restrict access to resources, prevent data exfiltration to the internet, and monitor resource access. This post will delve into this new feature and demonstrate how to implement it effectively.

NSP serves as a centralized security layer for PaaS services, particularly those with public endpoints. It allows you to group multiple PaaS resources and apply network restrictions, including inbound and outbound rules. Additionally, you can log access to resources within the group for enhanced security monitoring.

NSP is currently available for a limited set of services.

  • Azure Monitor
  • Azure AI Search
  • Azure Cosmos DB
  • Azure Event Hubs
  • Azure Key Vault
  • Azure SQL
  • Azure Storage

Support is also restricted to specific Azure regions:

  • East US
  • East US 2
  • North Central US
  • South Central US
  • West US
  • West US 2

To start using NSP, you first need to register the preview feature:

Register-AzProviderFeature -FeatureName "AllowNSPInPublicPreview" -ProviderNamespace "Microsoft.Network"

and then re-register the Microsoft.Network resource provider so the feature takes effect:

Register-AzResourceProvider -ProviderNamespace Microsoft.Network

Once registered, you can create NSPs within your subscription. For detailed instructions on creating an NSP using PowerShell, check out my previous blog post.

There are several concepts essential to working with Azure Network Security Perimeter.

  • Profile: a logical container grouping access rules and associated resources
  • Rule: an inbound or outbound access policy
  • Associated resource: resource linked to an NSP
  • Access mode: to determine how NSP rules and public network access work

A Network Security Perimeter is a logical container. You can enable logging in its Diagnostic settings; this collects the inbound and outbound access logs for the resources within each profile, evaluated against the rules defined in the NSP.

Resources associated with the same Network Security Perimeter can communicate with each other without any access rules.

An NSP is created with a default profile, and you can add more profiles (up to 200 profiles) if you need to.

An NSP profile groups inbound and outbound rules with associated resources. Each resource within a profile uses the same rules, eliminating the need to configure them at the resource level.

There are two kinds of rules in a profile: inbound access rules and outbound access rules.
An inbound rule allows external access to the resources in the profile. In the preview version, the only source types you can choose are IP addresses and subscriptions.

For IP addresses, you add IP prefixes separated by commas. For subscriptions, you select the subscriptions you want; any resource in those subscriptions will then be able to access the resources associated with the profile.

An outbound rule allows communication from the profile’s resources based on fully qualified domain names (also separated by commas).

Associated resources are the resources you add to a profile so that its rules apply to their traffic. There is no communication restriction between resources within the same NSP.
You can add any supported resource to an NSP profile; the resource can live in a different subscription of your tenant, or in another Azure region, than the NSP itself.

After adding resources, you will need to configure the public network access and the access mode.

In the public network access, there are 3 options:

  • Enabled: resources are accessible from all networks.
  • Disabled: resources are only accessible from private networks (via private link).
  • SecuredByPerimeter: resources are only accessible from private networks and from the sources authorized by the NSP inbound rules.

Access modes can be set to:

  • Learning: NSP rules are evaluated alongside the resource's own public network access setting
  • Enforced: network access is restricted based on the NSP rules only
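As an added example (not code from the original post), the following Az PowerShell script walks through the procedure just described end to end: create the perimeter and a profile, add an inbound IP-prefix rule and an outbound FQDN rule, associate an existing storage account in Learning mode, send the NSP logs to Log Analytics, and only then switch the association to Enforced. Every name, the resource group, the IP prefix, the FQDN and the Log Analytics workspace are placeholders; the cmdlet names are those of the Az.Network NSP preview cmdlets and should be confirmed against the module version you have installed.

```powershell
# Added example, not from the original post: build an NSP around an existing
# storage account. All names below are placeholders to replace.
$rg        = 'rg-nsp-demo'        # placeholder: existing resource group
$location  = 'eastus'             # placeholder: one of the preview regions listed above
$nspName   = 'nsp-demo'           # placeholder
$profName  = 'profile-storage'    # placeholder
$storage   = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stnspdemo'                     # placeholder account
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-nsp-demo'    # placeholder workspace

# 1. The perimeter itself: the logical container.
$nsp = New-AzNetworkSecurityPerimeter -Name $nspName -ResourceGroupName $rg -Location $location

# 2. A profile: groups the rules with the resources they apply to.
$profile = New-AzNetworkSecurityPerimeterProfile -Name $profName -ResourceGroupName $rg `
    -SecurityPerimeterName $nspName

# 3. Inbound rule: only this public IP prefix may reach the profile's resources.
#    203.0.113.0/24 is a documentation range; replace it with your own prefix.
New-AzNetworkSecurityPerimeterAccessRule -Name 'allow-admin-prefix' -Direction Inbound `
    -ProfileName $profName -ResourceGroupName $rg -SecurityPerimeterName $nspName `
    -AddressPrefix @('203.0.113.0/24')

# 4. Outbound rule: the profile's resources may only call this FQDN (placeholder).
New-AzNetworkSecurityPerimeterAccessRule -Name 'allow-partner-fqdn' -Direction Outbound `
    -ProfileName $profName -ResourceGroupName $rg -SecurityPerimeterName $nspName `
    -FullyQualifiedDomainName @('partner.example.com')

# 5. Associate the storage account in Learning mode first: the NSP rules are
#    evaluated together with the account's own public network access setting,
#    so nothing is blocked yet, but the logs show what Enforced mode would deny.
$assoc = New-AzNetworkSecurityPerimeterAssociation -Name 'assoc-storage' -ResourceGroupName $rg `
    -SecurityPerimeterName $nspName -AccessMode Learning `
    -PrivateLinkResourceId $storage.Id -ProfileId $profile.Id

# 6. Diagnostic settings on the perimeter: ship every NSP log category to Log Analytics
#    so allowed and denied inbound/outbound attempts can be reviewed before enforcing.
$logs = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -CategoryGroup 'allLogs'
New-AzDiagnosticSetting -Name 'nsp-to-law' -ResourceId $nsp.Id `
    -WorkspaceId $workspace.ResourceId -Log $logs

# 7. Once the Learning-mode logs show no legitimate traffic being flagged, switch to
#    Enforced: from now on only the NSP rules decide who reaches the account.
#    (Assumed cmdlet name; re-running New-AzNetworkSecurityPerimeterAssociation with
#    -AccessMode Enforced is the alternative if Update- is not in your module version.)
Update-AzNetworkSecurityPerimeterAssociation -Name 'assoc-storage' -ResourceGroupName $rg `
    -SecurityPerimeterName $nspName -AccessMode Enforced
```

The order matters: associating in Learning mode with logging enabled first gives you a record of which callers would be denied, so the move to Enforced does not lock out a legitimate client (an app or pipeline calling the account from an IP that is not yet in an inbound rule).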

To illustrate NSP's capabilities, let's deploy a storage account and configure it within an NSP profile:

I will use this simple PowerShell script that uploads and downloads a file to a blob container.

# Placeholders: replace with your own resource group and storage account name
$ResourceGroupName  = '<resource-group>'
$StorageAccountName = '<storage-account>'
$storage = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName

$ContainerName = "test"

# Upload the local file ./file.txt into the container as blob "file3.txt"
Set-AzStorageBlobContent -File ./file.txt -Container $ContainerName -Blob "file3.txt" -Context $storage.Context

# Download the blob "file.txt" from the container to ./dwé.txt
Get-AzStorageBlobContent -Blob "file.txt" -Destination ./dwé.txt -Context $storage.Context -Container $ContainerName

Before adding the resource to the NSP, both commands, Set-AzStorageBlobContent and Get-AzStorageBlobContent, complete successfully.

After the NSP configuration, with public network access set to SecuredByPerimeter, the same operations fail:

This request is not authorized to perform this operation. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation.
ErrorCode: AuthorizationFailure

The result is the same if I set the access mode to Enforced.

After adding an inbound access rule with my public IP address and retrying the previous commands, both commands work again.

But if I take a look at the configuration of the storage account, something has changed: after the NSP configuration, the account's public network access has been disabled. In the activity log you will see a corresponding operation, Write NetworkSecurityPerimeterAssociationProxies.
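A quick way to confirm that side effect from PowerShell, as an added check that is not part of the original post: read the account's public network access setting back and look for the association proxy write in the activity log. The resource group and account name are placeholders.

```powershell
# Added check, not from the original post: verify what associating the storage
# account with the NSP changed. Names are placeholders.
$rg      = 'rg-nsp-demo'                                                   # placeholder
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stnspdemo'   # placeholder

# After the association the value is no longer 'Enabled'; an unexpected 'Enabled'
# here means the account is still reachable from any network.
"PublicNetworkAccess on $($storage.StorageAccountName): $($storage.PublicNetworkAccess)"

# Find who triggered the change: the association proxy write in the last 24 hours.
Get-AzActivityLog -ResourceId $storage.Id -StartTime (Get-Date).AddDays(-1) |
    Where-Object { $_.OperationName -like '*NetworkSecurityPerimeterAssociationProxies*' } |
    Select-Object EventTimestamp, OperationName, Caller, Status
```

Running this periodically (or alerting on that operation name from the activity log) is a cheap way to notice an NSP association being added to, or removed from, an account you did not expect.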

Azure Network Security Perimeter is a promising feature, currently in preview, that simplifies and centralizes PaaS network security management across your Azure tenant. While limited in scope for now, it offers a robust framework for enhanced network security.