Network security perimeter is NOW LIVE in public preview for our Azure customers, to improve the security of PaaS resources like Azure SQL Database servers and Azure Storage accounts. With network security perimeter, we are bringing in the ability to define a logical network boundary for PaaS resources deployed outside customer virtual networks to secure their public connectivity.
What’s different with network security perimeter?
Today, users have concerns such as:
- Restricting public access to their resources,
- Preventing unauthorized data export from their resources,
- Monitoring all resources' access using a single pane of glass.
Network security perimeter solves these user concerns with ease by using simple steps to group resources that need to connect to each other, create access rules and prevent data exfiltration.
1) Centralized management for access controls:
Managing public network access control for PaaS resources typically involves setting up firewall rules at each resource instance. This process can be cumbersome, especially when dealing with multiple resources that share similar access requirements.
With the introduction of network security perimeter, users can streamline this process significantly.
- Resource to resource communication is implicitly allowed within the perimeter.
- Instead of creating separate access rules for each PaaS resource, users can group multiple resources under a single profile within the network security perimeter and establish access rules for all of them at once.
2) Prevent data exfiltration by placing resources inside a network security perimeter
While most PaaS resources currently offer only inbound access control, network security perimeters provide an additional layer of security by disabling outbound access outside the perimeter by default. This feature helps prevent data exfiltration, offering a more robust security solution for managing PaaS resources.
3) One perimeter to monitor all PaaS resources
Monitoring multiple PaaS resources can be a nightmare, as it requires configuring and then retrieving and analyzing logs through disparate interfaces. In contrast, configuring diagnostic settings in the network security perimeter enables easy network access monitoring of all the associated PaaS resources through a uniform experience.
How to secure PaaS resources with network security perimeter?
Network security perimeter offers two access modes for onboarding PaaS resources: learning mode and enforced mode.
Learning mode vs. enforced mode
Learning mode:
When evaluating access in this mode, if a matching rule is not found in the network security perimeter, the evaluation falls back to the resource's firewall configuration. Combining this mode with logging helps users understand current access patterns without disrupting existing connectivity. We recommend using this mode before moving to enforced mode.
Enforced mode:
When evaluating access in this mode, the resource allows public traffic based on network security perimeter access rules only. It also allows private endpoint traffic.
Securing a new resource:
Network security perimeter introduces a new value for the "publicNetworkAccess" property of PaaS resources, "SecuredByPerimeter", which supports secure-by-default behavior. When this value is set, public access is locked down, preventing the PaaS resource from being exposed to public networks.
- During resource creation, if "publicNetworkAccess" is set to "SecuredByPerimeter", the resource is created in lockdown mode, even if it is not yet associated with a perimeter. In this mode, only private link traffic is allowed, if a private endpoint is configured.
- Once the resource is associated with a perimeter, the network security perimeter governs its public access behavior.
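To make the precedence of these checks concrete, here is an added example (not Microsoft's code and not Azure's actual implementation): a small Python model of the access decisions the post describes, covering profile-level inbound rules shared by grouped resources, implicit resource-to-resource traffic inside the perimeter, private endpoint traffic, outbound denied by default, learning versus enforced fallback, and the "SecuredByPerimeter" lockdown before association. The Profile, Resource and Perimeter classes, the source and destination shapes, and two details (that the learning-mode fallback only counts when publicNetworkAccess is Enabled, and that learning mode logs rather than blocks outbound traffic) are assumptions made for illustration; the resource names and IP ranges are constructed sample data.

```python
"""Simplified model of network security perimeter (NSP) access decisions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Profile:
    name: str
    inbound_prefixes: list                                 # public source ranges allowed in
    outbound_fqdns: list = field(default_factory=list)     # explicit outbound allow list


@dataclass
class Resource:
    name: str
    public_network_access: str                             # Enabled, Disabled or SecuredByPerimeter
    firewall_prefixes: list = field(default_factory=list)  # the resource's own firewall rules
    profile: Optional[str] = None                          # set by Perimeter.associate()
    access_mode: Optional[str] = None                      # Learning or Enforced once associated


def _in_prefixes(ip, prefixes):
    return ip is not None and any(ip_address(ip) in ip_network(p) for p in prefixes)


class Perimeter:
    def __init__(self, profiles, resources):
        self.profiles = {p.name: p for p in profiles}
        self.resources = {r.name: r for r in resources}
        self.log = []  # one record per decision: the single-pane view across all resources

    def associate(self, resource_name, profile_name, access_mode):
        # Every resource tied to a profile shares that profile's access rules.
        res = self.resources[resource_name]
        res.profile, res.access_mode = profile_name, access_mode

    def _decide(self, name, direction, allowed, reason):
        self.log.append({"resource": name, "direction": direction, "allowed": allowed, "reason": reason})
        return allowed

    def evaluate_inbound(self, resource_name, source):
        """source: {"kind": "private_endpoint"} | {"kind": "resource", "name": n} | {"kind": "public", "ip": a}"""
        res = self.resources[resource_name]
        if source["kind"] == "private_endpoint":
            return self._decide(res.name, "in", True, "private endpoint traffic allowed in both modes")
        if source["kind"] == "resource":
            peer = self.resources.get(source["name"])
            if res.profile and peer and peer.profile:
                return self._decide(res.name, "in", True, "implicit: both resources inside the perimeter")
        ip = source.get("ip")
        if res.profile is None:  # not associated: publicNetworkAccess alone decides
            if res.public_network_access != "Enabled":  # SecuredByPerimeter (or Disabled)
                return self._decide(res.name, "in", False, "locked down: no public access until associated")
            return self._decide(res.name, "in", _in_prefixes(ip, res.firewall_prefixes), "resource firewall")
        if _in_prefixes(ip, self.profiles[res.profile].inbound_prefixes):
            return self._decide(res.name, "in", True, "perimeter access rule matched")
        if res.access_mode == "Learning":
            # Assumption of this model: the fallback firewall counts only when public access is Enabled.
            ok = res.public_network_access == "Enabled" and _in_prefixes(ip, res.firewall_prefixes)
            return self._decide(res.name, "in", ok, "learning: fell back to resource firewall")
        return self._decide(res.name, "in", False, "enforced: no perimeter rule matched")

    def evaluate_outbound(self, resource_name, host):
        res = self.resources[resource_name]
        if res.profile is None:
            return self._decide(res.name, "out", True, "not in a perimeter: outbound not governed")
        if host in self.profiles[res.profile].outbound_fqdns:
            return self._decide(res.name, "out", True, "outbound rule matched")
        if res.access_mode == "Learning":  # assumption: learning mode logs but does not block
            return self._decide(res.name, "out", True, "learning: would be denied once enforced")
        return self._decide(res.name, "out", False, "outbound outside the perimeter denied by default")


def demo():
    """Constructed sample: two associated resources plus one new locked-down account."""
    nsp = Perimeter(
        [Profile("app-profile", ["203.0.113.0/24"], ["partner.example.com"])],
        [Resource("sqlserver1", "Enabled", firewall_prefixes=["198.51.100.0/24"]),
         Resource("storage1", "SecuredByPerimeter"),
         Resource("storage2", "SecuredByPerimeter")],  # created, not yet associated
    )
    nsp.associate("sqlserver1", "app-profile", "Learning")
    nsp.associate("storage1", "app-profile", "Enforced")
    results = {
        "sql_perimeter_rule": nsp.evaluate_inbound("sqlserver1", {"kind": "public", "ip": "203.0.113.10"}),
        "sql_learning_fallback": nsp.evaluate_inbound("sqlserver1", {"kind": "public", "ip": "198.51.100.7"}),
        "storage_enforced_denied": nsp.evaluate_inbound("storage1", {"kind": "public", "ip": "198.51.100.7"}),
        "storage_private_endpoint": nsp.evaluate_inbound("storage1", {"kind": "private_endpoint"}),
        "storage_from_sql": nsp.evaluate_inbound("storage1", {"kind": "resource", "name": "sqlserver1"}),
        "new_storage_locked": nsp.evaluate_inbound("storage2", {"kind": "public", "ip": "203.0.113.10"}),
        "storage_out_partner": nsp.evaluate_outbound("storage1", "partner.example.com"),
        "storage_out_unlisted": nsp.evaluate_outbound("storage1", "unlisted.example.net"),
        "sql_out_unlisted": nsp.evaluate_outbound("sqlserver1", "unlisted.example.net"),
    }
    return results, nsp.log
```

Running demo() returns the nine decisions together with the decision log; the log is what a single monitoring view would surface. The two resources sharing "app-profile" show the centralized-rule idea: the same 203.0.113.0/24 rule admits traffic to both without per-resource firewall entries, while the enforced storage account denies the address that the learning-mode SQL server still admits via its own firewall, and the never-associated "storage2" refuses all public traffic because it was created as SecuredByPerimeter.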
Network security perimeter supported resources
Network security perimeter supports seven resource types in public preview: Azure SQL Database Server, Azure Storage account, Azure Cosmos DB, Azure Key Vault, Azure AI Search, Azure Event Hubs, and Azure Monitor.
We encourage you to try out network security perimeter in public preview. We look forward to your feedback in the comments here!
Learn more about network security perimeter in the Microsoft Learn article "What is Network Security Perimeter?".