Forum Discussion
What would be the expected behavior for an NSP?
I'm using a network security perimeter in Azure.
In the perimeter there are two resources assigned: a storage account and an Azure SQL Database.
I'm using BULK INSERT dbo.YourTable FROM 'sample_data.csv' to get data from the storage account.
The NSP is enforced for both resources, so public connectivity is denied for resources outside the perimeter.
I have experienced this behavior: Azure SQL CANNOT access the storage account when I run the command. I resolved it using:
1. I need to add an outbound rule in the NSP to reach the storage FQDN
2. I need to add an inbound rule in the NSP to allow the public IP of Azure SQL
When I do 1 and 2, Azure SQL is able to pump data from the storage.
IMHO this is not the expected behavior for two resources in the NSP. I expect that, as they are in the same NSP, they can communicate with each other.
I have experienced a different behavior when using Key Vault in the same NSP. I'm using the Key Vault to get the encryption keys for the same storage. For the Key Vault, I didn't have to create any rule to make it able to communicate with the storage, as they are in the same NSP.
I know Azure SQL is in preview for the NSP and Key Vault is in GA, but I want to ask if the experienced behavior (the SQL CANNOT connect to the storage even if in the same NSP) is due to an unstable or unimplemented feature, or am I missing something? What is the expected behavior?
Thank you community!!