Messaging on Azure Blog
Announcing general availability of Network Security Perimeter for Azure Service Bus

EldertGrootenboer
Apr 03, 2026

Today we are excited to announce the general availability of Network Security Perimeter (NSP) support for Azure Service Bus. Network Security Perimeter allows you to define a logical network boundary around your Service Bus namespaces and other Azure PaaS resources, restricting public network access and enabling secure communication between services within the perimeter. This builds on the existing network security options for Service Bus - IP firewall rules, VNet service endpoints, and private endpoints - by providing centralized, perimeter-level control over which resources can communicate with each other.

How Network Security Perimeter fits with existing network security

Service Bus already provides several options for controlling network access to your namespaces. IP firewall rules let you restrict access to specific IPv4 addresses. VNet service endpoints and private endpoints bring your Service Bus traffic onto the Microsoft backbone network, avoiding the public internet entirely. These features give you fine-grained control at the individual namespace level.

Network Security Perimeter takes a different approach. Instead of configuring network rules on each resource individually, you create a perimeter and associate your PaaS resources with it. By default, resources inside the perimeter can communicate with each other, while all public access from outside the perimeter is denied. You then define explicit inbound and outbound access rules for any traffic that needs to cross the perimeter boundary. This means a Service Bus namespace, the Azure Key Vault it uses for customer-managed keys, and any other associated resources can all be managed under one consistent set of network rules.

This is complementary to private endpoints. Private endpoints secure traffic between your virtual network and Service Bus; Network Security Perimeter secures the public endpoint of Service Bus itself. Used together, they provide defense-in-depth for your messaging infrastructure.

Concepts

Network Security Perimeter works with profiles and access rules. A profile is a collection of access rules that applies to the resources associated with it. You can use different profiles within the same perimeter to apply different rule sets to different groups of resources.

There are two access modes:

- Transition mode - the default mode when you first associate a resource. In this mode, Network Security Perimeter logs access attempts without enforcing restrictions, allowing you to understand your existing traffic patterns before locking things down.

- Enforced mode - once you are confident in your access rules, switch to enforced mode. All traffic from outside the perimeter is denied by default unless an explicit access rule permits it.

Access rules

Access rules control traffic crossing the perimeter boundary:

- Inbound rules allow traffic from specific IP address ranges or Azure subscriptions to reach your Service Bus namespace.

- Outbound rules allow your Service Bus namespace to communicate with external resources identified by fully qualified domain names (FQDNs).

Within the perimeter, PaaS-to-PaaS communication is allowed by default without additional rules.

Supported scenarios

Network Security Perimeter for Service Bus supports the following scenarios:

- Customer-managed keys (CMK) - Service Bus namespaces that use customer-managed keys need to communicate with Azure Key Vault. By placing both the Service Bus namespace and the Key Vault within the same perimeter, this communication is secured without requiring additional network configuration.

- Diagnostic logging - Network Security Perimeter provides access logs that record every allowed or denied connection attempt. These logs support audit and compliance requirements by giving you visibility into exactly what is accessing your Service Bus namespace and from where.

Getting started

You can associate your Service Bus namespace with a Network Security Perimeter directly from the namespace in the Azure portal:

  1. On your Service Bus namespace page, select Networking under Settings.
  2. Select the Public access tab.
  3. In the Network security perimeter section, select Associate.
  4. In the Select network security perimeter dialog, search for and select the perimeter you want to associate with the namespace.
  5. Select a profile to associate with the namespace.
  6. Select Associate to complete the association.

We recommend starting in transition mode to understand your existing traffic patterns, then moving to enforced mode once you have configured the appropriate access rules.
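Before switching to enforced mode, it helps to replay the attempts seen during transition mode against the rules you plan to enforce. The sketch below is an added example, not Microsoft code or the service's evaluation engine: it models only the inbound semantics described in this post (intra-perimeter traffic allowed, inbound rules by IP range or subscription, everything else denied). The record fields, resource names, subscription IDs and IP addresses are constructed assumptions and do not follow the real access log schema.

```python
import ipaddress
from collections import Counter

# Planned profile (constructed values; key names are assumptions for this sketch).
PROFILE = {
    "perimeter_members": {"kv-orders", "sb-orders"},   # resources associated with the perimeter
    "inbound_cidrs": ["203.0.113.0/24"],               # inbound rule: IP address range
    "inbound_subscriptions": {"00000000-0000-0000-0000-000000000001"},  # inbound rule: subscription
}

# Constructed access attempts, standing in for what transition mode logged.
ATTEMPTS = [
    {"source_resource": "kv-orders"},
    {"source_ip": "203.0.113.40"},
    {"source_ip": "198.51.100.7"},
    {"source_ip": "198.51.100.7"},
    {"source_subscription": "00000000-0000-0000-0000-000000000002"},
    {"source_ip": "not-an-ip"},
]

def allow_reason(profile, attempt):
    """Return why an inbound attempt passes in enforced mode, or None if denied."""
    if attempt.get("source_resource") in profile["perimeter_members"]:
        return "intra-perimeter"      # PaaS-to-PaaS inside the perimeter needs no rule
    if attempt.get("source_subscription") in profile["inbound_subscriptions"]:
        return "subscription-rule"
    try:
        addr = ipaddress.ip_address(attempt.get("source_ip", ""))
    except ValueError:
        return None                   # missing or malformed source: default deny
    if any(addr in ipaddress.ip_network(c) for c in profile["inbound_cidrs"]):
        return "ip-rule"
    return None

def enforced_mode_preview(profile, attempts):
    """Count sources that are accepted today but would be denied once enforced."""
    denied = Counter()
    for a in attempts:
        if allow_reason(profile, a) is None:
            source = a.get("source_resource") or a.get("source_subscription") or a.get("source_ip")
            denied[source] += 1
    return denied

if __name__ == "__main__":
    for source, hits in enforced_mode_preview(PROFILE, ATTEMPTS).most_common():
        print(f"would be denied: {source} ({hits} attempts)")
```

Each source this reports is either a legitimate client that needs an inbound rule before the switch, or traffic you intend to block.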

More information on this feature can be found in the documentation.

Published Apr 03, 2026
Version 1.0