Azure Network Security Perimeter: a real game changer around PAAS services
- didierestevespro
- May 5
- 3 min read
Azure Network Security Perimeter (PREVIEW) in action and use cases
Original link on Medium: Link
Microsoft has just launched at Ignite an interesting new feature called Network Security Perimeter, or NSP.
OK, cool… but why is it important, and what's new?
Well, as an Azure architect I see several advantages, but first things first: what is NSP?

NSP is a logical network boundary for PAAS resources: you can see it like a Network Security Group for PAAS resources. The official definition is “NSP allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Storage account and SQL Database server) that are deployed outside your organization’s virtual networks. It restricts public network access to PaaS resources within the perimeter; access can be exempted by using explicit access rules for public inbound and outbound”.

I don't want to explain every component in detail: the official documentation already does that very well. Today, the only services covered are:
Azure Monitor
Azure AI Search
Cosmos DB
Event Hubs
Key Vault
SQL Database
Azure storage account
However, I want to share my view, as an Azure architect, of the practical use cases that come up when you engage in a discussion with your customers.
NSP is currently limited to a public preview and only addresses a few PaaS services, but it lets you:
deny data exfiltration of your data from one central place
add an extra layer between your PaaS resources and the external boundary of your organization
enable diagnostic logs for auditing and compliance
1. Prevent data exfiltration more easily
Microsoft says that NSP prevents data exfiltration: it limits an attacker's ability to take sensitive data that sits in a storage account or a Cosmos DB outside the boundaries of the company.
OK, great, but wait a minute: data exfiltration can already be blocked per resource, so what's new?
Right, but keep in mind that NSP can simplify security management for large-scale organizations. Imagine that you have more than one hundred storage accounts on which you want to block public data access. Today you have to edit all those storage accounts one by one, or write a script to do it. I see NSP as a central control plane where you manage your services from one single place: governance will be easier.
With NSP, you create a profile and attach this profile to the storage accounts. All your security controls are now on one single unified point, and any modification you make is applied immediately to all resources attached to that profile. Governance and administration will be easier.
In addition, you can add monitoring and auditing, so you can easily send all the logs to a Log Analytics workspace for your auditing purposes.

2. Use a “What-if” for testing mode before restricting the access
Another cool feature is that you have two modes: Learning mode and Enforced mode.
Just like an Azure Policy assignment, you can configure NSP, create the inbound/outbound rules and assign profiles to your resources, and, before restricting everything at once, choose Learning mode to review the logs, test and do whatever you need before switching to the real mode: Enforced mode.
This way you can have a smooth transition and prepare a large-scale deployment without any big bang.
Another point: if you already have private endpoints configured, that's fine, and they will continue to work as well. In other words, private endpoints and NSP can live side by side.

3. Create a boundary at a subscription level
You can create inbound access rules that allow all traffic coming from a selected subscription into your PaaS resources.
For example, you can allow all virtual machines in a subscription to access Azure Cosmos DB without configuring IP rules on a firewall or selecting the networks (but you have to use managed identity). It makes administration easier because you don't have to edit the Cosmos DB account as often.
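To make the three use cases above concrete, here is an added Bicep example (not from the original post, and not Microsoft's sample code) that creates a perimeter, a profile with an inbound rule for one subscription, an association of a Cosmos DB account in Learning mode, and diagnostic logs shipped to a Log Analytics workspace. All resource names and parameters are placeholders, and the preview API version is an assumption to check against the current documentation.

```bicep
// Added example with placeholder names; verify the preview API version before deploying.
param location string = resourceGroup().location
param cosmosAccountId string        // resource ID of the PaaS resource to protect
param allowedSubscriptionId string  // subscription whose resources may call in
param workspaceId string            // Log Analytics workspace that receives NSP logs

resource nsp 'Microsoft.Network/networkSecurityPerimeters@2023-08-01-preview' = {
  name: 'nsp-example'
  location: location
}

// One profile can be attached to many resources: change it once, applied everywhere.
resource profile 'Microsoft.Network/networkSecurityPerimeters/profiles@2023-08-01-preview' = {
  parent: nsp
  name: 'profile-data'
}

// Use case 3: inbound rule keyed on a subscription instead of IP ranges.
resource inboundRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = {
  parent: profile
  name: 'allow-subscription'
  properties: {
    direction: 'Inbound'
    subscriptions: [
      { id: '/subscriptions/${allowedSubscriptionId}' }
    ]
  }
}

// Use case 2: start in Learning mode, switch accessMode to 'Enforced' once the logs look right.
resource assoc 'Microsoft.Network/networkSecurityPerimeters/resourceAssociations@2023-08-01-preview' = {
  parent: nsp
  name: 'assoc-cosmos'
  properties: {
    privateLinkResource: { id: cosmosAccountId }
    profile: { id: profile.id }
    accessMode: 'Learning'
  }
}

// Use case 1: central audit trail of allowed and denied access for the whole perimeter.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: nsp
  name: 'nsp-to-log-analytics'
  properties: {
    workspaceId: workspaceId
    logs: [ { categoryGroup: 'allLogs', enabled: true } ]
  }
}
```

Review the Learning-mode logs in the workspace before changing accessMode, since that switch is what actually blocks traffic.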

4. In conclusion
NSP can be a real game changer in the months to come. I strongly encourage teams to start discussions about redesigning their security or network architecture, because it will be easier to secure resources and reduce the time spent configuring all the outbound connectivity at large scale.
New use cases can be addressed: for example, Azure AI Search can be blocked to prevent data exfiltration. I know that this can be a blocker when the time comes to decide whether to use those services, so new doors will open!
Today I didn’t see a release date when it will become GA so… stay tuned!