Azure Monitor Network Security Perimeter Expands to 56 Azure Regions


Azure Monitor Network Security Perimeter (preview) is expanding from 6 to 56 Azure regions. A network security perimeter gives Azure PaaS resources a clearly defined, trusted boundary: public-network access to the resources inside it is governed by explicit inbound and outbound access rules, which helps enterprise customers keep PaaS resources off the open internet. It complements Private Link rather than replacing it: traffic from customer virtual networks still arrives over private endpoints, while access from outside the perimeter is controlled by the rules defined for all Private Link resources within it.

You Should Know:

1. Create the Network Security Perimeter:

  • The perimeter commands live in the nsp Azure CLI extension (preview), so install that extension first. Then create the perimeter in one of the supported regions:
    az network perimeter create --name <PerimeterName> --resource-group <ResourceGroupName> --location <Region>
    

2. Configure Inbound and Outbound Access Rules:

  • Access rules belong to a perimeter profile and are allow-only: anything not matched by a rule is denied once the perimeter is enforced, so there is no Allow/Deny switch to set. Inbound rules match source IP ranges (or subscriptions); outbound rules match FQDNs. With Azure PowerShell (Az.Network preview cmdlets; confirm the parameter names with Get-Help for the module version you have installed):
    New-AzNetworkSecurityPerimeterAccessRule -Name <RuleName> -ProfileName <ProfileName> -ResourceGroupName <ResourceGroupName> -SecurityPerimeterName <PerimeterName> -AddressPrefix <SourceCIDR> -Direction Inbound
    

3. Associate the Resource and Keep Private Link for VNet Traffic:

  • The perimeter only takes effect for a PaaS resource once that resource is associated with a perimeter profile, first in Learning mode (which logs what would be denied) and then in Enforced mode. Private Link is independent of that association: traffic from your own virtual networks keeps flowing over a private endpoint. For Azure Monitor the private endpoint targets an Azure Monitor Private Link Scope (AMPLS); --connection-name and --group-id are required, and the group id for an AMPLS is azuremonitor:
    az network private-endpoint create --name <PrivateEndpointName> --resource-group <ResourceGroupName> --vnet-name <VNetName> --subnet <SubnetName> --private-connection-resource-id <AmplsResourceId> --connection-name <ConnectionName> --group-id azuremonitor
    

4. Monitor the Network Security Perimeter:

  • The activity log records only control-plane changes to the perimeter (a rule added, an association switched to Enforced). Allowed and denied data-plane requests are emitted as perimeter access logs, which you route to a Log Analytics workspace by creating a diagnostic setting on the perimeter resource; review the denies collected in Learning mode before you enforce. To list the control-plane changes:
    az monitor activity-log list --resource-id <PerimeterResourceId>
    

5. Verify Connectivity:

  • Network Watcher can confirm that a VM reaches the service endpoint at the network layer. It cannot tell you the perimeter's decision, which is made at the PaaS resource itself: for that, send a real request (for example a workspace query from an address outside the allowed ranges, which should fail) and look for the matching entry in the perimeter access logs.
    az network watcher test-connectivity --source-resource <SourceVmResourceId> --dest-resource <DestResourceId>
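The five steps above as one Azure CLI script (an added example; it is not from the original post or from Microsoft's documentation). It assumes the resource names rg-monitoring, nsp-monitoring, profile-ingest and law-prod, the constructed allowed range 203.0.113.0/24 and outbound FQDN api.example.com, and the nsp extension's command shape at the time of writing; the `association update` flag and the NSPAccessLogs column names are assumptions to confirm with `--help` and against your workspace schema. By default it only prints the plan (DRY_RUN=1); set DRY_RUN=0 in an authenticated session to execute it.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): put a Log Analytics workspace inside a
# Network Security Perimeter with the Azure CLI, Learning mode first, then Enforced.
# Needs az plus the 'nsp' extension and an authenticated session when DRY_RUN=0.
set -e

# Assumed names, overridable from the environment.
NSP_RG="${NSP_RG:-rg-monitoring}"
NSP_LOCATION="${NSP_LOCATION:-eastus}"
NSP_PERIMETER="${NSP_PERIMETER:-nsp-monitoring}"
NSP_PROFILE="${NSP_PROFILE:-profile-ingest}"
NSP_WORKSPACE="${NSP_WORKSPACE:-law-prod}"
NSP_ALLOWED_CIDR="${NSP_ALLOWED_CIDR:-203.0.113.0/24}"    # constructed (RFC 5737 range)
NSP_OUTBOUND_FQDN="${NSP_OUTBOUND_FQDN:-api.example.com}"  # constructed
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the plan only; 0 = execute against Azure

# Print or execute a command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

subscription_id() {
  if [ "$DRY_RUN" = "1" ]; then echo "00000000-0000-0000-0000-000000000000"
  else az account show --query id -o tsv; fi
}

# Workspace customer GUID, which 'az monitor log-analytics query' expects.
workspace_customer_id() {
  if [ "$DRY_RUN" = "1" ]; then echo "11111111-1111-1111-1111-111111111111"
  else az monitor log-analytics workspace show -g "$NSP_RG" -n "$NSP_WORKSPACE" --query customerId -o tsv; fi
}

# ARM resource IDs built from names, so no 'show' round-trips are needed.
perimeter_id() { echo "/subscriptions/$1/resourceGroups/$NSP_RG/providers/Microsoft.Network/networkSecurityPerimeters/$NSP_PERIMETER"; }
profile_id()   { echo "$(perimeter_id "$1")/profiles/$NSP_PROFILE"; }
workspace_id() { echo "/subscriptions/$1/resourceGroups/$NSP_RG/providers/Microsoft.OperationalInsights/workspaces/$NSP_WORKSPACE"; }

# KQL for requests the perimeter denied (or, in Learning mode, would have denied).
# Column names follow the NSPAccessLogs schema as documented in preview (assumed).
denied_query() {
  printf '%s\n' 'NSPAccessLogs' \
    '| where TimeGenerated > ago(1d)' \
    '| where Category has "Denied"' \
    '| summarize Requests = count() by Category, SourceIpAddress'
}

# Phase 1: perimeter, profile, allow-only rules, Learning-mode association, access logs.
nsp_phase_learning() {
  sub=$(subscription_id)
  run az extension add --name nsp --upgrade
  run az network perimeter create --name "$NSP_PERIMETER" --resource-group "$NSP_RG" --location "$NSP_LOCATION"
  run az network perimeter profile create --name "$NSP_PROFILE" --perimeter-name "$NSP_PERIMETER" --resource-group "$NSP_RG"
  # Inbound: the only public range that may reach the workspace once Enforced.
  run az network perimeter profile access-rule create --name allow-corp-egress \
    --profile-name "$NSP_PROFILE" --perimeter-name "$NSP_PERIMETER" --resource-group "$NSP_RG" \
    --direction Inbound --address-prefixes "[$NSP_ALLOWED_CIDR]"
  # Outbound: the only external FQDN the workspace may call (e.g. an alert webhook).
  run az network perimeter profile access-rule create --name allow-webhook-target \
    --profile-name "$NSP_PROFILE" --perimeter-name "$NSP_PERIMETER" --resource-group "$NSP_RG" \
    --direction Outbound --fqdn "[$NSP_OUTBOUND_FQDN]"
  # Learning mode records what would be denied without blocking anything yet.
  run az network perimeter association create --name "assoc-$NSP_WORKSPACE" \
    --perimeter-name "$NSP_PERIMETER" --resource-group "$NSP_RG" --access-mode Learning \
    --private-link-resource "{id:$(workspace_id "$sub")}" --profile "{id:$(profile_id "$sub")}"
  # Route the perimeter's own access logs into the workspace.
  run az monitor diagnostic-settings create --name nsp-access-logs \
    --resource "$(perimeter_id "$sub")" --workspace "$(workspace_id "$sub")" \
    --logs '[{"categoryGroup":"allLogs","enabled":true}]'
}

# Phase 2: read the Learning-mode denies, then switch the association to Enforced.
nsp_phase_enforce() {
  run az monitor log-analytics query --workspace "$(workspace_customer_id)" --analytics-query "$(denied_query)" -o table
  run az network perimeter association update --name "assoc-$NSP_WORKSPACE" \
    --perimeter-name "$NSP_PERIMETER" --resource-group "$NSP_RG" --access-mode Enforced
}

nsp_rollout() {
  nsp_phase_learning
  nsp_phase_enforce
}

nsp_rollout
```

The order is the point: the association starts in Learning mode, the denies that would have happened are read back from NSPAccessLogs, and only then is the association moved to Enforced. Because access rules are allow-only, the inbound rule is the complete list of public sources that can still reach the workspace after enforcement; everything else, including the author's own workstation if it is not in that range, is refused.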
    

What Undercode Say:

Expanding Network Security Perimeter from 6 to 56 regions makes it usable for most Azure Monitor deployments rather than a handful of pilots. Once a workspace is associated with an enforced perimeter, its public endpoint answers only sources matched by an allow rule, which removes the exposure that comes with default public network access and shrinks the attack surface accordingly. Private Link continues to carry traffic from your own virtual networks, so the two controls together cover both the private and the public path, and Learning mode shows what would be denied before anything is actually blocked.

For more details, refer to the official blog: Azure Monitor Network Security Perimeter Blog and the original announcement at Ignite: Azure Ignite Announcement.

Additional Commands for Enhanced Security:

  • Linux Firewall Configuration:
    sudo ufw allow from <IPAddress> to any port <PortNumber>
    

  • Windows Firewall Rule:

    New-NetFirewallRule -DisplayName "Allow Azure Perimeter" -Direction Inbound -LocalPort <PortNumber> -Protocol TCP -Action Allow
    

  • Network Security Group (NSG) Rule:

    az network nsg rule create --nsg-name <NSGName> --resource-group <ResourceGroupName> --name <RuleName> --priority <PriorityNumber> --access Allow --protocol <Protocol> --direction Inbound --source-address-prefix <SourceIP> --source-port-range <SourcePort> --destination-address-prefix <DestinationIP> --destination-port-range <DestinationPort>
    

The firewall and NSG rules above govern traffic to and from your own virtual machines and subnets; they do not apply to a PaaS resource's public endpoint, which is what the network security perimeter controls. Used together they cover the whole path: NSGs and host firewalls for the compute side, Private Link for the VNet path, and the perimeter's allow-only rules for whatever must still reach the service from the public network.

References:

Reported By: Markolauren Azure – Hackers Feeds