This article provides the process for configuring a Network Security Perimeter for Azure Monitor resources. Network security perimeter is a network isolation feature that provides a secured perimeter for communication between PaaS services deployed outside of a virtual network. These PaaS services can communicate with each other within the perimeter and can also communicate with resources outside the perimeter using public inbound and outbound access rules.
Network Security Perimeter allows you to control network access using network isolation settings under supported Azure Monitor resources. Once a Network Security Perimeter is configured, you can perform the following actions:
- Control network access to your supported Azure Monitor resources based on inbound and outbound access rules defined in network security perimeter.
- Log all network access to your supported Azure Monitor resources.
- Block any data exfiltration to services not in the network security perimeter.
Tip
For guidance on transitioning your Azure Monitor resources to a network security perimeter, see Transition to a network security perimeter in Azure.
Regions
Azure Network Security Perimeter is available in all Public cloud regions where Azure Monitor is supported.
Current limitations
- For Log Analytics export scenarios with storage accounts/event hubs, both the Log Analytics workspace and the storage account/event hub must be part of the same perimeter.
- Only Azure resources that support network security perimeter can use a diagnostic setting with a destination in a network security perimeter. The resource being monitored also must be in the same network security perimeter as the destination.
- Global action group resources don't support network security perimeter. You must create regional action group resources, which do support network security perimeter.
- Cross-resource queries are blocked for Log Analytics Workspaces associated with network security perimeter. This includes accessing the workspace through an ADX cluster.
- Network security perimeter access logs are sampled every 30 minutes.
- Log Analytics workspace replication isn't supported.
- Ingesting events from Azure Event Hubs isn't supported.
- Collecting data into or querying data from Azure Monitor workspaces isn't supported.
Note
The same limitations and configuration requirements apply to Microsoft Sentinel workloads if the Log Analytics workspace is associated with a Network Security Perimeter.
Supported components
The components of Azure Monitor that are supported with a network security perimeter are listed in the following table with their minimum API version. See Onboarded private link resources for a list of the other Azure services that are supported with network security perimeter.
Resource | Resource type | API version |
---|---|---|
Data collection endpoint (DCE) | Microsoft.Insights/dataCollectionEndpoints | 2023-03-11 |
Log Analytics workspace | Microsoft.OperationalInsights/workspaces | 2023-09-01 |
Log query alerts | Microsoft.Insights/ScheduledQueryRules | 2022-08-01-preview |
Action groups ¹ ² | Microsoft.Insights/actionGroups | 2023-05-01 |
Diagnostic settings | Microsoft.Insights/diagnosticSettings | 2021-05-01-preview |
¹ Network security perimeter only operates with regional action groups. Global action groups default to public network access.
² Today, Event Hub is the only supported action type for network security perimeter. All other actions default to public network access.
Unsupported components
The following components of Azure Monitor are not supported with a network security perimeter:
- Application Insights Profiler for .NET and Snapshot Debugger
- Log Analytics customer managed key
- Cross-resource queries that include any Log Analytics workspaces associated with a network security perimeter
- Azure Monitor Workspace (for Managed Prometheus metrics)
Note
For Application insights, configure network security perimeter for the Log Analytics workspace used for the Application insights resource.
Create a network security perimeter
Create a network security perimeter using Azure portal, Azure CLI, or PowerShell.
Add Log Analytics workspace to a network security perimeter
From the Network Security Perimeter menu in the Azure portal, select your network security perimeter.
Select Resources and then Add -> Associate resources with an existing profile.
Select the profile you want to associate with the Log Analytics workspace resource.
Select Associate, and then select the Log Analytics workspace.
Select Associate in the bottom left-hand section of the screen to create the association with network security perimeter.
Important
When transferring a Log Analytics workspace between resource groups or subscriptions, link it to the network security perimeter again to retain its security policies. If the workspace is deleted, ensure you also remove its associations from the network security perimeter.
Access rules for Log Analytics Workspace
A network security perimeter profile specifies rules that allow or deny access through the perimeter. Within the perimeter, all resources have mutual access at the network level, although that access is still subject to authentication and authorization. For resources outside of the network security perimeter, you must specify inbound and outbound access rules. Inbound rules specify which connections to allow in, and outbound rules specify which requests are allowed out.
Note
Any service associated with a Network Security Perimeter implicitly allows inbound and outbound access to any other service associated with the same Network Security Perimeter when that access is authenticated using managed identities and role assignments. Access rules only need to be created when allowing access outside of the Network Security Perimeter, or for access authenticated using API keys.
Add network security perimeter inbound access rule
Network security perimeter inbound access rules can allow the internet and resources outside the perimeter to connect with resources inside the perimeter.
Network security perimeter supports two types of inbound access rules:
- IP Address Ranges. IP addresses or ranges must be in the Classless Inter-Domain Routing (CIDR) format. An example of CIDR notation is 8.8.8.0/24, which represents the IPs that range from 8.8.8.0 to 8.8.8.255. This type of rule allows inbound access from any IP address in the range.
- Subscriptions. This type of rule allows inbound access authenticated using any managed identity from the subscription.
Use the following process to add a network security perimeter inbound access rule using the Azure portal:
Navigate to your Network Security Perimeter resource in the Azure portal.
Select Profiles and then the profile you're using with your network security perimeter.
Select Inbound access rules.
Click Add or Add inbound access rule. Enter or select the following values:
Setting | Value |
---|---|
Rule Name | The name for the inbound access rule. For example, MyInboundAccessRule. |
Source Type | Valid values are IP address ranges or subscriptions. |
Allowed Sources | If you selected IP address ranges, enter the IP address range in CIDR format that you want to allow inbound access from. Azure IP ranges are available at Azure IP Ranges and Service Tags – Public Cloud. If you selected Subscriptions, use the subscription you want to allow inbound access from. |
Click Add to create the inbound access rule.
Add a network security perimeter Outbound Access Rule
Data export in a Log Analytics workspace lets you continuously export data for particular tables in your workspace. You can export to an Azure Storage Account or Azure Event Hubs as the data arrives to an Azure Monitor pipeline.
A Log Analytics workspace within a network security perimeter can only export to storage accounts and event hubs in the same perimeter. Other destinations require an outbound access rule based on the Fully Qualified Domain Name (FQDN) of the destination.
Use the following process to add a network security perimeter outbound access rule using the Azure portal:
Navigate to your Network Security Perimeter resource in the Azure portal.
Select Profiles and then the profile you're using with your network security perimeter.
Select Outbound access rules.
Click Add or Add outbound access rule. Enter or select the following values:
Setting | Value |
---|---|
Rule Name | The name for the outbound access rule. For example, MyOutboundAccessRule. |
Destination Type | Leave as FQDN. |
Allowed Destinations | Enter a comma-separated list of FQDNs you want to allow outbound access to. |
Select Add to create the outbound access rule.
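The following Python block is an added illustration, not Azure's implementation and not code from this article, of how the inbound and outbound rule semantics described above fit together for a Log Analytics workspace: implicit allow between resources associated with the same perimeter when the caller uses a managed identity, inbound access from outside only through a CIDR rule or a subscription rule, export allowed to storage and event hubs in the same perimeter, and any other outbound destination only through an FQDN rule. The class names, the resource and subscription IDs, and the rule values are constructed placeholders chosen for the example.

```python
"""Constructed model of network security perimeter (NSP) access-rule evaluation.
Added example: the classes and sample values below are assumptions for
illustration, not Azure's data model or decision engine."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Profile:
    """Rules attached to an NSP profile: the two inbound rule types and the
    FQDN outbound rule type the article describes (constructed model)."""
    inbound_cidrs: list[str] = field(default_factory=list)
    inbound_subscriptions: list[str] = field(default_factory=list)
    outbound_fqdns: list[str] = field(default_factory=list)


@dataclass
class Perimeter:
    name: str
    profile: Profile
    members: set[str] = field(default_factory=set)  # resource IDs associated with this perimeter


@dataclass
class InboundRequest:
    target: str                          # resource ID being called (e.g. the workspace)
    source_ip: str | None = None         # public source address, if the caller is external
    source_resource: str | None = None   # resource ID of the calling Azure resource, if any
    identity_subscription: str | None = None  # subscription of the caller's managed identity
    uses_api_key: bool = False           # API-key auth gets no intra-perimeter implicit allow


def evaluate_inbound(p: Perimeter, req: InboundRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for a connection into a perimeter member."""
    if req.target not in p.members:
        return False, "target is not associated with this perimeter"
    # Same perimeter + managed identity: implicitly allowed, no rule needed.
    if req.source_resource in p.members and not req.uses_api_key:
        return True, "intra-perimeter access authenticated with a managed identity"
    # Subscription rule: any managed identity from an allowed subscription.
    if not req.uses_api_key and req.identity_subscription in p.profile.inbound_subscriptions:
        return True, f"inbound rule: subscription {req.identity_subscription}"
    # IP range rule: source address must fall inside an allowed CIDR block.
    if req.source_ip is not None:
        ip = ip_address(req.source_ip)
        for cidr in p.profile.inbound_cidrs:
            if ip in ip_network(cidr, strict=False):
                return True, f"inbound rule: IP range {cidr}"
    return False, "no matching inbound access rule"


def evaluate_outbound(p: Perimeter, source: str, dest_resource: str | None = None,
                      dest_fqdn: str | None = None) -> tuple[bool, str]:
    """Return (allowed, reason) for data leaving a perimeter member, e.g. a
    workspace data export to a storage account or event hub."""
    if source not in p.members:
        return False, "source is not associated with this perimeter"
    if dest_resource is not None and dest_resource in p.members:
        return True, "destination is in the same perimeter"
    if dest_fqdn is not None:
        allowed = {f.lower() for f in p.profile.outbound_fqdns}
        if dest_fqdn.lower() in allowed:
            return True, f"outbound rule: FQDN {dest_fqdn.lower()}"
    return False, "no matching outbound access rule; export blocked"


# Constructed sample perimeter (placeholder IDs, not real Azure resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
WORKSPACE_ID = SUB + "/resourceGroups/rg-mon/providers/Microsoft.OperationalInsights/workspaces/law-example"
DCE_ID = SUB + "/resourceGroups/rg-mon/providers/Microsoft.Insights/dataCollectionEndpoints/dce-example"
STORAGE_ID = SUB + "/resourceGroups/rg-mon/providers/Microsoft.Storage/storageAccounts/stexample"
ALLOWED_SUB = "00000000-0000-0000-0000-000000000002"  # placeholder subscription ID

PERIMETER = Perimeter(
    name="nsp-example",
    profile=Profile(
        inbound_cidrs=["8.8.8.0/24"],            # the article's CIDR example
        inbound_subscriptions=[ALLOWED_SUB],
        outbound_fqdns=["partner.blob.core.windows.net"],
    ),
    members={WORKSPACE_ID, DCE_ID, STORAGE_ID},
)

if __name__ == "__main__":
    for r in (InboundRequest(WORKSPACE_ID, source_resource=DCE_ID),
              InboundRequest(WORKSPACE_ID, source_ip="8.8.8.42"),
              InboundRequest(WORKSPACE_ID, source_ip="8.8.9.1"),
              InboundRequest(WORKSPACE_ID, source_resource=DCE_ID, uses_api_key=True)):
        print(evaluate_inbound(PERIMETER, r))
    print(evaluate_outbound(PERIMETER, WORKSPACE_ID, dest_resource=STORAGE_ID))
    print(evaluate_outbound(PERIMETER, WORKSPACE_ID, dest_fqdn="external.example.net"))
```

The API-key case is the one worth noticing when troubleshooting: a resource that sits inside the perimeter but authenticates with a key falls through to the explicit rules, which is why the note above says access rules are still needed for key-based access.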
Collect access logs
Resource logs provide insights into the operation of a network security perimeter and help to diagnose any issues. See Resource logs for Network Security Perimeter for details on creating a diagnostic setting to collect resource logs for network security perimeter.
Next steps
- Read more about Network Security Perimeter in Azure.
- Follow guidance to transition your resources at Transition to a network security perimeter in Azure.