
Commit 0cb13b5

Merge pull request #287583 from madsd/nsp
NSP first draft
2 parents 0f56a12 + 1df18ac commit 0cb13b5

1 file changed

+8
-2
lines changed

articles/app-service/networking-features.md

Lines changed: 8 additions & 2 deletions
@@ -118,8 +118,14 @@ Some use cases for this feature:
118118
* Expose your app on a private IP in your virtual network.
119119
* Protect your app with a WAF.
120120

121-
Private endpoints prevent data exfiltration because the only thing you can reach across the private endpoint is the app with which it's configured.
122-
121+
Private endpoints prevent data exfiltration because the only thing you can reach across the private endpoint is the app with which it's configured.
122+
123+
### Network Security Perimeter
124+
125+
Azure [Network Security Perimeter](../private-link/network-security-perimeter-concepts.md) (NSP) is a service that provides a secure perimeter for communication of Platform as a Service (PaaS) services. These PaaS services can communicate with each other within the perimeter, and can also communicate with resources outside the perimeter using public inbound and outbound access rules.
126+
127+
NSP rule enforcement is primarily using identity-based security which cannot be fully enforced in platform services like App Services and Functions that allow you to deploy your own code and use the identity to represent the platform. If you need to communicate with PaaS services that are part of an NSP you will need to add virtual network integration to you App Service or Functions instances and communicate with the PaaS resources using private endpoints.
128+
123129
### Hybrid Connections
124130

125131
App Service Hybrid Connections enables your apps to make *outbound* calls to specified TCP endpoints. The endpoint can be on-premises, in a virtual network, or anywhere that allows outbound traffic to Azure on port 443. To use the feature, you need to install a relay agent called Hybrid Connection Manager on a Windows Server 2012 or newer host. Hybrid Connection Manager needs to be able to reach Azure Relay at port 443. You can download Hybrid Connection Manager from the App Service Hybrid Connections UI in the portal.
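Review bot: The added paragraph at new line 127 has a typo, "to you App Service or Functions instances", which should read "to your". The same paragraph names the product "App Services" in its first sentence and "App Service" in its second; use the singular form that the surrounding text already uses ("App Service Hybrid Connections"). The opening sentence, "NSP rule enforcement is primarily using identity-based security which cannot be fully enforced in platform services...", is hard to parse. Consider stating the cause first (customer-deployed code runs under the identity that represents the platform, so identity-based NSP rules can't be fully enforced for App Service and Functions) and then the workaround (virtual network integration plus private endpoints to the PaaS resources). It would also help to link "virtual network integration" to the section of this file that describes it, as is done for the NSP concepts link at line 125. Lines 121-122 are removed and re-added with no visible text difference; if that is a whitespace-only change, consider dropping it so the diff shows only the new section.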