Merge pull request #290290 from mbender-ms/wb-final-nsp

network security perimeter - final updates

Author: ShannonLeavitt

articles/private-link/network-security-perimeter-concepts.md

@@ -12,16 +12,16 @@ ms.custom: references_regions
 
 # What is Network Security Perimeter?
 
-Azure Network Security Perimeter allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Storage and SQL Database) that are deployed outside your organization’s virtual networks. It restricts public network access to PaaS resources outside of the perimeter, access can be exempted by using explicit access rules for public inbound and outbound.
+Azure Network Security Perimeter allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Storage and SQL Database) that are deployed outside your organization’s virtual networks. It restricts public network access to PaaS resources outside of the perimeter; access can be exempted by using explicit access rules for public inbound and outbound.
 
 For access patterns involving traffic from virtual networks to PaaS resources, see [What is Azure Private Link?](private-link-overview.md).
 
 Features of Network Security Perimeter include:
 
-- Service to service communication within perimeter members, preventing data exfiltration to non-authorized destinations.
-- Public network access control for PaaS resources.
-- Access logs for audit and compliance.
+- Resource to resource access communication within perimeter members, preventing data exfiltration to non-authorized destinations.
 - Manage external public access with explicit rules for PaaS resources associated with the perimeter.
+- Access logs for audit and compliance.
+- Unified experience across PaaS resources.
 
 
 
@@ -80,11 +80,11 @@ Network security perimeter provides a secure perimeter for communication of PaaS
 
 ## How does Network Security Perimeter work?
 
-When a network security perimeter is created and the PaaS resources are associated with the  perimeter, all public traffic is denied by default. Thus preventing data exfiltration outside the perimeter.
+When a network security perimeter is created and the PaaS resources are associated with the perimeter in enforced mode, all public traffic is denied by default thus preventing data exfiltration outside the perimeter.  
 
-Access rules can be used to approve public inbound and outbound traffic outside the perimeter. Public inbound access can be approved using network and identity attributes of the client such as source IP addresses and subscriptions. Public outbound access can be approved using FQDNs (Fully Qualified Domain Names) of the external destinations.
+Access rules can be used to approve public inbound and outbound traffic outside the perimeter. Public inbound access can be approved using Network and Identity attributes of the client such as source IP addresses, subscriptions. Public outbound access can be approved using FQDNs (Fully Qualified Domain Names) of the external destinations. 
 
-For example, when creating a network security perimeter and associating a set of PaaS resources, like Azure Key Vault and SQL DB, with the perimeter, all incoming and outgoing public traffic is denied to these PaaS resources by default. To allow any access outside the perimeter, necessary access rules can be created. Within the same perimeter, profiles can also be created to group PaaS resources with similar set of inbound and outbound access requirements.
+For example, upon creating a network security perimeter and associating a set of PaaS resources like Azure Key Vault and SQL DB in enforced mode, with the perimeter, all incoming and outgoing public traffic is denied to these PaaS resources by default. To allow any access outside the perimeter, necessary access rules can be created. Within the same perimeter, profiles may also be created to group PaaS resources with similar set of inbound and outbound access requirements.
 
 ## Onboarded private link resources
 A network security perimeter-aware private link resource is a PaaS resource that can be associated with a network security perimeter. Currently the list of onboarded private link resources are as follows:
@@ -98,16 +98,16 @@ A network security perimeter-aware private link resource is a PaaS resource that
 | Key Vault                 | Microsoft.KeyVault/vaults | - |
 | SQL DB                    | Microsoft.Sql/servers | - |
 | [Storage](/azure/storage/common/storage-network-security)               | Microsoft.Storage/storageAccounts | - |
-| Event Grid | Microsoft.EventGrid/topics</br>Microsoft.EventGrid/domains |	- |
 
+> [!NOTE]
+> 
 ## Limitations of network security perimeter
 
 ### Regional limitations
 
-Network security perimeter is currently available in all Azure public cloud regions. However, while enabling access logs for network security perimeter, consider the region availability of Azure monitor.
+Network security perimeter is currently available in all Azure public cloud regions. However, while enabling access logs for network security perimeter, the Log Analytics workspace to be associated with the network security perimeter needs to be located in one of the Azure Monitor supported regions. Currently, those regions are **East US**, **East US 2**, **North Central US**, **South Central US**, **West US**, and **West US 2**.
 
 > [!NOTE]
-> Though the network security perimeter can be created in any region, the Log analytics workspace to be associated with the network security perimeter needs to be located in one of the Azure Monitor supported regions.
 > For PaaS resource logs, use **Storage and Event Hub** as the log destination for any region associated to the same perimeter.
 
 [!INCLUDE [network-security-perimeter-limits](../../includes/network-security-perimeter-limits.md)]

articles/private-link/network-security-perimeter-diagnostic-logs.md

@@ -6,6 +6,7 @@ ms.author: mbender
 ms.service: azure-private-link
 ms.topic: conceptual
 ms.date: 11/04/2024
+ms.custom: references_regions
 #CustomerIntent: As a network administrator, I want to enable diagnostic logging for Network Security Perimeter, so that I can monitor and analyze the network traffic to and from my resources.
 ---
 
@@ -25,8 +26,8 @@ Access logs categories for a network security perimeter are based on the results
 | **NspPublicInboundPerimeterRulesDenied** | Public inbound access denied by network security perimeter. | Enforced |
 | **NspPublicOutboundPerimeterRulesAllowed** | Outbound access is allowed based on network security perimeter access rules. | Learning/Enforced |
 | **NspPublicOutboundPerimeterRulesDenied** | Public outbound access denied by network security perimeter. | Enforced |
-| **nspOutboundAttempt** | Outbound attempt within network security perimeter. | Learning/Enforced |
-| **nspIntraPerimeterInboundAllowed** | Inbound access within perimeter is allowed. | Learning/Enforced |
+| **NspOutboundAttempt** | Outbound attempt within network security perimeter. | Learning/Enforced |
+| **NspIntraPerimeterInboundAllowed** | Inbound access within perimeter is allowed. | Learning/Enforced |
 | **NspPublicInboundResourceRulesAllowed** | When network security perimeter rules deny, inbound access is allowed based on PaaS resource rules. | Learning |
 | **NspPublicInboundResourceRulesDenied** | When network security perimeter rules deny, inbound access denied by PaaS resource rules. | Learning |
 | **NspPublicOutboundResourceRulesAllowed** | When network security perimeter rules deny, outbound access allowed based on PaaS resource rules. | Learning |
@@ -43,6 +44,9 @@ You can enable diagnostic logging for a network security perimeter by using the
 
 :::image type="content" source="media/network-security-perimeter-diagnostic-logs/network-security-perimeter-diagnostic-settings.png" alt-text="Screenshot of diagnostic settings options for a network security perimeter.":::
 
+> [!NOTE]
+> When using Azure Monitor with a network security perimeter, the Log Analytics workspace to be associated with the network security perimeter needs to be located in one of the Azure Monitor supported regions. For more information on available regions, see [Regional limits for Network Security Perimeter](./network-security-perimeter-concepts.md#regional-limitations).
+
 ## Next steps
 
 > [!div class="nextstepaction"]

articles/storage/common/media/storage-network-security/associate-network-security-perimeter.png

@@ -88,7 +88,12 @@ After you apply network rules, they're enforced for all requests. SAS tokens tha
 
 ### Network Security Perimeter (preview)
 
-[Network Security Perimeter](../../private-link/network-security-perimeter-concepts.md) (preview) allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Blob Storage and SQL Database) that are deployed outside their virtual networks. The feature restricts public network access to PaaS resources outside the perimeter. However, you can exempt access by using explicit access rules for public inbound and outbound traffic. By design, access to a storage account from within a Network Security Perimeter takes the highest precedence over other network access restrictions. Currently, Network Security Perimeter is in public preview for Azure Blobs, Azure Files (SMB only), Azure Tables, and Azure Queues.
+[Network Security Perimeter](../../private-link/network-security-perimeter-concepts.md) (preview) allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Blob Storage and SQL Database) that are deployed outside their virtual networks. The feature restricts public network access to PaaS resources outside the perimeter. However, you can exempt access by using explicit access rules for public inbound and outbound traffic. By design, access to a storage account from within a Network Security Perimeter takes the highest precedence over other network access restrictions.
+
+Currently, Network Security Perimeter is in public preview for Azure Blobs, Azure Files (REST), Azure Tables, and Azure Queues. See [Transition to a Network Security Perimeter](../../private-link/network-security-perimeter-transition.md).
+
+> [!IMPORTANT]
+> Private endpoint traffic is considered highly secure and therefore isn't subject to Network Security Perimeter rules. All other traffic, including trusted services, will be subject to Network Security Perimeter rules if the storage account is associated with a perimeter.
 
 #### Limitations
 
@@ -97,27 +102,18 @@ This preview doesn't support the following services, operations, and protocols o
 - [Object replication](../blobs/object-replication-overview.md) for Azure Blob Storage
 - [Lifecycle management](../blobs/lifecycle-management-overview.md) for Azure Blob Storage
 - [SSH File transfer protocol (SFTP)](../blobs/secure-file-transfer-protocol-support.md) over Azure Blob Storage
-- Network file system (NFS) protocol over [Azure Blob Storage](../blobs/network-file-system-protocol-support.md) and [Azure Files](../files/files-nfs-protocol.md).
-- [Azure Storage Blob Inventory](../blobs/blob-inventory.md)
+- Network file system (NFS) protocol with [Azure Blob Storage](../blobs/network-file-system-protocol-support.md) and [Azure Files](../files/files-nfs-protocol.md).
+- Server message block (SMB) protocol with Azure Files can only be achieved thru IP allowlisting at this time.
+- [Azure Blob Inventory](../blobs/blob-inventory.md)
 
 We recommend you don't enable Network Security Perimeter if you need to use any of these services, operations, or protocols. This is to prevent any potential data loss or data exfiltration risk.
 
 > [!WARNING]
-> If you set **Public network access** to **Disabled** after previously setting it to **Enabled from selected virtual networks and IP addresses**, any [resource instances](#grant-access-from-azure-resource-instances) and [exceptions](#manage-exceptions) that you previously configured, including [Allow Azure services on the trusted services list to access this storage account](#grant-access-to-trusted-azure-services), will remain in effect. As a result, those resources and services might still have access to the storage account.
+> For storage accounts that are associated with a Network Security Perimeter, in order for customer managed keys (CMK) scenarios to work, ensure that the Azure Key Vault is accessible from within the perimeter to which the storage account has been associated.
 
 #### Associate a Network Security Perimeter with a storage account
 
-To associate a Network Security Perimeter with a storage account, follow these instructions.
-
-1. Sign in to the Azure portal and navigate to the storage account.
-1. In the service menu, under **Security + networking**, select **Networking**.
-1. Under **Network Security Perimeter**, select **Associate**.
-
-   :::image type="content" source="media/storage-network-security/associate-network-security-perimeter.png" alt-text="Screenshot showing how to associate a Network Security Perimeter with a storage account in the Azure portal." lightbox="media/storage-network-security/associate-network-security-perimeter.png":::
-
-1. Search for and select a Network Security Perimeter, select a profile, and then select **Associate**.
-
-The Network Security Perimeter is now associated with your storage account.
+To associate a Network Security Perimeter with a storage account, follow these [common instructions](../../private-link/network-security-perimeter-concepts.md) for all PaaS resources.
 
 ## Restrictions and considerations
 

articles/storage/common/storage-network-security.md

@@ -5,11 +5,10 @@
  author: mbender
  ms.service: azure-private-link
  ms.topic: include
- ms.date: 11/05/2024
- ms.author: mbender> -ms
+ ms.date: 11/11/2024
+ ms.author: mbender-ms
 ms.custom: include file
 ---
 
 > [!NOTE]
-> Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. This may result in access being allowed/denied as per the resource firewall configuration. For more information, see [Transition to a network security perimeter in Azure](../articles/private-link/network-security-perimeter-transition.md#transition-to-a-network-security-perimeter-in-azure) for implications of `publicNetworkAccess` set to `SecuredByPerimeter` when the resource is not associated with a network security perimeter.
-> Also, there are implications when removing a network security perimeter association from the resource. If the resource has `PublicNetworkAccess` set to `SecuredByPerimeter` and the association has been deleted, the resource will enter a locked down state.
+> Removing your resource association from the network security perimeter results in access control falling back to the existing resource firewall configuration. This may result in access being allowed/denied as per the resource firewall configuration. If PublicNetworkAccess is set to SecuredByPerimeter and the association has been deleted, the resource will enter a locked down state. For more information, see [Transition to a network security perimeter in Azure](../articles/private-link/network-security-perimeter-transition.md#transition-to-a-network-security-perimeter-in-azure).

includes/network-security-perimeter-delete-resources.md

@@ -19,14 +19,16 @@ Network security perimeter functionality can be used to support deployments of P
 | **Number of network security perimeters**  | Supported up to 100 as recommended limit per subscription. |
 | **Profiles per network security perimeters** | Supported up to 200 as recommended limit. |
 | **Number of rule elements per profile** | Supported up to 200 as hard limit. |
-| **Number of PaaS resources associated with the same network security perimeter** | Supported up to 1000 as recommended limit. |
+| **Number of PaaS resources across subscriptions associated with the same network security perimeter** | Supported up to 1000 as recommended limit. |
 
 ### Other limitations
 
 Network security perimeter has other limitations as follows:
 
 | **Limitation/Issue** | **Description** |
 |-----------------|-------------|
+| **Resource group move operation cannot be performed if multiple network security perimeters are present** | If there are multiple network security perimeters present in the same resource group, then the network security perimeter cannot be moved across resource groups/subscriptions. |
+| **Associations must be removed before deleting network security perimeter** | Forced delete option is currently unavailable. Thus all associations must be removed before deleting a network security perimeter. Only remove associations after taking precautions for allowing access previously controlled by network security perimeter. |
 | **Resource names cannot be longer than 44 characters to support network security perimeter** | The network security perimeter resource association created from the Azure portal has the format `{resourceName}-{perimeter-guid}`. To align with the requirement name field can't have more than 80 characters, resources names would have to be limited to 44 characters. |
 | **Service endpoint traffic is not supported.** | It's recommended to use private endpoints for IaaS to PaaS communication. Currently, service endpoint traffic can be denied even when an inbound rule allows 0.0.0.0/0. |