articles/private-link/network-security-perimeter-transition.md (10 additions & 10 deletions)
@@ -1,7 +1,7 @@
1
1
---
2
-
title: Transition to a network security perimeter in Azure
2
+
title: Transition to a Network Security Perimeter in Azure
3
3
titleSuffix: Azure Private Link
4
-
description: Learn about the different access modes and how to transition to a network security perimeter in Azure.
4
+
description: Learn how to transition to a network security perimeter in Azure, explore access modes, and secure your resources.
5
5
author: mbender-ms
6
6
ms.author: mbender
7
7
ms.service: azure-private-link
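Review bot: the title change to "Transition to a Network Security Perimeter in Azure" (line 2) introduces a casing inconsistency: the H1 in the body (line 13, "# Transition to a network security perimeter in Azure"), the titleSuffix, and every other mention in this file keep "network security perimeter" in lowercase. Either keep the title lowercase to match the heading and body, or update the H1 in the same commit; the front-matter title and the H1 should not disagree on casing. Minor: the description now ends with "and secure your resources", which is a vague benefit clause rather than a description of the article's content; "explore access modes" alone already covers what the page does.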
@@ -12,7 +12,7 @@ ms.date: 05/16/2025
12
12
13
13
# Transition to a network security perimeter in Azure
14
14
15
-
In this article, you learn about the different access modes and how to transition to a [network security perimeter](./network-security-perimeter-concepts.md) in Azure. Access modes control the resource's access and logging behavior.
15
+
In this article, you learn about the different access modes and how to transition to a [network security perimeter](./network-security-perimeter-concepts.md) in Azure. Access modes control resource access and logging behavior, helping you secure your Azure resources.
16
16
17
17
## Access mode configuration point on resource associations
18
18
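Review bot: the added clause in line 15, "helping you secure your Azure resources", is filler that sits awkwardly next to the article's own warning that Transition mode "doesn't secure the PaaS resources"; access modes are a control over evaluation and logging behavior, and only Enforced mode restricts access, so the sentence should stop after "logging behavior". Also, the hunk header shows `ms.date: 05/16/2025` unchanged even though this commit edits the body text; if this repository's convention is to bump ms.date on content changes, update it here.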
@@ -24,30 +24,30 @@ The possible values of `accessMode` are currently **Enforced** and **T
24
24
25
25
|**Access Mode**|**Description**|
26
26
|-------------|-------------|
27
-
|**Transition**| This is the default access mode. Evaluation in this mode will use the network security perimeter configuration as a baseline, but in the case of not finding a matching rule, evaluation will fall back to the resource firewall configuration which can then approve access with existing settings. |
27
+
|**Transition**| This is the default access mode. Evaluation in this mode uses the network security perimeter configuration as a baseline. When it doesn't find a matching rule, evaluation falls back to the resource firewall configuration which can then approve access with existing settings. |
28
28
|**Enforced**| When explicitly set, the resource obeys **only** network security perimeter access rules. |
29
29
30
30
## Prevent connectivity disruptions while adopting network security perimeter
31
31
32
32
### Enable Transition mode
33
33
34
-
To prevent undesired connectivity disruptions while adopting network security perimeter to existing PaaS resources and ensure a smooth transition to secure configurations, administrators can add PaaS resources to network security perimeter in Transition mode (formerly Learning mode). While this step does not secure the PaaS resources, it will:
34
+
To prevent undesired connectivity disruptions while adopting network security perimeter to existing PaaS resources and ensure a smooth transition to secure configurations, administrators can add PaaS resources to network security perimeter in Transition mode (formerly Learning mode). While this step doesn't secure the PaaS resources, it will:
35
35
36
36
- Allow connections to be established in accordance with the network security perimeter configuration. Additionally, resources in this configuration fallback to honoring resource-defined firewall rules and trusted access behavior when connections aren't permitted by the network security perimeter access rules.
37
-
- When diagnostic logs are enabled, generates logs detailing whether connections were approved based on network security perimeter configuration or the resource's configuration. Administrators can then analyse those logs to identify gaps in access rules, missing perimeter memberships, and undesired connections.
37
+
- When diagnostic logs are enabled, generates logs detailing whether connections were approved based on network security perimeter configuration or the resource's configuration. Administrators can then analyze those logs to identify gaps in access rules, missing perimeter memberships, and undesired connections.
38
38
39
39
40
40
> [!IMPORTANT]
41
-
> Operating PaaS resources in **Transition (formerly Learning)** mode should serve only as a transitional step. Malicious actors may exploit unsecured resources to exfiltrate data. Therefore, it is crucial to transition to a fully secure configuration as soon as possible with the access mode set to **Enforced**.
41
+
> Operating PaaS resources in **Transition (formerly Learning)** mode should serve only as a transitional step. Malicious actors may exploit unsecured resources to exfiltrate data. Therefore, it's crucial to transition to a fully secure configuration as soon as possible with the access mode set to **Enforced**.
42
42
43
43
### Transition to enforced mode for existing resources
44
44
45
-
To fully secure your public access, it is essential to move to enforced mode in network security perimeter. Things to consider before moving to enforced mode are the impact on public, private, trusted, and perimeter access. When in enforced mode, the behavior of network access on associated PaaS resources across different types of PaaS resources can be summarised as follows:
45
+
To fully secure your public access, it's essential to move to enforced mode in network security perimeter. Things to consider before moving to enforced mode are the impact on public, private, trusted, and perimeter access. When in enforced mode, the behavior of network access on associated PaaS resources across different types of PaaS resources can be summarised as follows:
46
46
47
47
-**Public access:** Public access refers to inbound or outbound requests made through public networks. PaaS resources secured by a network security perimeter have their inbound and outbound public access disabled by default, but network security perimeter access rules can be used to selectively allow public traffic that matches them.
48
48
-**Perimeter access:** Perimeter access refers to inbound or outbound requests between the resources part of the same network security perimeter. To prevent data infiltration and exfiltration, such perimeter traffic will never cross perimeter boundaries unless explicitly approved as public traffic at both source and destination in enforced mode. Manged identity needs to be assigned on resources for perimeter access.
49
-
-**Trusted access:** Trusted service access refers to a feature few Azure services that enables access through public networks when its origin is specific Azure services that are considered trusted. Since network security perimeter provides more granular control than trusted access, Trusted access is not supported in enforced mode.
50
-
-**Private access:** Access via Private Links is not impacted by network security perimeter.
49
+
-**Trusted access:** Trusted service access refers to a feature few Azure services that enables access through public networks when its origin is specific Azure services that are considered trusted. Since network security perimeter provides more granular control than trusted access, Trusted access isn't supported in enforced mode.
50
+
-**Private access:** Access via Private Links isn't impacted by network security perimeter.
51
51
52
52
## Moving new resources into network security perimeter
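Review bot: line 49 is rewritten in this hunk but still carries the grammatical gap "a feature few Azure services" (should be "a feature of a few Azure services"), and the mid-sentence capital in "Trusted access isn't supported" should be lowercase to match "trusted access" earlier in the same sentence. Since the commit is standardizing spelling (line 37 "analyse" becomes "analyze"), line 45 should get the same treatment: "can be summarised as follows" remains British spelling in the `+` line. Two further nits in the untouched context lines that belong in the same pass: line 48 has "Manged identity" (typo for "Managed identity"), and line 36 uses the noun "fallback" where the verb "fall back" is needed ("resources in this configuration fall back to honoring"); line 50 should also read "Private Link" rather than "Private Links", matching the titleSuffix.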