Commit ed99b55

NSP GA updates
1 parent d117ff2 commit ed99b55

1 file changed

+14
-22
lines changed

articles/storage/common/storage-network-security-perimeter.md

@@ -1,36 +1,32 @@
11
---
2-
title: Network Security Perimeter for Azure Storage (Preview)
2+
title: Network Security Perimeter for Azure Storage
33
description: Network security perimeter enables you to define a logical network isolation boundary for PaaS resources that are deployed outside your virtual networks.
44
services: storage
55
author: normesta
66
ms.service: azure-storage
77
ms.subservice: storage-common-concepts
88
ms.topic: how-to
9-
ms.date: 06/18/2025
9+
ms.date: 07/27/2025
1010
ms.author: normesta
1111

1212
---
1313

14-
# Network security perimeter for Azure Storage (preview)
14+
# Network security perimeter for Azure Storage
1515

16-
[Network security perimeter](../../private-link/network-security-perimeter-concepts.md) (preview) allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Blob Storage and SQL Database) that are deployed outside their virtual networks. The feature restricts public network access to PaaS resources outside the perimeter. However, you can exempt access by using explicit access rules for public inbound and outbound traffic. This helps prevent unwanted data exfiltration from your storage resources. Within a Network Security Perimeter, member resources can freely communicate with each other. network security perimeter rules override the storage account’s own firewall settings. Access from within the perimeter takes highest precedence over other network restrictions.
16+
[Network security perimeter](../../private-link/network-security-perimeter-concepts.md) allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Blob Storage and SQL Database) that are deployed outside their virtual networks. The feature restricts public network access to PaaS resources outside the perimeter. However, you can exempt access by using explicit access rules for public inbound and outbound traffic. This helps prevent unwanted data exfiltration from your storage resources. Within a Network Security Perimeter, member resources can freely communicate with each other. network security perimeter rules override the storage account’s own firewall settings. Access from within the perimeter takes highest precedence over other network restrictions.
1717

1818
The list of services that have been onboarded to network security perimeter can be found [here](../../private-link/network-security-perimeter-concepts.md#onboarded-private-link-resources). For services that are not on this list, as they have not yet been onboarded to network security perimeter, if you would like to allow access to a specific resource you can use a subscription-based rule on the network security perimeter. All resources within that subscription will then be given access to that network security perimeter. For more information on adding subscription-based access rule, refer [here](/rest/api/networkmanager/nsp-access-rules/create-or-update).
1919

2020
## Access Modes
2121

22-
When onboarding storage accounts to a network security perimeter, you can start in Transition mode (formerly Learning mode) or go straight to [Enforced mode](../../private-link/network-security-perimeter-transition.md#access-mode-configuration-point-on-resource-associations). Transition mode (the default) allows the storage account to fall back to its existing firewall rules or [“trusted services”](https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#exceptions-for-trusted-azure-services) settings if a perimeter rule doesn’t yet permit a connection. Enforced mode strictly blocks all public inbound and outbound traffic unless explicitly allowed by a network security perimeter rule, ensuring maximum protection for your storage account. In enforced mode, even Azure’s “trusted service” exceptions are not honored. Relevant Azure resources or specific subscriptions must be explicitly allowed via perimeter rules if needed.
22+
When onboarding storage accounts to a network security perimeter, you can start in Transition mode (formerly Learning mode) or go straight to [Enforced mode](../../private-link/network-security-perimeter-transition.md#access-mode-configuration-point-on-resource-associations). Transition mode (the default) allows the storage account to fall back to its existing firewall rules or [“trusted services”](https://learn.microsoft.com/azure/storage/common/storage-network-security?tabs=azure-portal#exceptions-for-trusted-azure-services) settings if a perimeter rule doesn’t yet permit a connection. Enforced mode strictly blocks all public inbound and outbound traffic unless explicitly allowed by a network security perimeter rule, ensuring maximum protection for your storage account. In enforced mode, even Azure’s “trusted service” exceptions are not honored. Relevant Azure resources or specific subscriptions must be explicitly allowed via perimeter rules if needed.
2323

2424
> [!IMPORTANT]
2525
> Operating Storage accounts in **Transition (formerly Learning)** mode should serve only as a transitional step. Malicious actors may exploit unsecured resources to exfiltrate data. Therefore, it's crucial to transition to a fully secure configuration as soon as possible with the access mode set to **Enforced**.
2626
>
2727
28-
////
29-
Currently, network security perimeter is in public preview for Azure Blob Storage, Azure Files (REST), Azure Tables, and Azure Queues. See [Transition to a network security perimeter](../../private-link/network-security-perimeter-transition.md).
30-
////
31-
3228
## Network priotiy
33-
When a storage account is part of a network security perimeter, the relevant [profile's](../../private-link/network-security-perimeter-concepts#components-of-a-network-security-perimeter) access rules override the account’s own firewall settings, becoming the top-level network gatekeeper. Access allowed or denied by the perimeter takes precedence, and the account’s “Allowed networks” settings are bypassed when the storage account is associated in enforced mode. Removing the storage account from a network security perimeter reverts control back to its regular firewall. Network security perimeters do not affect private endpoint traffic. Connections via private link always succeed. For internal Azure services (“trusted Services”), only those explicitly [onboarded to Network Security Perimeter](../../private-link/network-security-perimeter-concepts.md#onboarded-private-link-resources) can be allowed through perimeter access rules. Otherwise, their traffic is blocked by default, even if trusted on the storage account firewall rules. For services not yet onboarded, alternatives include subscription-level rules for inbound and FQDNs for outbount access or via private links.
29+
When a storage account is part of a network security perimeter, the relevant [profile's](../../private-link/network-security-perimeter-concepts.md#components-of-a-network-security-perimeter) access rules override the account’s own firewall settings, becoming the top-level network gatekeeper. Access allowed or denied by the perimeter takes precedence, and the account’s “Allowed networks” settings are bypassed when the storage account is associated in enforced mode. Removing the storage account from a network security perimeter reverts control back to its regular firewall. Network security perimeters do not affect private endpoint traffic. Connections via private link always succeed. For internal Azure services (“trusted Services”), only those explicitly [onboarded to Network Security Perimeter](../../private-link/network-security-perimeter-concepts.md#onboarded-private-link-resources) can be allowed through perimeter access rules. Otherwise, their traffic is blocked by default, even if trusted on the storage account firewall rules. For services not yet onboarded, alternatives include subscription-level rules for inbound and FQDNs for outbount access or via private links.
3430

3531
> [!IMPORTANT]
3632
> Private endpoint traffic is considered highly secure and therefore isn't subject to network security perimeter rules. All other traffic, including trusted services, will be subject to network security perimeter rules if the storage account is associated with a perimeter.
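Review bot: the rewritten lines 16+ and 29+ carry two typos that should be fixed in the same pass: "network security perimeter rules override the storage account's own firewall settings" starts a sentence in lowercase, and "FQDNs for outbount access" should read "outbound"; the unchanged context heading "## Network priotiy" directly above 29+ should also become "## Network priority" while the line beneath it is being touched. Separately, deleting the preview note at 29- removes the only statement of which storage services the feature applies to (Azure Blob Storage, Azure Files over REST, Azure Tables, Azure Queues), and the GA text at 16+ does not restate it, so consider adding one sentence listing the services covered at GA.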
@@ -40,26 +36,22 @@ When a storage account is associated with a network security perimeter, all stan
4036

4137
## Limitations
4238

43-
This preview doesn't support the following services, operations, and protocols on a storage account:
44-
45-
- [Object replication](../blobs/object-replication-overview.md) for Azure Blob Storage
46-
- [Lifecycle management](../blobs/lifecycle-management-overview.md) for Azure Blob Storage
47-
- [SSH File transfer protocol (SFTP)](../blobs/secure-file-transfer-protocol-support.md) over Azure Blob Storage
48-
- Network file system (NFS) protocol with [Azure Blob Storage](../blobs/network-file-system-protocol-support.md) and [Azure Files](../files/files-nfs-protocol.md).
49-
- Server message block (SMB) protocol with Azure Files can only be achieved through IP allowlisting at this time.
50-
- [Azure Blob Inventory](../blobs/blob-inventory.md)
51-
- [Unmanaged disks](/azure/virtual-machines/unmanaged-disks-deprecation) do not honor network security perimeter rules.
39+
Below is a list of platform features that are not supported when a storage account is associated with a network security perimeter.
5240

53-
- Vaulted backups for Azure Blob Storage
41+
| Feature | Support status| Recommendations |
42+
|----------|----------|----------|
43+
| [Object replication](../blobs/object-replication-overview.md) for Azure Blob Storage | Not Supported. Object Replication between storage accounts will fail if either the source or destination account is associated with a network security perimeter | Do not use network security perimeter on storage accounts that need Object Replication. Similarly, do not enable Object Replication on accounts associated with network security perimeter until support is available. When you try enabling either Object replication or association with network security perimeter when the other is already active, your attempt will be blocked to protect you from this unsupported scenario. |
44+
| Network file system (NFS) access over [Azure Blobs](../blobs/network-file-system-protocol-support.md) and [Azure Files](../files/files-nfs-protocol.md), Server message block (SMB) access over Azure Files and [SSH File transfer protocol (SFTP)](../blobs/secure-file-transfer-protocol-support.md) over Azure Blobs | All protocols other than HTTPS based access are blocked when storage account is associated with a network security perimeter | If you need to use any of these protocols to access your storage account, do not associate the account with a network security perimeter |
45+
| Azure Backup | Not supported. Azure Backup as a service is not onboarded to network security perimeter yet. | We recommend not associating an account with network security perimeter if you have backups enabled or if you plan to use Azure Backup. Once Azure Backup onboards to network security perimeter, you can start using both these features together |
46+
| Unmanaged disks | [Unmanaged disks](/azure/virtual-machines/unmanaged-disks-deprecation) do not honor network security perimeter rules. | Avoid using unmanaged disks on storage accounts protected by network security perimeter |
5447

55-
We recommend you don't enable network security perimeter if you need to use any of these services, operations, or protocols. This is to prevent any potential data loss or data exfiltration risk.
5648

5749
> [!WARNING]
5850
> For storage accounts that are associated with a network security perimeter, in order for customer managed keys (CMK) scenarios to work, ensure that the Azure Key Vault is accessible from within the perimeter to which the storage account has been associated.
5951
6052
## Associate a network security perimeter with a storage account
6153

62-
To associate a network security perimeter with a storage account, follow these [common instructions](../../private-link/network-security-perimeter-concepts.md) for all PaaS resources.
54+
To associate a network security perimeter with a storage account, follow these [common instructions](../../private-link/network-security-perimeter-transition.md#moving-new-resources-into-network-security-perimeter) for all PaaS resources.
6355

6456
## Next steps
6557
