0
# Network Security
1
2
Azure network security services provide comprehensive protection for network resources through Network Security Groups (NSGs), security rules, Application Security Groups (ASGs), and advanced Network Security Perimeter features.
3
4
## Capabilities
5
6
### Network Security Groups
7
8
Network Security Groups (NSGs) contain security rules that allow or deny network traffic to resources connected to Azure Virtual Networks.
9
10
```python { .api }
11
class NetworkSecurityGroupsOperations:
12
def begin_create_or_update(self, resource_group_name: str, network_security_group_name: str, parameters: NetworkSecurityGroup, **kwargs) -> LROPoller[NetworkSecurityGroup]:
13
"""
14
Creates or updates a network security group in the specified resource group.
15
16
Args:
17
resource_group_name (str): The name of the resource group
18
network_security_group_name (str): The name of the network security group
19
parameters (NetworkSecurityGroup): Parameters supplied to create or update network security group
20
21
Returns:
22
LROPoller[NetworkSecurityGroup]: A poller object for the long-running operation
23
"""
24
25
def get(self, resource_group_name: str, network_security_group_name: str, *, expand: Optional[str] = None, **kwargs) -> NetworkSecurityGroup:
26
"""
27
Gets the specified network security group.
28
29
Args:
30
resource_group_name (str): The name of the resource group
31
network_security_group_name (str): The name of the network security group
32
expand (str, optional): Expands referenced resources
33
34
Returns:
35
NetworkSecurityGroup: The network security group resource
36
"""
37
38
def begin_delete(self, resource_group_name: str, network_security_group_name: str, **kwargs) -> LROPoller[None]:
39
"""
40
Deletes the specified network security group.
41
42
Args:
43
resource_group_name (str): The name of the resource group
44
network_security_group_name (str): The name of the network security group
45
46
Returns:
47
LROPoller[None]: A poller object for the long-running operation
48
"""
49
50
def list(self, resource_group_name: str, **kwargs) -> Iterable[NetworkSecurityGroup]:
51
"""
52
Gets all network security groups in a resource group.
53
54
Args:
55
resource_group_name (str): The name of the resource group
56
57
Returns:
58
Iterable[NetworkSecurityGroup]: Iterator of network security groups
59
"""
60
61
def list_all(self, **kwargs) -> Iterable[NetworkSecurityGroup]:
62
"""
63
Gets all network security groups in a subscription.
64
65
Returns:
66
Iterable[NetworkSecurityGroup]: Iterator of network security groups
67
"""
68
```
69
70
### Security Rules
71
72
Security rules define the network traffic filtering rules within Network Security Groups.
73
74
```python { .api }
75
class SecurityRulesOperations:
76
def begin_create_or_update(self, resource_group_name: str, network_security_group_name: str, security_rule_name: str, security_rule_parameters: SecurityRule, **kwargs) -> LROPoller[SecurityRule]:
77
"""
78
Creates or updates a security rule in the specified network security group.
79
80
Args:
81
resource_group_name (str): The name of the resource group
82
network_security_group_name (str): The name of the network security group
83
security_rule_name (str): The name of the security rule
84
security_rule_parameters (SecurityRule): Parameters supplied to create or update security rule
85
86
Returns:
87
LROPoller[SecurityRule]: A poller object for the long-running operation
88
"""
89
90
def get(self, resource_group_name: str, network_security_group_name: str, security_rule_name: str, **kwargs) -> SecurityRule:
91
"""
92
Get the specified network security rule.
93
94
Args:
95
resource_group_name (str): The name of the resource group
96
network_security_group_name (str): The name of the network security group
97
security_rule_name (str): The name of the security rule
98
99
Returns:
100
SecurityRule: The security rule resource
101
"""
102
103
def begin_delete(self, resource_group_name: str, network_security_group_name: str, security_rule_name: str, **kwargs) -> LROPoller[None]:
104
"""
105
Deletes the specified network security rule.
106
107
Args:
108
resource_group_name (str): The name of the resource group
109
network_security_group_name (str): The name of the network security group
110
security_rule_name (str): The name of the security rule
111
112
Returns:
113
LROPoller[None]: A poller object for the long-running operation
114
"""
115
116
def list(self, resource_group_name: str, network_security_group_name: str, **kwargs) -> Iterable[SecurityRule]:
117
"""
118
Gets all security rules in a network security group.
119
120
Args:
121
resource_group_name (str): The name of the resource group
122
network_security_group_name (str): The name of the network security group
123
124
Returns:
125
Iterable[SecurityRule]: Iterator of security rules
126
"""
127
```
128
129
### Application Security Groups
130
131
Application Security Groups (ASGs) enable you to group virtual machines and define network security policies based on those groups.
132
133
```python { .api }
134
class ApplicationSecurityGroupsOperations:
135
def begin_create_or_update(self, resource_group_name: str, application_security_group_name: str, parameters: ApplicationSecurityGroup, **kwargs) -> LROPoller[ApplicationSecurityGroup]:
136
"""
137
Creates or updates an application security group.
138
139
Args:
140
resource_group_name (str): The name of the resource group
141
application_security_group_name (str): The name of the application security group
142
parameters (ApplicationSecurityGroup): Parameters supplied to create or update application security group
143
144
Returns:
145
LROPoller[ApplicationSecurityGroup]: A poller object for the long-running operation
146
"""
147
148
def get(self, resource_group_name: str, application_security_group_name: str, **kwargs) -> ApplicationSecurityGroup:
149
"""
150
Gets the specified application security group.
151
152
Args:
153
resource_group_name (str): The name of the resource group
154
application_security_group_name (str): The name of the application security group
155
156
Returns:
157
ApplicationSecurityGroup: The application security group resource
158
"""
159
160
def begin_delete(self, resource_group_name: str, application_security_group_name: str, **kwargs) -> LROPoller[None]:
161
"""
162
Deletes the specified application security group.
163
164
Args:
165
resource_group_name (str): The name of the resource group
166
application_security_group_name (str): The name of the application security group
167
168
Returns:
169
LROPoller[None]: A poller object for the long-running operation
170
"""
171
172
def list(self, resource_group_name: str, **kwargs) -> Iterable[ApplicationSecurityGroup]:
173
"""
174
Gets all the application security groups in a resource group.
175
176
Args:
177
resource_group_name (str): The name of the resource group
178
179
Returns:
180
Iterable[ApplicationSecurityGroup]: Iterator of application security groups
181
"""
182
183
def list_all(self, **kwargs) -> Iterable[ApplicationSecurityGroup]:
184
"""
185
Gets all application security groups in a subscription.
186
187
Returns:
188
Iterable[ApplicationSecurityGroup]: Iterator of application security groups
189
"""
190
```
191
192
### Network Security Perimeters
193
194
Network Security Perimeters provide advanced network security capabilities for securing access to Azure PaaS resources.
195
196
```python { .api }
197
class NetworkSecurityPerimetersOperations:
198
def get(self, resource_group_name: str, network_security_perimeter_name: str, **kwargs) -> NetworkSecurityPerimeter:
199
"""
200
Gets the specified network security perimeter by the resource group.
201
202
Args:
203
resource_group_name (str): The name of the resource group
204
network_security_perimeter_name (str): The name of the network security perimeter
205
206
Returns:
207
NetworkSecurityPerimeter: The network security perimeter resource
208
"""
209
210
def begin_create_or_update(self, resource_group_name: str, network_security_perimeter_name: str, parameters: NetworkSecurityPerimeter, **kwargs) -> LROPoller[NetworkSecurityPerimeter]:
211
"""
212
Creates or updates a Network Security Perimeter.
213
214
Args:
215
resource_group_name (str): The name of the resource group
216
network_security_perimeter_name (str): The name of the network security perimeter
217
parameters (NetworkSecurityPerimeter): Parameters supplied to create or update network security perimeter
218
219
Returns:
220
LROPoller[NetworkSecurityPerimeter]: A poller object for the long-running operation
221
"""
222
223
def begin_delete(self, resource_group_name: str, network_security_perimeter_name: str, **kwargs) -> LROPoller[None]:
224
"""
225
Deletes a network security perimeter.
226
227
Args:
228
resource_group_name (str): The name of the resource group
229
network_security_perimeter_name (str): The name of the network security perimeter
230
231
Returns:
232
LROPoller[None]: A poller object for the long-running operation
233
"""
234
235
def list_by_subscription(self, **kwargs) -> Iterable[NetworkSecurityPerimeter]:
236
"""
237
List all network security perimeters in a subscription.
238
239
Returns:
240
Iterable[NetworkSecurityPerimeter]: Iterator of network security perimeters
241
"""
242
243
def list_by_resource_group(self, resource_group_name: str, **kwargs) -> Iterable[NetworkSecurityPerimeter]:
244
"""
245
List all network security perimeters in a resource group.
246
247
Args:
248
resource_group_name (str): The name of the resource group
249
250
Returns:
251
Iterable[NetworkSecurityPerimeter]: Iterator of network security perimeters
252
"""
253
```
254
255
## Usage Examples
256
257
### Creating a Network Security Group with Rules
258
259
```python
260
from azure.mgmt.network.models import (
261
NetworkSecurityGroup, SecurityRule, SecurityRuleAccess,
262
SecurityRuleDirection, SecurityRuleProtocol
263
)
264
265
# Define security rules
266
security_rules = [
267
SecurityRule(
268
name="AllowSSH",
269
protocol=SecurityRuleProtocol.TCP,
270
source_port_range="*",
271
destination_port_range="22",
272
source_address_prefix="*",
273
destination_address_prefix="*",
274
access=SecurityRuleAccess.ALLOW,
275
direction=SecurityRuleDirection.INBOUND,
276
priority=1000
277
),
278
SecurityRule(
279
name="AllowHTTP",
280
protocol=SecurityRuleProtocol.TCP,
281
source_port_range="*",
282
destination_port_range="80",
283
source_address_prefix="*",
284
destination_address_prefix="*",
285
access=SecurityRuleAccess.ALLOW,
286
direction=SecurityRuleDirection.INBOUND,
287
priority=1010
288
),
289
SecurityRule(
290
name="AllowHTTPS",
291
protocol=SecurityRuleProtocol.TCP,
292
source_port_range="*",
293
destination_port_range="443",
294
source_address_prefix="*",
295
destination_address_prefix="*",
296
access=SecurityRuleAccess.ALLOW,
297
direction=SecurityRuleDirection.INBOUND,
298
priority=1020
299
)
300
]
301
302
# Create NSG with rules
303
nsg_params = NetworkSecurityGroup(
304
location="East US",
305
security_rules=security_rules,
306
tags={"Environment": "Production", "Purpose": "WebTier"}
307
)
308
309
# Create the NSG
310
operation = client.network_security_groups.begin_create_or_update(
311
resource_group_name="my-resource-group",
312
network_security_group_name="web-nsg",
313
parameters=nsg_params
314
)
315
nsg = operation.result()
316
317
print(f"Created NSG: {nsg.name} with {len(nsg.security_rules)} rules")
318
```
319
320
### Creating Application Security Groups
321
322
```python
323
from azure.mgmt.network.models import ApplicationSecurityGroup
324
325
# Create web tier ASG
326
web_asg_params = ApplicationSecurityGroup(
327
location="East US",
328
tags={"Tier": "Web"}
329
)
330
331
web_asg_operation = client.application_security_groups.begin_create_or_update(
332
resource_group_name="my-resource-group",
333
application_security_group_name="web-asg",
334
parameters=web_asg_params
335
)
336
web_asg = web_asg_operation.result()
337
338
# Create app tier ASG
339
app_asg_params = ApplicationSecurityGroup(
340
location="East US",
341
tags={"Tier": "Application"}
342
)
343
344
app_asg_operation = client.application_security_groups.begin_create_or_update(
345
resource_group_name="my-resource-group",
346
application_security_group_name="app-asg",
347
parameters=app_asg_params
348
)
349
app_asg = app_asg_operation.result()
350
351
print(f"Created ASGs: {web_asg.name} and {app_asg.name}")
352
```
353
354
### Using ASGs in Security Rules
355
356
```python
357
# Create security rule using ASGs
358
asg_rule = SecurityRule(
359
name="WebToApp",
360
protocol=SecurityRuleProtocol.TCP,
361
source_port_range="*",
362
destination_port_ranges=["80", "443"],
363
source_application_security_groups=[
364
{"id": web_asg.id}
365
],
366
destination_application_security_groups=[
367
{"id": app_asg.id}
368
],
369
access=SecurityRuleAccess.ALLOW,
370
direction=SecurityRuleDirection.INBOUND,
371
priority=1100
372
)
373
374
# Add rule to existing NSG
375
rule_operation = client.security_rules.begin_create_or_update(
376
resource_group_name="my-resource-group",
377
network_security_group_name="web-nsg",
378
security_rule_name="WebToApp",
379
security_rule_parameters=asg_rule
380
)
381
rule = rule_operation.result()
382
383
print(f"Created security rule: {rule.name}")
384
```
385
386
## Types
387
388
```python { .api }
389
class NetworkSecurityGroup(Resource):
390
def __init__(self, **kwargs): ...
391
security_rules: Optional[List[SecurityRule]]
392
default_security_rules: Optional[List[SecurityRule]] # Read-only
393
network_interfaces: Optional[List[NetworkInterface]] # Read-only
394
subnets: Optional[List[Subnet]] # Read-only
395
flow_logs: Optional[List[FlowLog]] # Read-only
396
resource_guid: Optional[str] # Read-only
397
provisioning_state: Optional[ProvisioningState] # Read-only
398
399
class SecurityRule(SubResource):
400
def __init__(self, **kwargs): ...
401
description: Optional[str]
402
protocol: Optional[SecurityRuleProtocol]
403
source_port_range: Optional[str]
404
destination_port_range: Optional[str]
405
source_address_prefix: Optional[str]
406
source_address_prefixes: Optional[List[str]]
407
source_application_security_groups: Optional[List[ApplicationSecurityGroup]]
408
destination_address_prefix: Optional[str]
409
destination_address_prefixes: Optional[List[str]]
410
destination_application_security_groups: Optional[List[ApplicationSecurityGroup]]
411
source_port_ranges: Optional[List[str]]
412
destination_port_ranges: Optional[List[str]]
413
access: Optional[SecurityRuleAccess]
414
priority: Optional[int]
415
direction: Optional[SecurityRuleDirection]
416
provisioning_state: Optional[ProvisioningState] # Read-only
417
418
class ApplicationSecurityGroup(Resource):
419
def __init__(self, **kwargs): ...
420
resource_guid: Optional[str] # Read-only
421
provisioning_state: Optional[ProvisioningState] # Read-only
422
423
class NetworkSecurityPerimeter(Resource):
424
def __init__(self, **kwargs): ...
425
perimeter_guid: Optional[str] # Read-only
426
description: Optional[str]
427
provisioning_state: Optional[ProvisioningState] # Read-only
428
429
# Enumerations
430
class SecurityRuleAccess(str, Enum):
431
ALLOW = "Allow"
432
DENY = "Deny"
433
434
class SecurityRuleDirection(str, Enum):
435
INBOUND = "Inbound"
436
OUTBOUND = "Outbound"
437
438
class SecurityRuleProtocol(str, Enum):
439
TCP = "Tcp"
440
UDP = "Udp"
441
ICMP = "Icmp"
442
ESP = "Esp"
443
AH = "Ah"
444
ASTERISK = "*"
445
```