0
# Network Security
1
2
Management of network security perimeter configurations for enhanced security and compliance in enterprise environments. Network Security Perimeters provide advanced network isolation and access control for Azure Search services.
3
4
## Capabilities
5
6
### Network Security Perimeter Configuration Management
7
8
Manage network security perimeter configurations that define advanced network isolation rules and access policies for search services in enterprise environments.
9
10
```python { .api }
11
def list_by_service(
12
resource_group_name: str,
13
search_service_name: str,
14
**kwargs
15
) -> ItemPaged[NetworkSecurityPerimeterConfiguration]:
16
"""
17
List all network security perimeter configurations for a search service.
18
19
Parameters:
20
resource_group_name (str): Resource group name
21
search_service_name (str): Search service name
22
23
Returns:
24
ItemPaged[NetworkSecurityPerimeterConfiguration]: All NSP configurations for the service
25
26
Raises:
27
ResourceNotFoundError: Service does not exist
28
HttpResponseError: Access denied or service error
29
"""
30
31
def get(
32
resource_group_name: str,
33
search_service_name: str,
34
nsp_config_name: str,
35
**kwargs
36
) -> NetworkSecurityPerimeterConfiguration:
37
"""
38
Get a specific network security perimeter configuration.
39
40
Parameters:
41
resource_group_name (str): Resource group name
42
search_service_name (str): Search service name
43
nsp_config_name (str): Network security perimeter configuration name
44
45
Returns:
46
NetworkSecurityPerimeterConfiguration: The NSP configuration details
47
48
Raises:
49
ResourceNotFoundError: Service or configuration does not exist
50
HttpResponseError: Access denied or invalid configuration name
51
"""
52
53
def begin_reconcile(
54
resource_group_name: str,
55
search_service_name: str,
56
nsp_config_name: str,
57
**kwargs
58
) -> LROPoller[NetworkSecurityPerimeterConfiguration]:
59
"""
60
Reconcile a network security perimeter configuration to ensure compliance.
61
62
Parameters:
63
resource_group_name (str): Resource group name
64
search_service_name (str): Search service name
65
nsp_config_name (str): Configuration name to reconcile
66
67
Returns:
68
LROPoller[NetworkSecurityPerimeterConfiguration]: Long-running reconciliation operation
69
70
Raises:
71
ResourceNotFoundError: Service or configuration does not exist
72
HttpResponseError: Access denied or reconciliation failed
73
"""
74
```
75
76
**Usage Example:**
77
78
```python
79
# List all network security perimeter configurations
80
nsp_configs = client.network_security_perimeter_configurations.list_by_service(
81
resource_group_name="my-resource-group",
82
search_service_name="my-search-service"
83
)
84
85
for config in nsp_configs:
86
print(f"NSP Config: {config.name}")
87
print(f"Provisioning State: {config.properties.provisioning_state}")
88
print(f"Network Security Perimeter: {config.properties.network_security_perimeter.id}")
89
90
# Check for any provisioning issues
91
if config.properties.provisioning_issues:
92
for issue in config.properties.provisioning_issues:
93
print(f"Issue: {issue.properties.issue_type} - {issue.properties.description}")
94
95
# Get specific configuration details
96
specific_config = client.network_security_perimeter_configurations.get(
97
resource_group_name="my-resource-group",
98
search_service_name="my-search-service",
99
nsp_config_name="default-nsp-config"
100
)
101
102
print(f"Configuration: {specific_config.name}")
103
print(f"Profile: {specific_config.properties.profile.name}")
104
105
# Reconcile configuration if needed
106
if specific_config.properties.provisioning_state != "Succeeded":
107
reconcile_op = client.network_security_perimeter_configurations.begin_reconcile(
108
resource_group_name="my-resource-group",
109
search_service_name="my-search-service",
110
nsp_config_name="default-nsp-config"
111
)
112
113
# Wait for reconciliation to complete
114
reconciled_config = reconcile_op.result()
115
print(f"Reconciliation completed: {reconciled_config.properties.provisioning_state}")
116
```
117
118
## Data Models
119
120
### NetworkSecurityPerimeterConfiguration
121
122
Configuration defining network security perimeter rules and access policies for a search service.
123
124
```python { .api }
125
class NetworkSecurityPerimeterConfiguration:
126
"""
127
Network security perimeter configuration for enhanced network isolation.
128
129
Attributes:
130
id (str): Configuration resource ID
131
name (str): Configuration name
132
type (str): Resource type
133
properties (NetworkSecurityPerimeterConfigurationProperties): Configuration properties
134
"""
135
136
class NetworkSecurityPerimeterConfigurationProperties:
137
"""
138
Properties of a network security perimeter configuration.
139
140
Attributes:
141
provisioning_state (NetworkSecurityPerimeterConfigurationProvisioningState): Configuration provisioning state
142
provisioning_issues (List[ProvisioningIssue]): Any provisioning issues encountered
143
network_security_perimeter (NetworkSecurityPerimeter): Associated network security perimeter
144
resource_association (ResourceAssociation): Resource association details
145
profile (NetworkSecurityProfile): Network security profile configuration
146
"""
147
```
148
149
### NetworkSecurityPerimeter
150
151
Represents the network security perimeter that defines the security boundary.
152
153
```python { .api }
154
class NetworkSecurityPerimeter:
155
"""
156
Network security perimeter defining security boundaries.
157
158
Attributes:
159
id (str): Perimeter resource ID
160
perimeter_guid (str): Unique perimeter identifier
161
location (str): Perimeter location
162
"""
163
```
164
165
### NetworkSecurityProfile
166
167
Defines the security profile and access rules for the perimeter.
168
169
```python { .api }
170
class NetworkSecurityProfile:
171
"""
172
Network security profile containing access rules and policies.
173
174
Attributes:
175
name (str): Profile name
176
access_rules_version (int): Version of the access rules
177
access_rules (List[AccessRule]): Network access rules
178
diagnostic_settings_version (int): Diagnostic settings version
179
"""
180
```
181
182
### AccessRule
183
184
Defines specific network access rules within the security perimeter.
185
186
```python { .api }
187
class AccessRule:
188
"""
189
Network access rule defining allowed or denied traffic.
190
191
Attributes:
192
name (str): Rule name
193
properties (AccessRuleProperties): Rule properties and conditions
194
"""
195
196
class AccessRuleProperties:
197
"""
198
Properties of a network access rule.
199
200
Attributes:
201
direction (AccessRuleDirection): Traffic direction (inbound/outbound)
202
address_prefixes (List[str]): Address prefixes affected by the rule
203
subscriptions (List[AccessRulePropertiesSubscriptionsItem]): Subscription-based rules
204
network_security_perimeters (List[NetworkSecurityPerimeter]): Associated perimeters
205
fully_qualified_domain_names (List[str]): FQDN-based rules
206
email_addresses (List[str]): Email-based access rules
207
phone_numbers (List[str]): Phone-based access rules
208
"""
209
```
210
211
### ResourceAssociation
212
213
Defines how the search service is associated with the network security perimeter.
214
215
```python { .api }
216
class ResourceAssociation:
217
"""
218
Association between the search service and network security perimeter.
219
220
Attributes:
221
name (str): Association name
222
access_mode (ResourceAssociationAccessMode): Access mode for the association
223
"""
224
```
225
226
### ProvisioningIssue
227
228
Represents issues encountered during network security perimeter provisioning.
229
230
```python { .api }
231
class ProvisioningIssue:
232
"""
233
Provisioning issue encountered during NSP configuration.
234
235
Attributes:
236
name (str): Issue name
237
properties (ProvisioningIssueProperties): Issue details
238
"""
239
240
class ProvisioningIssueProperties:
241
"""
242
Properties of a provisioning issue.
243
244
Attributes:
245
issue_type (IssueType): Type of the provisioning issue
246
severity (Severity): Issue severity level
247
description (str): Detailed issue description
248
suggested_resource_ids (List[str]): Suggested resources to resolve the issue
249
suggested_access_rules (List[AccessRule]): Suggested access rules
250
"""
251
```
252
253
### Network Security Enums
254
255
```python { .api }
256
class NetworkSecurityPerimeterConfigurationProvisioningState(str, Enum):
257
"""Network security perimeter configuration provisioning states."""
258
SUCCEEDED = "succeeded"
259
FAILED = "failed"
260
CANCELED = "canceled"
261
CREATING = "creating"
262
UPDATING = "updating"
263
DELETING = "deleting"
264
265
class AccessRuleDirection(str, Enum):
266
"""Access rule direction values."""
267
INBOUND = "inbound"
268
OUTBOUND = "outbound"
269
270
class ResourceAssociationAccessMode(str, Enum):
271
"""Resource association access modes."""
272
ENFORCED = "enforced"
273
LEARNING = "learning"
274
AUDIT = "audit"
275
276
class IssueType(str, Enum):
277
"""Provisioning issue types."""
278
UNKNOWN = "unknown"
279
CONFIGURATION_PROPAGATION_FAILURE = "configuration_propagation_failure"
280
MISSING_PERIMETER_CONFIGURATION = "missing_perimeter_configuration"
281
MISSING_IDENTITY_CONFIGURATION = "missing_identity_configuration"
282
283
class Severity(str, Enum):
284
"""Issue severity levels."""
285
WARNING = "warning"
286
ERROR = "error"
287
```
288
289
## Network Security Scenarios
290
291
### Monitor Network Security Configuration
292
293
```python
294
# Check all NSP configurations for compliance
295
def monitor_nsp_compliance(resource_group: str, service_name: str):
296
configs = client.network_security_perimeter_configurations.list_by_service(
297
resource_group, service_name
298
)
299
300
compliance_issues = []
301
302
for config in configs:
303
print(f"Checking configuration: {config.name}")
304
305
# Check provisioning state
306
if config.properties.provisioning_state != "Succeeded":
307
compliance_issues.append(f"Configuration {config.name} not fully provisioned")
308
309
# Check for provisioning issues
310
if config.properties.provisioning_issues:
311
for issue in config.properties.provisioning_issues:
312
issue_msg = f"Issue in {config.name}: {issue.properties.issue_type} - {issue.properties.description}"
313
compliance_issues.append(issue_msg)
314
315
# Log severity
316
if issue.properties.severity == "error":
317
print(f"ERROR: {issue_msg}")
318
else:
319
print(f"WARNING: {issue_msg}")
320
321
return compliance_issues
322
323
# Run compliance check
324
issues = monitor_nsp_compliance("my-rg", "my-search-service")
325
if not issues:
326
print("All NSP configurations are compliant")
327
else:
328
print(f"Found {len(issues)} compliance issues")
329
```
330
331
### Reconcile Network Security Configuration
332
333
```python
334
# Reconcile configurations that have issues
335
def reconcile_nsp_issues(resource_group: str, service_name: str):
336
configs = client.network_security_perimeter_configurations.list_by_service(
337
resource_group, service_name
338
)
339
340
reconciliation_operations = []
341
342
for config in configs:
343
needs_reconciliation = (
344
config.properties.provisioning_state != "Succeeded" or
345
config.properties.provisioning_issues
346
)
347
348
if needs_reconciliation:
349
print(f"Starting reconciliation for {config.name}")
350
351
reconcile_op = client.network_security_perimeter_configurations.begin_reconcile(
352
resource_group, service_name, config.name
353
)
354
reconciliation_operations.append((config.name, reconcile_op))
355
356
# Wait for all reconciliations to complete
357
for config_name, operation in reconciliation_operations:
358
try:
359
result = operation.result()
360
print(f"Reconciliation completed for {config_name}: {result.properties.provisioning_state}")
361
except Exception as e:
362
print(f"Reconciliation failed for {config_name}: {e}")
363
364
# Run reconciliation
365
reconcile_nsp_issues("my-rg", "my-search-service")
366
```
367
368
### Analyze Network Security Rules
369
370
```python
371
# Analyze access rules in NSP configurations
372
def analyze_access_rules(resource_group: str, service_name: str):
373
configs = client.network_security_perimeter_configurations.list_by_service(
374
resource_group, service_name
375
)
376
377
for config in configs:
378
print(f"\nAnalyzing access rules for {config.name}:")
379
380
if config.properties.profile and config.properties.profile.access_rules:
381
for rule in config.properties.profile.access_rules:
382
print(f" Rule: {rule.name}")
383
print(f" Direction: {rule.properties.direction}")
384
385
if rule.properties.address_prefixes:
386
print(f" Address Prefixes: {rule.properties.address_prefixes}")
387
388
if rule.properties.fully_qualified_domain_names:
389
print(f" FQDNs: {rule.properties.fully_qualified_domain_names}")
390
391
if rule.properties.subscriptions:
392
print(f" Subscriptions: {len(rule.properties.subscriptions)} defined")
393
else:
394
print(" No access rules defined")
395
396
# Analyze current rules
397
analyze_access_rules("my-rg", "my-search-service")
398
```