Skip to content

Add Azure Network Security Perimeter (NSP) support#15711

Open
eerhardt wants to merge 7 commits intomicrosoft:mainfrom
eerhardt:AddNSPs
Open

Add Azure Network Security Perimeter (NSP) support#15711
eerhardt wants to merge 7 commits intomicrosoft:mainfrom
eerhardt:AddNSPs

Conversation

@eerhardt
Copy link
Copy Markdown
Member

@eerhardt eerhardt commented Mar 30, 2026
edited
Loading

Description

Implement NSP resources for securing PaaS services (Storage, Key Vault, Cosmos DB, SQL) within a logical network boundary. NSPs are the PaaS-layer equivalent of VNets/NSGs, grouping resources so they can communicate internally while restricting public access via access rules.

New APIs:

  • AddNetworkSecurityPerimeter() - creates an NSP with a default profile
  • WithAccessRule() - adds inbound/outbound rules (IP prefixes, subscriptions, FQDNs)
  • AssociateWith() - explicitly associates a PaaS resource with an NSP

New types:

  • AzureNetworkSecurityPerimeterResource
  • AzureNspAccessRule (DTO for rule configuration)
  • IAzureNspAssociationTarget (implemented by Storage, KeyVault, CosmosDB, SQL)

Associations use Enforced access mode by default. Generated Bicep targets the 2025-05-01 API version via Azure.Provisioning.Network 1.1.0-beta.2.

Checklist

  • Is this feature complete?
    • Yes
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • No
  • Does the change require an update in our Aspire docs?

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 30, 2026
edited
Loading

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15711

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15711"

eerhardt and others added 2 commits April 6, 2026 16:56
@eerhardt
Add Azure Network Security Perimeter (NSP) support
5ab7a80 
Implement NSP resources for securing PaaS services (Storage, Key Vault,
Cosmos DB, SQL) within a logical network boundary. NSPs are the PaaS-layer
equivalent of VNets/NSGs, grouping resources so they can communicate
internally while restricting public access via access rules.

New APIs:
- AddNetworkSecurityPerimeter() - creates an NSP with a default profile
- WithAccessRule() - adds inbound/outbound rules (IP prefixes, subscriptions,
  FQDNs, service tags)
- AssociateWith() - explicitly associates a PaaS resource with an NSP
- AssociateAllPaaSResources() - auto-associates all IAzureNspAssociationTarget
  resources in the app model

New types:
- AzureNetworkSecurityPerimeterResource
- AzureNspAccessRule (DTO for rule configuration)
- IAzureNspAssociationTarget (implemented by Storage, KeyVault, CosmosDB, SQL)
- NspAssociationTargetAnnotation (for provisioning dependency ordering)

Associations use Enforced access mode by default. Generated Bicep targets
the 2025-05-01 API version via Azure.Provisioning.Network 1.1.0-beta.2.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@eerhardt
Remove unnecessary code.
55c5a91
@eerhardt eerhardt marked this pull request as ready for review April 7, 2026 21:29
Copilot AI review requested due to automatic review settings April 7, 2026 21:29
@eerhardt eerhardt mentioned this pull request Apr 7, 2026
Open
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds initial Azure Network Security Perimeter (NSP) support to Aspire’s Azure hosting model so AppHosts can define an NSP, configure access rules, and associate eligible Azure resources for deployment-time perimeter enforcement.

Changes:

  • Introduces AddNetworkSecurityPerimeter, WithAccessRule, and AssociateWith APIs plus new NSP resource/DTO types.
  • Extends several Azure resource types to be NSP-association targets and adds missing id outputs to generated Bicep where needed.
  • Updates Azure.Network README and refreshes package versions (notably Azure.Provisioning.Network and Azure.Core) to support the new ARM API surface.

Reviewed changes

Copilot reviewed 36 out of 36 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
tests/Aspire.Hosting.Azure.Tests/Snapshots/FoundryExtensionsTests.AddFoundry_GeneratesValidBicep#00.verified.bicep Snapshot update to include id output for Foundry.
tests/Aspire.Hosting.Azure.Tests/Snapshots/ExistingAzureResourceTests.SupportsExistingLogAnalyticsWithResourceGroup.verified.bicep Snapshot update to include id output for existing Log Analytics workspace.
tests/Aspire.Hosting.Azure.Tests/Snapshots/ExistingAzureResourceTests.SupportsExistingAzureOpenAIWithResourceGroup.verified.bicep Snapshot update to include id output for existing Azure OpenAI resource.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureOpenAIExtensionsTests.AddAzureOpenAI_overrideLocalAuthDefault=True_useObsoleteApis=True.verified.bicep Snapshot update to include id output for Azure OpenAI.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureOpenAIExtensionsTests.AddAzureOpenAI_overrideLocalAuthDefault=True_useObsoleteApis=False.verified.bicep Snapshot update to include id output for Azure OpenAI.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureOpenAIExtensionsTests.AddAzureOpenAI_overrideLocalAuthDefault=False_useObsoleteApis=True.verified.bicep Snapshot update to include id output for Azure OpenAI.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureOpenAIExtensionsTests.AddAzureOpenAI_overrideLocalAuthDefault=False_useObsoleteApis=False.verified.bicep Snapshot update to include id output for Azure OpenAI.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureNetworkSecurityPerimeterExtensionsTests.AddNetworkSecurityPerimeter_WithSubscriptionRule_GeneratesCorrectBicep.verified.bicep New snapshot validating subscription-based access rule emission.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureNetworkSecurityPerimeterExtensionsTests.AddNetworkSecurityPerimeter_WithStorageAssociation_GeneratesCorrectBicep.verified.bicep New snapshot validating NSP association emission.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureNetworkSecurityPerimeterExtensionsTests.AddNetworkSecurityPerimeter_WithParameterBasedAccessRules_GeneratesCorrectBicep.verified.bicep New snapshot validating parameter-based rule references.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureNetworkSecurityPerimeterExtensionsTests.AddNetworkSecurityPerimeter_WithMultipleAssociations_GeneratesCorrectBicep.verified.bicep New snapshot validating multiple associations and access-mode variants.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureNetworkSecurityPerimeterExtensionsTests.AddNetworkSecurityPerimeter_WithAccessRules_GeneratesCorrectBicep.verified.bicep New snapshot validating basic inbound/outbound rule emission.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureNetworkSecurityPerimeterExtensionsTests.AddNetworkSecurityPerimeter_GeneratesCorrectBicep.verified.bicep New snapshot validating baseline NSP + default profile.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureLogAnalyticsWorkspaceExtensionsTests.AddLogAnalyticsWorkspace.verified.bicep Snapshot update to include id output for Log Analytics workspace.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureContainerAppsTests.ContainerAppEnvironmentWithCustomWorkspace#02.verified.bicep Snapshot update to include id output for custom workspace.
tests/Aspire.Hosting.Azure.Tests/AzureNetworkSecurityPerimeterExtensionsTests.cs New unit/snapshot tests covering NSP creation, rules, and associations.
src/Aspire.Hosting.Foundry/FoundryResource.cs Marks Foundry as NSP-association-capable and exposes Id output reference.
src/Aspire.Hosting.Foundry/FoundryExtensions.cs Adds id provisioning output for Foundry Bicep module.
src/Aspire.Hosting.Azure/IAzureNspAssociationTarget.cs New interface to model resources that can be associated to an NSP.
src/Aspire.Hosting.Azure/AzureResourcePreparer.cs Minor formatting-only change in preparer logic.
src/Aspire.Hosting.Azure.Storage/AzureStorageResource.cs Implements NSP association target interface (uses existing Id output reference).
src/Aspire.Hosting.Azure.Sql/AzureSqlServerResource.cs Implements NSP association target interface.
src/Aspire.Hosting.Azure.ServiceBus/AzureServiceBusResource.cs Implements NSP association target interface.
src/Aspire.Hosting.Azure.Search/AzureSearchResource.cs Implements NSP association target interface.
src/Aspire.Hosting.Azure.OperationalInsights/AzureLogAnalyticsWorkspaceResource.cs Implements NSP association target interface and exposes Id output reference.
src/Aspire.Hosting.Azure.OperationalInsights/AzureLogAnalyticsWorkspaceExtensions.cs Adds id provisioning output for Log Analytics workspace Bicep module.
src/Aspire.Hosting.Azure.Network/README.md Documents NSP usage in the Azure.Network hosting README.
src/Aspire.Hosting.Azure.Network/AzureNspAccessRule.cs New DTO for expressing NSP access-rule configuration.
src/Aspire.Hosting.Azure.Network/AzureNetworkSecurityPerimeterResource.cs New resource type representing an NSP, including rule/association storage.
src/Aspire.Hosting.Azure.Network/AzureNetworkSecurityPerimeterExtensions.cs Core NSP APIs + Bicep generation for NSP/profile/rules/associations.
src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResource.cs Implements NSP association target interface.
src/Aspire.Hosting.Azure.EventHubs/AzureEventHubsResource.cs Implements NSP association target interface.
src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBResource.cs Implements NSP association target interface.
src/Aspire.Hosting.Azure.CognitiveServices/AzureOpenAIResource.cs Implements NSP association target interface and exposes Id output reference.
src/Aspire.Hosting.Azure.CognitiveServices/AzureOpenAIExtensions.cs Adds id provisioning output for Azure OpenAI Bicep module.
Directory.Packages.props Bumps Azure.Provisioning.Network and Azure.Core versions needed for NSP support.

@github-actions github-actions bot mentioned this pull request Apr 7, 2026
Open
eerhardt
eerhardt commented Apr 7, 2026
View reviewed changes
src/Aspire.Hosting.Azure.Network/AzureNetworkSecurityPerimeterExtensions.cs
Comment on lines +178 to +185
// Create a default profile
var profileIdentifier = Infrastructure.NormalizeBicepIdentifier($"{nsp.BicepIdentifier}_profile");
var profile = new NetworkSecurityPerimeterProfile(profileIdentifier)
{
Name = "defaultProfile",
Parent = nsp,
};
infra.Add(profile);
Copy link
Copy Markdown
Member Author

@eerhardt eerhardt Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: I'm not currently publicly modeling a "profile" child resource. I'm not sure it is necessary for most usages.

We can easily add it in the future, and keep the existing easy APIs - the existing APIs will still apply to the "default" profile.

Let me know if you think this is a mistake.

@eerhardt eerhardt requested a review from davidfowl April 7, 2026 22:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@sebastienros sebastienros Awaiting requested review from sebastienros sebastienros is a code owner

@mitchdenny mitchdenny Awaiting requested review from mitchdenny mitchdenny is a code owner

@davidfowl davidfowl Awaiting requested review from davidfowl

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eerhardt