# AzureNetworkSecurityPerimeterExtensions Methods - Package: [Aspire.Hosting.Azure.Network](/reference/api/csharp/aspire.hosting.azure.network.md) - Type: [AzureNetworkSecurityPerimeterExtensions](/reference/api/csharp/aspire.hosting.azure.network/azurenetworksecurityperimeterextensions.md) - Kind: `Methods` - Members: `3` Provides extension methods for adding Azure Network Security Perimeter resources to the application model. ## AddNetworkSecurityPerimeter(IDistributedApplicationBuilder, string) - Name: `AddNetworkSecurityPerimeter(IDistributedApplicationBuilder, string)` - Modifiers: `extension` - Returns: `IResourceBuilder` - Source: [GitHub](https://github.com/microsoft/aspire/blob/cbc352350f1a9bafbaff10d14a2c8de4ac186a48/src/Aspire.Hosting.Azure.Network/AzureNetworkSecurityPerimeterExtensions.cs#L38-L50) Adds an Azure Network Security Perimeter to the application model. ```csharp public static class AzureNetworkSecurityPerimeterExtensions { public static IResourceBuilder AddNetworkSecurityPerimeter( this IDistributedApplicationBuilder builder, string name) { // ... } } ``` ## Parameters - `builder` (`IDistributedApplicationBuilder`) The builder for the distributed application. - `name` (`string`) The name of the Network Security Perimeter resource. ## Returns `IResourceBuilder` -- A reference to the `ApplicationModel.IResourceBuilder`1`. ## Examples This example adds a Network Security Perimeter and associates a storage resource: ```csharp var nsp = builder.AddNetworkSecurityPerimeter("my-nsp"); var storage = builder.AddAzureStorage("storage"); storage.WithNetworkSecurityPerimeter(nsp); ``` ## ATS metadata ### ATS export - Available to Polyglot AppHosts through the Aspire Type System. ## WithAccessRule(IResourceBuilder, AzureNspAccessRule) - Name: `WithAccessRule(IResourceBuilder, AzureNspAccessRule)` - Modifiers: `extension` - Returns: `IResourceBuilder` - Source: [GitHub](https://github.com/microsoft/aspire/blob/cbc352350f1a9bafbaff10d14a2c8de4ac186a48/src/Aspire.Hosting.Azure.Network/AzureNetworkSecurityPerimeterExtensions.cs#L83-L95) Adds an access rule to the Network Security Perimeter. ```csharp public static class AzureNetworkSecurityPerimeterExtensions { public static IResourceBuilder WithAccessRule( this IResourceBuilder builder, AzureNspAccessRule rule) { // ... } } ``` ## Parameters - `builder` (`IResourceBuilder`) The Network Security Perimeter resource builder. - `rule` ([AzureNspAccessRule](/reference/api/csharp/aspire.hosting.azure.network/azurenspaccessrule.md)) The access rule configuration. ## Returns `IResourceBuilder` -- A reference to the `ApplicationModel.IResourceBuilder`1` for chaining. ## Examples This example adds inbound and outbound access rules: ```csharp var nsp = builder.AddNetworkSecurityPerimeter("my-nsp") .WithAccessRule(new AzureNspAccessRule { Name = "allow-my-ip", Direction = NetworkSecurityPerimeterAccessRuleDirection.Inbound, AddressPrefixes = { "203.0.113.0/24" } }) .WithAccessRule(new AzureNspAccessRule { Name = "allow-outbound-fqdn", Direction = NetworkSecurityPerimeterAccessRuleDirection.Outbound, FullyQualifiedDomainNames = { "*.blob.core.windows.net" } }); ``` ## ATS metadata ### ATS export - Available to Polyglot AppHosts through the Aspire Type System. ## WithNetworkSecurityPerimeter(IResourceBuilder, IResourceBuilder, NetworkSecurityPerimeterAssociationAccessMode, string?) - Name: `WithNetworkSecurityPerimeter(IResourceBuilder, IResourceBuilder, NetworkSecurityPerimeterAssociationAccessMode, string?)` - Modifiers: `extension` - Returns: `IResourceBuilder` - Source: [GitHub](https://github.com/microsoft/aspire/blob/cbc352350f1a9bafbaff10d14a2c8de4ac186a48/src/Aspire.Hosting.Azure.Network/AzureNetworkSecurityPerimeterExtensions.cs#L141-L158) Associates an Azure PaaS resource with a Network Security Perimeter. ```csharp public static class AzureNetworkSecurityPerimeterExtensions { public static IResourceBuilder WithNetworkSecurityPerimeter( this IResourceBuilder target, IResourceBuilder nsp, NetworkSecurityPerimeterAssociationAccessMode accessMode = NetworkSecurityPerimeterAssociationAccessMode.Enforced, string? associationName = null) { // ... } } ``` ## Parameters - `target` (`IResourceBuilder`) The target PaaS resource builder to associate. - `nsp` (`IResourceBuilder`) The Network Security Perimeter to associate with. - `accessMode` (`NetworkSecurityPerimeterAssociationAccessMode`) `optional` The access mode for the association. Defaults to `NetworkSecurityPerimeterAssociationAccessMode.Enforced`. Use `NetworkSecurityPerimeterAssociationAccessMode.Learning` to log violations without blocking traffic. - `associationName` (`string?`) `optional` An optional name for the association. If not provided, defaults to `"{resourceName}-assoc"`. ## Returns `IResourceBuilder` -- A reference to the target resource builder for chaining. ## Remarks In `NetworkSecurityPerimeterAssociationAccessMode.Enforced` mode, resources within the perimeter can communicate with each other, but public access is restricted to the rules defined in the perimeter profile. In `NetworkSecurityPerimeterAssociationAccessMode.Learning` mode, traffic that would be blocked by the perimeter rules is logged but not denied. This is useful when onboarding resources to identify required access rules before switching to enforced mode. ## Examples This example associates storage and key vault resources with an NSP: ```csharp var nsp = builder.AddNetworkSecurityPerimeter("my-nsp"); var storage = builder.AddAzureStorage("storage"); var keyVault = builder.AddAzureKeyVault("kv"); storage.WithNetworkSecurityPerimeter(nsp); keyVault.WithNetworkSecurityPerimeter(nsp, NetworkSecurityPerimeterAssociationAccessMode.Learning); ``` ## ATS metadata ### ATS export - Available to Polyglot AppHosts through the Aspire Type System.