Network Security Perimeter Configurations

Network Security Perimeter (NSP) configurations allow users to manage perimeter-based network access to a resource. Resource providers that support NSP configurations must declare an NSP configuration resource type in their provider namespace and use the standard NspConfigurations interface to expose operations.

Note

Network Security Perimeter configurations require common types version v5 or later. Make sure your service version is configured with @armCommonTypesVersion(Azure.ResourceManager.CommonTypes.Versions.v5) or a later version.

Defining an NSP Configuration Resource

To define an NSP configuration resource, create a model in your provider namespace that extends NspConfiguration:

model NetworkSecurityPerimeterConfiguration is Azure.ResourceManager.NspConfiguration;

Defining NSP Configuration Operations

Create an alias for your NSP configuration operations using the NspConfigurations template:

alias NspConfigurationOps = Azure.ResourceManager.NspConfigurations<NetworkSecurityPerimeterConfiguration>;

Adding NSP Configuration Operations to Your Resource Interface

Add NSP configuration operations to your resource interface using the operations alias:

@armResourceOperations
interface Employees {
  // ... other resource operations ...
  getNsp is NspConfigurationOps.Read<Employee>;
  listNsp is NspConfigurationOps.ListByParent<Employee>;
}

Available Operations

The NspConfigurations interface provides the following operations:

Operation	Description	TypeSpec Representation
Read	Get a single NSP configuration	get is Ops.Read<ParentResource>;
ListByParent	List NSP configurations for a parent resource	list is Ops.ListByParent<ParentResource>;
Action	Perform a synchronous action on an NSP config	action is Ops.Action<Parent, Req, Resp>;
ActionAsync	Perform an asynchronous action on an NSP config	action is Ops.ActionAsync<Parent, Req, Resp>;

Complete Example

The following example shows a complete service with NSP configuration support:

Network Security Perimeter

Sample specification for a network security perimeter resource.

Try it

main.tsp

import "@typespec/rest";
import "@typespec/versioning";
import "@azure-tools/typespec-azure-core";
import "@azure-tools/typespec-azure-resource-manager";

using Rest;
using Versioning;
using Azure.Core;
using Azure.ResourceManager;

/** Contoso Resource Provider management API. */
@armProviderNamespace
@service(#{ title: "ContosoProviderHubClient" })
@versioned(Versions)
namespace Microsoft.ContosoProviderHub;

/** Contoso API versions */
enum Versions {
  /** 2021-10-01-preview version */
  @armCommonTypesVersion(Azure.ResourceManager.CommonTypes.Versions.v5)
  @previewVersion
  `2025-11-19-preview`,
}

// For more information about the proxy vs tracked,
// see https://armwiki.azurewebsites.net/rp_onboarding/tracked_vs_proxy_resources.html?q=proxy%20resource
/** A ContosoProviderHub resource */
model Employee is TrackedResource<EmployeeProperties> {
  ...ResourceNameParameter<Employee>;
}

/** Employee properties */
model EmployeeProperties {
  /** Age of employee */
  age?: int32;

  /** City of employee */
  city?: string;

  /** Profile of employee */
  @encode("base64url")
  profile?: bytes;

  /** The status of the last operation. */
  @visibility(Lifecycle.Read)
  provisioningState?: ProvisioningState;
}

/** The provisioning state of a resource. */
@lroStatus
union ProvisioningState {
  ResourceProvisioningState,

  /** The resource is being provisioned */
  Provisioning: "Provisioning",

  /** The resource is updating */
  Updating: "Updating",

  /** The resource is being deleted */
  Deleting: "Deleting",

  /** The resource create request has been accepted */
  Accepted: "Accepted",

  string,
}

interface Operations extends Azure.ResourceManager.Operations {}
model NetworkSecurityPerimeterConfiguration is Azure.ResourceManager.NspConfiguration;
alias NspConfigurationOperations = Azure.ResourceManager.NspConfigurations<NetworkSecurityPerimeterConfiguration>;

@armResourceOperations
interface Employees {
  get is ArmResourceRead<Employee>;
  createOrUpdate is ArmResourceCreateOrReplaceAsync<Employee>;
  update is ArmCustomPatchSync<
    Employee,
    Azure.ResourceManager.Foundations.ResourceUpdateModel<Employee, EmployeeProperties>
  >;
  delete is ArmResourceDeleteSync<Employee>;
  listByResourceGroup is ArmResourceListByParent<Employee>;
  listBySubscription is ArmListBySubscription<Employee>;
  /** A sample resource action that move employee to different location */
  move is ArmResourceActionSync<Employee, MoveRequest, MoveResponse>;

  /** A sample HEAD operation to check resource existence */
  checkExistence is ArmResourceCheckExistence<Employee>;

  /** Get a Network Security Perimeter Configuration for this employee */
  getNsp is NspConfigurationOperations.Read<Employee>;
  /** List the Network Security Perimeters for this employee */
  listNsp is NspConfigurationOperations.ListByParent<Employee>;
}

/** Employee move request */
model MoveRequest {
  /** The moving from location */
  from: string;

  /** The moving to location */
  to: string;
}

/** Employee move response */
model MoveResponse {
  /** The status of the move */
  movingStatus: string;
}

@armResourceOperations
interface Dependents {
  get is ArmResourceRead<Dependent>;
  createOrUpdate is ArmResourceCreateOrReplaceAsync<Dependent>;
  update is ArmCustomPatchSync<
    Dependent,
    Azure.ResourceManager.Foundations.ResourceUpdateModel<Dependent, DependentProperties>
  >;
  delete is ArmResourceDeleteSync<Dependent>;
  list is ArmResourceListByParent<Dependent>;
  getNsp is NspConfigurationOperations.Read<Dependent>;
  listNsps is NspConfigurationOperations.ListByParent<Dependent>;
}

/** An employee dependent */
@parentResource(Employee)
model Dependent is ProxyResource<DependentProperties> {
  ...ResourceNameParameter<Dependent>;
}

/** Dependent properties */
model DependentProperties {
  /** Age of dependent */
  age: int32;

  /** Gender of dependent */
  gender: string;

  /** The status of the last operation. */
  @visibility(Lifecycle.Read)
  provisioningState?: ProvisioningState;
}

Using NSP Configurations with Child Resources

NSP configuration operations can also be used with child resources. You can reuse the same operations alias across multiple resource interfaces:

@parentResource(Employee)
model Dependent is ProxyResource<DependentProperties> {
  ...ResourceNameParameter<Dependent>;
}

@armResourceOperations
interface Dependents {
  get is ArmResourceRead<Dependent>;
  createOrUpdate is ArmResourceCreateOrReplaceAsync<Dependent>;
  delete is ArmResourceDeleteSync<Dependent>;
  list is ArmResourceListByParent<Dependent>;

  // Reuse the same NSP configuration operations alias
  getNsp is NspConfigurationOps.Read<Dependent>;
  listNsp is NspConfigurationOps.ListByParent<Dependent>;
}