Apply Network Security Perimeter to App Config

Chris S 0 Reputation points
2026-06-08T12:25:16.0866667+00:00

Hi,

I want to apply a Network Security Perimeter to Azure App Config. I am in region UK south.

Azure App Config is not shown as an 'Associable Resource Type', however the Microsoft Documentation says that this is possible (https://learn.microsoft.com/en-gb/azure/azure-app-configuration/concept-network-security-perimeter).

If I try to associate from App Config I get a 'Failed to Associate' resource error, no specific error code.

Azure App Configuration

An Azure service that provides hosted, universal storage for Azure app configurations.


1 answer

  1. Rakesh Mishra 10,280 Reputation points Microsoft External Staff Moderator
    2026-06-08T14:27:13.84+00:00

    Hello Chris,

    Currently, NSP association with App Configuration is in Private preview, which means it is not rolled out for Public Preview yet to try. We do see the option, but it is not rolled out fully yet. Product team confirmed below.

    We plan to roll out the NSP feature again in a few weeks, once the NSP team finishes the rollout to mark App Configuration as public preview. 

    Also, the documentation is updated with the same information. Please refer to this - Network security perimeter for Azure App Configuration | Microsoft Learn

    It is incredibly common to look for that classic Enabled from selected virtual networks and IP addresses option. We often think of it as the "old way" because it is exactly how you configure simple network security rules in almost every other major Azure service, like Storage Accounts, Key Vaults, and Azure SQL.

    Unlike those other services, Azure App Configuration never actually built that native standalone IP firewall into its architecture. Historically, App Configuration only ever offered two extremes for network security:

    • Fully Open: Wide open to the public internet.
    • Fully Locked Down (Private Link): Shutting down public access and forcing you to use Azure Private Endpoints. This "all-or-nothing" approach meant if you wanted to secure it, you were forced into dealing with Virtual Networks, private DNS zones, and higher pricing tiers.

    Please find possible solutions at this moment. 

    1. Moving to Azure Private Endpoints (Azure Private Link) is an excellent pivot. While Network Security Perimeters (NSP) are still in a private preview state, Private Endpoints are fully Generally Available (GA), battle-tested, and considered the gold standard for production enterprise security in Azure.
    2. Azure Front Door Premium (The Global Edge Solution): Azure Front Door Premium natively supports routing traffic to backend services over Azure Private Link. Front Door Premium carries a high base cost (~$330/month). If you are simply trying to protect a small configuration store, this might be budget prohibitive.
      How it works:
      1. Disable Public Access: You completely disable public internet access on your App Configuration store.
      2. Private Origin: You configure Azure Front Door Premium with a backend "Origin" pointing to your App Configuration store using Private Link. Front Door will send a private endpoint request that you approve in the App Configuration networking tab.
      3. WAF IP Allow List: You attach a Web Application Firewall (WAF) policy to Front Door. You create a custom WAF rule that explicitly Allows your specific IP ranges and blocks everything else at the global edge.  
    3. Azure API Management (The Developer-Friendly Solution): Azure API Management (APIM) is a fantastic, cheaper alternative for this exact scenario.
      How it works:
      1. You place APIM in front of your App Configuration API.
      2. APIM has a built-in <ip-filter> inbound policy. You literally just type your allowed IP addresses into the XML policy configuration, and APIM drops all other requests.
      3. You can use the Consumption tier (pay-per-execution) or Basic tier, making it significantly more cost-effective than Front Door for simple IP filtering.  
    4. Azure Application Gateway (The Regional Network Solution): If your traffic is entirely regional and you already have an Azure Virtual Network, Application Gateway is the standard regional reverse proxy.
      How it works:
      1. You deploy an Application Gateway with the WAF v2 SKU into your Virtual Network.
      2. You create a Private Endpoint for your App Configuration store inside that same Virtual Network.
      3. You configure the Application Gateway's WAF to enforce your IP allow list, and then it routes the approved traffic privately to the App Configuration store.

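An added example, not part of the answer above and not Microsoft's code: option 3 relies on APIM's `<ip-filter>` policy, which takes single `<address>` entries and `<address-range from="..." to="...">` pairs, so an allow list kept as CIDR blocks has to be converted before it can be pasted into the inbound policy. The sample CIDRs are constructed documentation ranges, and the /16 breadth limit and IPv4-only handling are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input (RFC 5737 documentation ranges, not real networks).
SAMPLE_CIDRS = ["203.0.113.0/25", "203.0.113.128/25",
                "198.51.100.7/32", "192.0.2.16/28"]

MIN_PREFIX = 16  # assumption of this example: refuse anything broader than a /16


def build_ip_filter(cidrs, min_prefix=MIN_PREFIX):
    """Return an APIM <ip-filter action="allow"> fragment for IPv4 CIDRs."""
    nets = []
    for cidr in cidrs:
        # strict=True rejects entries with host bits set, e.g. 203.0.113.5/24,
        # which usually means the prefix length was mistyped.
        net = ipaddress.ip_network(cidr.strip(), strict=True)
        if net.version != 4:
            raise ValueError(f"{cidr}: this example only handles IPv4")
        if net.prefixlen < min_prefix:
            raise ValueError(f"{cidr}: broader than /{min_prefix}, refusing")
        nets.append(net)
    if not nets:
        raise ValueError("empty allow list: nothing to permit")

    root = ET.Element("ip-filter", {"action": "allow"})
    # collapse_addresses merges duplicates, overlaps and adjacent blocks,
    # and yields the result sorted by network address.
    for net in ipaddress.collapse_addresses(nets):
        if net.num_addresses == 1:
            ET.SubElement(root, "address").text = str(net.network_address)
        else:
            ET.SubElement(root, "address-range", {
                "from": str(net.network_address),
                "to": str(net.broadcast_address),
            })
    ET.indent(root, space="    ")  # Python 3.9+
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_ip_filter(SAMPLE_CIDRS))
```

The two adjacent /25 blocks come out as one range covering 203.0.113.0 to 203.0.113.255, and an accidental 0.0.0.0/0 entry is rejected instead of silently turning the filter into allow-all.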