[AppConfig] az appconfig create\update\network-security-perimeter-configuration: Add NSP support#33407
Merged
VeryEarly merged 6 commits intoMay 20, 2026
Conversation
added 6 commits
May 20, 2026 08:58
- Bump azure-mgmt-appconfiguration in setup.py / requirements - Re-record impacted appconfig test recordings against the new SDK version - Update non-NSP test files for new SDK
- Bump azure-mgmt-appconfiguration in setup.py / requirements - Re-record impacted appconfig test recordings against the new SDK version - Update non-NSP test files for new SDK
…Add commands to list, show, and reconcile network security perimeter configurations (preview) - Add --public-network-access argument (Disabled|Enabled|SecuredByPerimeter) on appconfig create/update; deprecate --enable-public-network - Add validate_public_network_args validator - Add network-security-perimeter-configuration command group with list/show/reconcile - Add tests and recordings for --public-network-access and NSP commands
️✔️AzureCLI-FullTest
|
|
Hi @ChristineWanjau, |
|
Validation for Breaking Change Starting...
Thanks for your contribution! |
microsoft-github-policy-service
Bot
requested review from
avanigupta,
jsntcy,
kairu-ms,
yanzhudd,
yonzhan and
zhoxing-ms
Contributor
Author
|
The changes have already been reviewed #33301 . The PR was too large to open. |
Collaborator
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds Azure Network Security Perimeter (NSP) support to the appconfig command module by introducing new preview commands to manage NSP configurations on App Configuration stores, and by adding a new --public-network-access parameter to az appconfig create/update (with the legacy --enable-public-network being deprecated).
Changes:
- Added
az appconfig network-security-perimeter-configuration(list/show/reconcile) as a preview command group backed by a new client factory and table output formatting. - Introduced
--public-network-access (Enabled|Disabled|SecuredByPerimeter)foraz appconfig create/update, deprecated--enable-public-network, and enforced mutual exclusivity. - Updated/added scenario tests and refreshed a recording to cover the new public network access behavior.
Reviewed changes
Copilot reviewed 11 out of 17 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/test_appconfig_nsp_commands.py | Adds a live-only scenario test covering NSP configuration list/show/reconcile flows. |
| src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/test_appconfig_mgmt_commands.py | Extends management-plane tests to validate --public-network-access values and mutual exclusivity. |
| src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/recordings/test_azconfig_appinsights.yaml | Updates a recording to reflect updated request/response payload ordering/content. |
| src/azure-cli/azure/cli/command_modules/appconfig/network_security_perimeter.py | Implements custom operations for NSP configuration list/show/reconcile. |
| src/azure-cli/azure/cli/command_modules/appconfig/custom.py | Wires public_network_access into create/update and enforces mutual exclusivity with deprecated flag. |
| src/azure-cli/azure/cli/command_modules/appconfig/commands.py | Registers the new preview NSP command group and hooks up formatting + client factory. |
| src/azure-cli/azure/cli/command_modules/appconfig/_validators.py | Adds validation for mutual exclusivity and emits a preview warning for SecuredByPerimeter. |
| src/azure-cli/azure/cli/command_modules/appconfig/_params.py | Deprecates --enable-public-network and adds the new --public-network-access argument + NSP args. |
| src/azure-cli/azure/cli/command_modules/appconfig/_help.py | Adds help entries and examples for the new NSP command group. |
| src/azure-cli/azure/cli/command_modules/appconfig/_format.py | Adds table output formatting for NSP configuration objects. |
| src/azure-cli/azure/cli/command_modules/appconfig/_client_factory.py | Adds a client factory for the NSP configurations operation group. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+20
to
+23
| @live_only() | ||
| @ResourceGroupPreparer(parameter_name_for_location='location') | ||
| @AllowLargeResponse(size_kb=99999) | ||
| def test_azconfig_nsp_mgmt(self, resource_group, location): |
Comment on lines
+66
to
+69
| if public_network_access is not None and enable_public_network is not None: | ||
| raise MutuallyExclusiveArgumentError("Cannot specify both '--enable-public-network' and '--public-network-access'. " | ||
| "Please use '--public-network-access' as '--enable-public-network' has been deprecated.") | ||
|
|
Comment on lines
+28
to
+31
| except ResourceNotFoundError: | ||
| raise ResourceNotFoundError( | ||
| "The network security perimeter configuration '{}' for App Configuration '{}' was not found.".format( | ||
| name, store_name)) |
VeryEarly
approved these changes
May 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related command
az appconfig network-security-perimeter-configuration list/show/reconcile
az appconfig create/update --public-network-access
Description
Adds support for Azure Network Security Perimeter (NSP) on App Configuration stores.
az appconfig network-security-perimeter-configuration
list — List all NSP configurations associated with an App Configuration store.
show — Show a specific NSP configuration by name.
reconcile — Force a refresh of the specified NSP configuration.
New parameter on az appconfig create / az appconfig update
--public-network-access (Disabled | Enabled | SecuredByPerimeter) — Controls data-plane traffic from public networks. SecuredByPerimeter is required when associating the store with a Network Security Perimeter and is currently in preview.
--enable-public-network / -e is deprecated in favor of --public-network-access. The two arguments are mutually exclusive; a clear error is raised if both are provided
Testing Guide
History Notes
[AppConfig]
az appconfig create\update\network-security-perimeter-configuration: Add NSP supportThis checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.