Add NSP article for Service Bus and update related docs

EldertGrootenboerMS · EldertGrootenboerMS · commit e1aa6b6c2515 · 2026-01-15T11:42:57.000-08:00
diff --git a/articles/private-link/network-security-perimeter-concepts.md b/articles/private-link/network-security-perimeter-concepts.md
@@ -96,6 +96,7 @@ A network security perimeter-aware private link resource is a PaaS resource that
 | [Cosmos DB](/azure/cosmos-db/how-to-configure-nsp)                | Microsoft.DocumentDB/databaseAccounts | - |
 | [Event Hubs](/azure/event-hubs/network-security-perimeter)                | Microsoft.EventHub/namespaces | - |
 | [Key Vault](/azure/key-vault/general/network-security#network-security-perimeter-preview)                 | Microsoft.KeyVault/vaults | - |
+| [Service Bus](/azure/service-bus-messaging/network-security-perimeter)              | Microsoft.ServiceBus/namespaces | - |
 | [SQL DB](/azure/azure-sql/database/network-security-perimeter)                    | Microsoft.Sql/servers | - |
 | [Storage](/azure/storage/common/storage-network-security#network-secuirty-perimeter-preview)               | Microsoft.Storage/storageAccounts | - |
 | [Azure OpenAI service](/azure/ai-services/openai/how-to/network-security-perimeter) | Microsoft.CognitiveServices | - |
diff --git a/articles/service-bus-messaging/TOC.yml b/articles/service-bus-messaging/TOC.yml
@@ -176,6 +176,8 @@
       href: ./security-controls-policy.md
     - name: Network security
       href: network-security.md
+    - name: Network security perimeter
+      href: network-security-perimeter.md
   - name: Integration with other services
     items:
     - name: Azure Service Bus and Azure Event Grid integration
diff --git a/articles/service-bus-messaging/network-security-perimeter.md b/articles/service-bus-messaging/network-security-perimeter.md
@@ -1,7 +1,7 @@
 ---
 title: Network Security Perimeter
 titleSuffix: Azure Service Bus
-description: Overview of Network Security Perimeter feature for Service Bus
+description: Learn how to associate an Azure Service Bus namespace with a network security perimeter
 ms.reviewer: spelluru
 ms.date: 01/15/2026
 author: EldertGrootenboer
@@ -11,26 +11,48 @@ ms.custom:
 ---
 
 
-# Network Security Perimeter for Azure Service Bus
+# Network security perimeter for Azure Service Bus
 
-[Azure Service Bus](./service-bus-messaging-overview.md) supports integration with [Network Security Perimeter](../private-link/network-security-perimeter-concepts.md).
+[Azure Service Bus](./service-bus-messaging-overview.md) supports integration with [network security perimeter](../private-link/network-security-perimeter-concepts.md).
 
-The Network Security Perimeter safeguards network traffic between Azure Service Bus and other Platform as a Service (PaaS) offerings like Azure Key Vault. By confining communication solely to Azure resources within its boundaries, it blocks unauthorized attempts to access resources beyond its secure perimeter.
+Network security perimeter safeguards network traffic between Azure Service Bus and other Platform as a Service (PaaS) offerings like Azure Key Vault. By confining communication solely to Azure resources within its boundaries, it blocks unauthorized attempts to access resources beyond its secure perimeter.
+
+With a network security perimeter:
+
+- PaaS resources associated with a specific perimeter can, by default, only communicate with other PaaS resources within the same perimeter.
+- You can actively permit external inbound and outbound communication by setting explicit access rules.
+- [Diagnostic logs](../private-link/network-security-perimeter-diagnostic-logs.md) are enabled for PaaS resources within perimeter for audit and compliance.
 
 Integrating Service Bus within this framework enhances messaging capabilities while ensuring robust security measures. This integration not only provides a reliable and scalable platform but also strengthens data protection strategies, mitigating risks associated with unauthorized access or data breaches.
 
-Operating as a service under Azure Private Link, the Network Security Perimeter facilitates secure communication for PaaS services deployed outside the virtual network. It enables seamless interaction among PaaS services within the perimeter and facilitates communication with external resources through carefully configured access rules. Additionally, it supports outbound resources such as Azure Key Vault for customer-managed keys (CMK), further enhancing its versatility and utility in diverse cloud environments.
+Operating as a service under Azure Private Link, network security perimeter facilitates secure communication for PaaS services deployed outside the virtual network. It enables seamless interaction among PaaS services within the perimeter and facilitates communication with external resources through carefully configured access rules. Additionally, it supports outbound resources such as Azure Key Vault for customer-managed keys (CMK), further enhancing its versatility and utility in diverse cloud environments.
+
+## Network security perimeter scenarios in Service Bus
+
+Azure Service Bus supports scenarios that require access to other PaaS resources:
+
+- **Customer-managed keys (CMK)** require communication with Azure Key Vault. For more information, see [Configure customer-managed keys for encrypting Azure Service Bus data at rest](configure-customer-managed-key.md).
 
 > [!NOTE]
-> Network Security Perimeter doesn't support [Azure Service Bus Geo-Replication](./service-bus-geo-replication.md).
+> - Network security perimeter doesn't support [Azure Service Bus geo-replication](./service-bus-geo-replication.md).
+> - Network security perimeter rules don't govern private link traffic through [private endpoints](../private-link/private-endpoint-overview.md).
 
-## Associate Service Bus with a Network Security Perimeter in the Azure portal
-1. Search for "Network Security Perimeter" in the portal search bar. Select **Create** to create the resource.
-1. Enter a name and region, and choose the subscription.
-1. Under the **Resources** section, select **Associate**. Navigate to the Service Bus namespace you want to add. 
+## Create a network security perimeter
+
+Create your own network security perimeter resource using [Azure portal](../private-link/create-network-security-perimeter-portal.md), [PowerShell](../private-link/create-network-security-perimeter-powershell.md), or [Azure CLI](../private-link/create-network-security-perimeter-cli.md).
+
+## Associate Service Bus with a network security perimeter in the Azure portal
+
+1. Go to your network security perimeter resource in the Azure portal.
+1. Select **Resources** from the left menu.
+1. Select **Associate** to add a new resource association.
+1. Search for and select the Service Bus namespace you want to add.
+1. Select a profile to associate with the namespace and select **Associate**.
 
 ## Related content
-- For an overview of [Network Security Perimeter](../private-link/network-security-perimeter-concepts.md)
-- For monitoring with [diagnostic logs in Network Security Perimeter](../private-link/network-security-perimeter-diagnostic-logs.md)
-- For other Service Bus security features, see [Network security for Azure Service Bus](./network-security.md)
-- For additional information on using private endpoints, see [Allow access to Azure Service Bus namespaces via private endpoints](./private-link-service.md)
+
+- [Network security perimeter concepts](../private-link/network-security-perimeter-concepts.md)
+- [Diagnostic logs in network security perimeter](../private-link/network-security-perimeter-diagnostic-logs.md)
+- [Network security for Azure Service Bus](./network-security.md)
+- [Allow access to Azure Service Bus namespaces via private endpoints](./private-link-service.md)
+- [Configure customer-managed keys for Azure Service Bus](configure-customer-managed-key.md)
diff --git a/articles/service-bus-messaging/network-security.md b/articles/service-bus-messaging/network-security.md
@@ -81,6 +81,11 @@ For more information, see [What is Azure Private Link?](../private-link/private-
 
 For more information, see [How to configure private endpoints for a Service Bus namespace](private-link-service.md)
 
+## Network security perimeter
+
+Another way to secure your Service Bus namespace is to include it in a network security perimeter. A network security perimeter establishes a logical boundary for PaaS resources, restricting communication to resources within the perimeter and controlling public access through explicit rules. This can be particularly useful when you want to establish a security boundary around Service Bus and other PaaS resources like Azure Key Vault.
+
+For more information, see [Network security perimeter for Azure Service Bus](network-security-perimeter.md).
 
 ## Next steps
 See the following articles:
