Aspire.Hosting.Azure.Network
13.3.3
Aspire.Hosting.Azure.Network library
Provides extension methods and resource definitions for an Aspire AppHost to configure Azure Virtual Networks, Subnets, NAT Gateways, Public IP Addresses, Network Security Groups, Network Security Perimeters, and Private Endpoints.
Getting started
Prerequisites
- Azure subscription - create one for free
Install the package
Install the Aspire Azure Virtual Network Hosting library with NuGet:
```dotnetcli
dotnet add package Aspire.Hosting.Azure.Network
```
Configure Azure Provisioning for local development
Adding Azure resources to the Aspire application model will automatically enable development-time provisioning for Azure resources so that you don't need to configure them manually. Provisioning requires a number of settings to be available via .NET configuration. Set these values in user secrets in order to allow resources to be configured automatically.
```json
{
    "Azure": {
        "SubscriptionId": "<your subscription id>",
        "ResourceGroupPrefix": "<prefix for the resource group>",
        "Location": "<azure location>"
    }
}
```
NOTE: Developers must have Owner access to the target subscription so that role assignments can be configured for the provisioned resources.
Usage examples
Adding a Virtual Network
In the AppHost.cs file of AppHost, add a Virtual Network using the following method:
```csharp
var vnet = builder.AddAzureVirtualNetwork("vnet");
```
By default, the virtual network will use the address prefix 10.0.0.0/16. You can specify a custom address prefix:
```csharp
var vnet = builder.AddAzureVirtualNetwork("vnet", "10.1.0.0/16");
```
Adding Subnets
You can add subnets to your virtual network:
```csharp
var vnet = builder.AddAzureVirtualNetwork("vnet");
var subnet = vnet.AddSubnet("subnet", "10.0.1.0/24");
```
Adding NAT Gateways
A NAT Gateway provides outbound internet connectivity with deterministic public IP addresses:
```csharp
var natGateway = builder.AddNatGateway("nat");

var vnet = builder.AddAzureVirtualNetwork("vnet");
var subnet = vnet.AddSubnet("aca-subnet", "10.0.0.0/23")
    .WithNatGateway(natGateway);
```
By default, a Public IP Address is automatically created. You can provide an explicit one for full control:
```csharp
var pip = builder.AddPublicIPAddress("nat-pip");
var natGateway = builder.AddNatGateway("nat")
    .WithPublicIPAddress(pip);
```
Use ConfigureInfrastructure for advanced settings like idle timeout or availability zones.
Adding Network Security Groups
Add security rules to control traffic flow on subnets using shorthand methods:
```csharp
var vnet = builder.AddAzureVirtualNetwork("vnet");
var subnet = vnet.AddSubnet("web", "10.0.1.0/24")
    .AllowInbound(port: "443", from: AzureServiceTags.AzureLoadBalancer, protocol: SecurityRuleProtocol.Tcp)
    .DenyInbound(from: AzureServiceTags.Internet);
```
An NSG is automatically created when shorthand methods are used. Priority auto-increments (100, 200, 300...) and rule names are auto-generated.
For full control, create an explicit NSG with AzureSecurityRule objects:
```csharp
var nsg = vnet.AddNetworkSecurityGroup("web-nsg")
    .WithSecurityRule(new AzureSecurityRule
    {
        Name = "allow-https",
        Priority = 100,
        Direction = SecurityRuleDirection.Inbound,
        Access = SecurityRuleAccess.Allow,
        Protocol = SecurityRuleProtocol.Tcp,
        DestinationPortRange = "443"
    });

var subnet = vnet.AddSubnet("web-subnet", "10.0.1.0/24")
    .WithNetworkSecurityGroup(nsg);
```
A single NSG can be shared across multiple subnets.
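How the auto-incremented priorities play out at evaluation time, as an added Python sketch that is not part of the Aspire library or this README. It assumes shorthand priorities are assigned in call order, treats service tags as opaque labels, ignores protocol, and appends Azure's default inbound rules (65000, 65001, 65500):

```python
# Added example: simplified model of NSG inbound evaluation; not Aspire or Azure code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    access: str   # "Allow" or "Deny"
    source: str   # service tag treated as an opaque label; "*" matches any source
    port: str     # destination port; "*" matches any port

def from_shorthand(calls):
    """Assumption: shorthand calls receive priorities 100, 200, 300... in call order."""
    return [Rule(100 * (i + 1), access, source, port)
            for i, (access, source, port) in enumerate(calls)]

# Azure's default inbound rules, evaluated after every custom rule.
DEFAULTS = [
    Rule(65000, "Allow", "VirtualNetwork", "*"),     # AllowVnetInBound
    Rule(65001, "Allow", "AzureLoadBalancer", "*"),  # AllowAzureLoadBalancerInBound
    Rule(65500, "Deny", "*", "*"),                   # DenyAllInBound
]

def evaluate(rules, source, port):
    """Return (access, priority) of the first match; the lowest priority number wins."""
    for rule in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if rule.source in ("*", source) and rule.port in ("*", port):
            return rule.access, rule.priority
    raise AssertionError("unreachable: DenyAllInBound matches everything")

# The README's shorthand example, then two constructed variants that differ only in order.
readme_rules = from_shorthand([("Allow", "AzureLoadBalancer", "443"), ("Deny", "Internet", "*")])
allow_first = from_shorthand([("Allow", "Internet", "443"), ("Deny", "Internet", "*")])
deny_first = from_shorthand([("Deny", "Internet", "*"), ("Allow", "Internet", "443")])

if __name__ == "__main__":
    for name, rules in [("readme", readme_rules), ("allow first", allow_first),
                        ("deny first", deny_first)]:
        for source, port in [("Internet", "443"), ("Internet", "22"), ("VirtualNetwork", "8080")]:
            print(f"{name:12} {source:15} {port:5} -> {evaluate(rules, source, port)}")
```

In the README's own rule set, traffic from the VirtualNetwork tag still reaches the subnet through the default rule at priority 65000, because the explicit deny covers only Internet.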
Adding Network Security Perimeters
A Network Security Perimeter (NSP) groups PaaS resources into a logical security boundary. Resources within the perimeter can communicate with each other, while public access is restricted by access rules:
```csharp
var nsp = builder.AddNetworkSecurityPerimeter("my-nsp")
    .WithAccessRule(new AzureNspAccessRule
    {
        Name = "allow-my-ip",
        Direction = NetworkSecurityPerimeterAccessRuleDirection.Inbound,
        AddressPrefixes = { "203.0.113.0/24" }
    });

var storage = builder.AddAzureStorage("storage");
var keyVault = builder.AddAzureKeyVault("kv");

storage.WithNetworkSecurityPerimeter(nsp);
keyVault.WithNetworkSecurityPerimeter(nsp);
```
Associations use Enforced access mode by default, which blocks non-compliant public traffic. Use Learning mode to log violations without blocking, which is useful when onboarding resources to identify required access rules:
```csharp
// Learning mode — logs violations without blocking traffic
storage.WithNetworkSecurityPerimeter(nsp, NetworkSecurityPerimeterAssociationAccessMode.Learning);
```
Adding Private Endpoints
Create a private endpoint to securely connect to Azure resources over a private network:
```csharp
var vnet = builder.AddAzureVirtualNetwork("vnet");
var peSubnet = vnet.AddSubnet("private-endpoints", "10.0.2.0/24");

var storage = builder.AddAzureStorage("storage");
var blobs = storage.AddBlobs("blobs");

// Add a private endpoint for the blob storage
peSubnet.AddPrivateEndpoint(blobs);
```
When you add a private endpoint to an Azure resource:
- A Private DNS Zone is automatically created for the service (e.g., privatelink.blob.core.windows.net)
- A Virtual Network Link connects the DNS zone to your VNet
- A DNS Zone Group is created on the private endpoint for automatic DNS registration
- The target resource is automatically configured to deny public network access
To override the automatic network lockdown, use ConfigureInfrastructure:
```csharp
storage.ConfigureInfrastructure(infra =>
{
    var storageAccount = infra.GetProvisionableResources()
        .OfType<StorageAccount>()
        .Single();
    storageAccount.PublicNetworkAccess = StoragePublicNetworkAccess.Enabled;
});
```
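A review-time check for the two settings on this page that loosen the defaults (Learning-mode perimeter associations and the PublicNetworkAccess override), as an added Python example that is not part of the Aspire library. The AppHost fragment is constructed from this README's snippets, and the line-based patterns will miss calls split across several lines:

```python
# Added example: flag AppHost code that relaxes the network lockdown defaults.
import re

# Constructed AppHost.cs fragment assembled from the calls shown in this README.
SAMPLE_APPHOST = '''
var nsp = builder.AddNetworkSecurityPerimeter("my-nsp");
var storage = builder.AddAzureStorage("storage");
var keyVault = builder.AddAzureKeyVault("kv");
storage.WithNetworkSecurityPerimeter(nsp, NetworkSecurityPerimeterAssociationAccessMode.Learning);
keyVault.WithNetworkSecurityPerimeter(nsp);
storage.ConfigureInfrastructure(infra =>
{
    var storageAccount = infra.GetProvisionableResources().OfType<StorageAccount>().Single();
    storageAccount.PublicNetworkAccess = StoragePublicNetworkAccess.Enabled;
});
'''

CHECKS = [
    ("nsp-learning-mode",
     re.compile(r"WithNetworkSecurityPerimeter\([^)]*AccessMode\.Learning"),
     "perimeter association logs violations but does not block them"),
    ("public-access-enabled",
     re.compile(r"\.PublicNetworkAccess\s*=\s*\w+\.Enabled\b"),
     "public network access is re-enabled on a resource"),
]

def audit(source):
    """Return (line number, check id, reason) for each relaxed setting found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # skip anything after a line comment
        for check_id, pattern, why in CHECKS:
            if pattern.search(code):
                findings.append((lineno, check_id, why))
    return findings

if __name__ == "__main__":
    for lineno, check_id, why in audit(SAMPLE_APPHOST):
        print(f"line {lineno}: {check_id}: {why}")
```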
Additional documentation
- https://learn.microsoft.com/azure/virtual-network/
- https://learn.microsoft.com/azure/nat-gateway/
- https://learn.microsoft.com/azure/private-link/
- https://learn.microsoft.com/azure/private-link/network-security-perimeter-concepts
Feedback & contributing
| Product | Versions (compatible and additional computed target framework versions) |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
net8.0 dependencies:
- Aspire.Hosting.Azure (>= 13.3.3)
- AspNetCore.HealthChecks.Uris (>= 9.0.0)
- Azure.Core (>= 1.53.0)
- Azure.Identity (>= 1.21.0)
- Azure.Provisioning (>= 1.5.0)
- Azure.Provisioning.KeyVault (>= 1.1.0)
- Azure.Provisioning.Network (>= 1.1.0)
- Azure.Provisioning.PrivateDns (>= 1.0.0)
- Azure.ResourceManager.Resources (>= 1.11.2)
- Azure.Security.KeyVault.Secrets (>= 4.8.0)
- Google.Protobuf (>= 3.33.5)
- Grpc.AspNetCore (>= 2.76.0)
- Grpc.Net.ClientFactory (>= 2.76.0)
- Grpc.Tools (>= 2.78.0)
- Humanizer.Core (>= 2.14.1)
- JsonPatch.Net (>= 3.3.0)
- KubernetesClient (>= 18.0.13)
- Microsoft.Extensions.Configuration.Abstractions (>= 10.0.7)
- Microsoft.Extensions.Configuration.Binder (>= 10.0.7)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.7)
- Microsoft.Extensions.Diagnostics.HealthChecks (>= 8.0.26)
- Microsoft.Extensions.FileSystemGlobbing (>= 10.0.7)
- Microsoft.Extensions.Hosting (>= 10.0.7)
- Microsoft.Extensions.Hosting.Abstractions (>= 10.0.7)
- Microsoft.Extensions.Http (>= 10.0.7)
- Microsoft.Extensions.Logging (>= 10.0.7)
- Microsoft.Extensions.Logging.Abstractions (>= 10.0.7)
- Microsoft.Extensions.Options (>= 10.0.7)
- Microsoft.Extensions.Primitives (>= 10.0.7)
- ModelContextProtocol (>= 1.0.0)
- Newtonsoft.Json (>= 13.0.4)
- Polly.Core (>= 8.6.5)
- Semver (>= 3.0.0)
- StreamJsonRpc (>= 2.22.23)
- System.IO.Hashing (>= 10.0.3)
- System.Text.Json (>= 10.0.7)
NuGet packages (2)
Showing the top 2 NuGet packages that depend on Aspire.Hosting.Azure.Network:
| Package | Downloads |
|---|---|
| Aspire.Hosting.Azure.Sql: Azure SQL Database resource types for Aspire. | |
| Aspire.Hosting.Azure.Kubernetes: Azure Kubernetes Service (AKS) resource types for Aspire. | |
GitHub repositories
This package is not used by any popular GitHub repositories.