IP filtering for Event Hubs and Service Bus

For scenarios in which Azure Event Hubs or Azure Service Bus is only accessible from certain well-known sites, the IP Filter feature enables you to configure rules for accepting or rejecting traffic originated from specify IP addresses, for instance the addresses that come under corporate NAT gateway. The Azure team is happy to announce the public preview of IP Filtering for Service Bus Premium and Event Hubs Standard and Dedicated price plans.

This feature allows users to control which IPs are accessing their resources. Some characteristics of this feature:

  • Rules allow you to specify accept and reject actions on IP masks.
  • The rules work with IPv4 addresses.
  • Rules are applied to the namespace level.
  • You can have multiple rules and they are applied in order.
  • The first rule that matches the IP address determines the accept or reject action.
  • Requests from IPs that are rejected receive an unauthorized response.

Today these features are available in the Azure portal as shown in the screenshot. You can find them at the Event Hubs or Service Bus namespace level or via an ARM template.

The below ARM template shows how you can use this feature. This template takes the following parameters:

  • ipFilterRuleName must be a unique, case-insensitive, alphanumeric string, up to 128 characters long.
  • ipFilterAction is either Reject or Accept as the action to apply for the IP filter rule.
  • ipMask is a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 70.37.104.0/24 represents the 256 IPv4 addresses from 70.37.104.0 to 70.37.104.255, with 24 indicating the number of significant prefix bits for the range.
{
   "$schema":"http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
   "contentVersion":"1.0.0.0",
   "parameters":{   
                "namespaceName":{
                      "type":"string",
                      "metadata":{
                           "description":"Name of the namespace"
                      }
                },
                "ipFilterRuleName":{
                      "type":"string",
                      "metadata":{
                           "description":"Name of the Authorization rule"
                      }
                },
                "ipFilterAction":{
                      "type":"string",
                      "allowedValues": ["Reject", "Accept"],
                      "metadata":{
                           "description":"IP Filter Action"
                      }
                },
                "IpMask":{
                      "type":"string",
                      "metadata":{
                           "description":"IP Mask"
                      }
                }
         },
       "resources": [
        {
            "apiVersion": "2018-01-01-preview",
            "name": "[concat(parameters('namespaceName'), '/', parameters('ipFilterRuleName'))]",
            "type": "Microsoft.EventHub/Namespaces/IPFilterRules",
            "properties": {
                           "FilterName":"[parameters('ipFilterRuleName')]",
                           "Action":"[parameters('ipFilterAction')]",                        
                "IpMask": "[parameters('IpMask')]"
            }
        }
    ]
}

Want tighter control of who is accessing your Event Hubs or Service Bus queues and topics? Give IP Filters a try today for your Service Bus or Event Hubs namespace!

Source: Azure Updates

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.