How to connect to Service Bus with network security enabled through public APIM

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

In certain circumstances a Service Bus namespace must not be reachable from the open internet. The Azure portal offers the two options below for restricting public access to a namespace.

 

[Screenshot: Service Bus namespace Networking blade, public network access options]

 

 

Disabled: all public access to the namespace is turned off. The namespace is reachable only through private endpoints.

Enable network security: at least one IP firewall rule or virtual network rule must be added; public traffic that matches none of the rules is denied.

 

In this blog the workflow is [Client side ----> APIM (publicly accessible) ----> Service Bus (network security enabled)].

Because APIM sits on the public network in this workflow, there are two ways to restrict access to the namespace without disabling public access altogether.

 

  • OPTION 1: Inject APIM into an internal VNET and add that VNET (the APIM subnet) as a virtual network rule on the namespace. The subnet needs the Microsoft.ServiceBus service endpoint enabled, otherwise the rule cannot be created and APIM's traffic still arrives from a public source address.
  • OPTION 2: Allow-list the public IP address of the APIM instance in the namespace IP firewall.

 

Detailed steps:

1. Developer, Basic, Standard and Premium Tiers

OPTION 1 is available only in the Developer and Premium tiers, which support VNET injection; Basic and Standard do not, so they use OPTION 2. To integrate APIM into an internal VNET, refer to the documents below:

https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2

https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet?tabs=stv2

 

Then add the same VNET (the APIM subnet) as a virtual network rule in the Service Bus namespace networking setting.

[Screenshot: Service Bus Networking blade, virtual network rule for the APIM subnet]

 

If you choose to allow-list the IP address instead, APIM instances in these tiers have a dedicated public IP address, shown on the instance's overview page in the Azure portal. Add it as an IP firewall rule on the namespace. Note that this address changes if the instance is later added to or removed from a VNET, so the firewall rule must be updated at the same time.

[Screenshot: APIM overview page showing the public IP address]

[Screenshot: Service Bus IP firewall rule for the APIM public IP]

 

Once network security is enabled on the namespace, a request from any source that matches no rule fails with the error below.

[Screenshot: error returned to a client blocked by the namespace firewall]

 

2. Consumption Tier

The Consumption tier runs on different infrastructure from the other tiers and, per the pricing tier documentation, cannot be injected into a VNET. OPTION 2 (the IP firewall) is therefore the only route, and there are two ways to configure it:
A. Allow-list the IP addresses of APIM
A Consumption tier instance has no dedicated IP address (see the official link). To restrict traffic, allow the IP ranges of the Azure data centers in the region instead: look up the ranges for the region in this JSON file and add each of them under the Address range setting above. Bear in mind that these ranges are shared with every other tenant's resources in that region, so the firewall is only a coarse filter in this setup and authentication (SAS or Azure RBAC) remains the real control; solution B below is the tighter choice.

[Screenshot: regional address ranges in the service-tags JSON file]
[Screenshot: the ranges added under Address range in the Service Bus IP firewall]
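As an added example (not code from the original post or from Azure), the script below assembles the namespace network rule set that the screenshots above configure by hand: a virtual network rule for the APIM subnet (OPTION 1, the VNET-capable tiers) plus IP rules pulled from a regional tag in the service-tags JSON (OPTION 2, the Consumption tier case). It assumes the JSON file the post refers to is the "Azure IP Ranges and Service Tags" download, in which the regional data-center range appears as the AzureCloud.<region> tag; the sample file, its TEST-NET prefixes and the subnet resource ID are constructed placeholders.

```python
"""Build the namespace NetworkRuleSet (the ARM body behind the portal's
Networking blade) from the APIM subnet and a regional IP range list.

Added example; not code from the original post or from Azure. SAMPLE_SERVICE_TAGS
is a constructed file in the layout of the "Azure IP Ranges and Service Tags"
JSON download (values[].name / properties.addressPrefixes), with documentation
TEST-NET prefixes in place of real ones; APIM_SUBNET_ID is a placeholder.
"""
from __future__ import annotations

import ipaddress
import json

SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1, "cloud": "Public",
    "values": [
        {"name": "AzureCloud.westeurope", "id": "AzureCloud.westeurope",
         "properties": {"region": "westeurope", "systemService": "",
                        "addressPrefixes": ["203.0.113.0/24", "198.51.100.8/32",
                                            "2001:db8::/64"]}},
        {"name": "AzureCloud.eastus", "id": "AzureCloud.eastus",
         "properties": {"region": "eastus", "systemService": "",
                        "addressPrefixes": ["192.0.2.0/25"]}},
    ],
})

APIM_SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-apim"
                  "/providers/Microsoft.Network/virtualNetworks/vnet-apim/subnets/snet-apim")


def tag_prefixes(service_tags_json: str, tag_name: str) -> list[str]:
    """IPv4 prefixes listed under one service tag (e.g. "AzureCloud.westeurope",
    the regional data-center range). IPv6 prefixes are dropped because the
    namespace IP rules are written here as IPv4 CIDRs."""
    for tag in json.loads(service_tags_json)["values"]:
        if tag["name"] == tag_name:
            return [p for p in tag["properties"]["addressPrefixes"]
                    if ipaddress.ip_network(p).version == 4]
    raise KeyError(f"service tag {tag_name!r} not in file")


def network_rule_set(subnet_ids: list[str], ip_prefixes: list[str],
                     trusted_services: bool = True) -> dict:
    """Body for PUT .../Microsoft.ServiceBus/namespaces/{ns}/networkRuleSets/default.
    defaultAction Deny with publicNetworkAccess Enabled is the 'enable network
    security' state: only listed subnets and prefixes (and, if enabled, trusted
    Microsoft services calling with a managed identity) get through."""
    for p in ip_prefixes:
        ipaddress.ip_network(p, strict=True)   # reject host bits set / typos early
    return {"properties": {
        "publicNetworkAccess": "Enabled",
        "defaultAction": "Deny",
        "trustedServiceAccessEnabled": trusted_services,
        # The subnet must already carry the Microsoft.ServiceBus service endpoint;
        # with ignoreMissingVnetServiceEndpoint=False ARM rejects the rule otherwise.
        "virtualNetworkRules": [{"subnet": {"id": s}, "ignoreMissingVnetServiceEndpoint": False}
                                for s in subnet_ids],
        "ipRules": [{"ipMask": p, "action": "Allow"} for p in ip_prefixes],
    }}


def ip_rule_admits(rule_set: dict, client_ip: str) -> bool:
    """Would the IP rules alone let client_ip in? Use it to confirm an APIM public
    IP is covered and that an arbitrary internet address is not. VNet rules and
    the trusted-service bypass are evaluated by the service and not modelled here."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r["ipMask"])
               for r in rule_set["properties"]["ipRules"])


if __name__ == "__main__":
    # OPTION 1 (subnet rule) and OPTION 2 (regional IP ranges) in one rule set:
    rules = network_rule_set([APIM_SUBNET_ID],
                             tag_prefixes(SAMPLE_SERVICE_TAGS, "AzureCloud.westeurope"))
    print(json.dumps(rules, indent=2))
    print(ip_rule_admits(rules, "203.0.113.77"), ip_rule_admits(rules, "192.0.2.10"))  # True False
```

The printed body can be applied with `az rest` or an ARM/Bicep deployment against the namespace's `networkRuleSets/default` resource. `ip_rule_admits` is the check worth running after any change: feed it the APIM public IP (or a sampled Consumption-tier source address from the APIM request logs) and an unrelated address, and confirm the first passes and the second does not.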

 

B. Allow trusted Microsoft services to bypass the firewall
APIM is on the trusted Microsoft services list (see this link). The bypass only applies when APIM calls the namespace with its managed identity, not with a SAS key, which is why the following steps set up identity-based authentication.

 

[Screenshot: "Allow trusted Microsoft services to bypass this firewall" setting on the namespace]

 

a. Enable the system-assigned managed identity on the APIM instance.

[Screenshot: APIM instance, system-assigned identity turned on]

 

b. On the Service Bus namespace, assign the APIM managed identity the Azure Service Bus Data Sender role, the Azure Service Bus Data Receiver role, or both, depending on whether the API sends, receives, or does both (grant only the direction the API needs).

[Screenshot: Add role assignment on the namespace for the APIM managed identity]

[Screenshot: resulting role assignment on the namespace]

 

 

c. Authenticate with the managed identity in the APIM inbound policy: the authentication-managed-identity policy obtains a token for the Service Bus resource, and that token is sent to the namespace in the Authorization header.

[Screenshot: APIM inbound policy using the managed identity for authentication]
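Step c written out as the plain HTTP exchange it produces, added here as an example rather than taken from the post or from APIM: the token request the managed-identity policy makes on APIM's behalf, the send call carrying the resulting Bearer token, and the equivalent inbound policy. The namespace and queue names (contoso-ns, orders) are placeholders, and `send` only completes on an Azure resource that has a system-assigned identity.

```python
"""The exchange behind the managed-identity policy, as two HTTP requests.

Added example; not code from the original post or from APIM. The token call
only works on an Azure resource with a system-assigned identity (the IMDS
endpoint at 169.254.169.254 exists nowhere else); names are placeholders.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
# The token audience is the Service Bus resource, not the namespace hostname.
SERVICE_BUS_RESOURCE = "https://servicebus.azure.net"


def imds_token_request(resource: str = SERVICE_BUS_RESOURCE) -> urllib.request.Request:
    """Token request the platform answers on behalf of the managed identity.
    The Metadata: true header is mandatory so that a request merely redirected
    to IMDS (a plain SSRF on the host) is refused."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def send_message_request(namespace: str, queue: str, token: str, body: bytes,
                         broker_properties: dict | None = None) -> urllib.request.Request:
    """POST to the queue's /messages endpoint with the managed-identity JWT.
    This Authorization header is what makes the call a trusted-service call
    at the namespace firewall; a SAS-signed request gets no bypass."""
    url = f"https://{namespace}.servicebus.windows.net/{queue}/messages"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if broker_properties:
        headers["BrokerProperties"] = json.dumps(broker_properties)  # e.g. {"Label": "order"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def apim_inbound_policy(namespace: str, queue: str) -> str:
    """The same two steps as APIM inbound policy (placeholder namespace and queue)."""
    return f"""<inbound>
  <base />
  <authentication-managed-identity resource="{SERVICE_BUS_RESOURCE}"
      output-token-variable-name="msi-token" ignore-error="false" />
  <set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + (string)context.Variables["msi-token"])</value>
  </set-header>
  <set-backend-service base-url="https://{namespace}.servicebus.windows.net" />
  <rewrite-uri template="/{queue}/messages" />
  <set-method>POST</set-method>
</inbound>"""


def send(namespace: str, queue: str, body: bytes) -> int:
    """Fetch a token from IMDS, then send one message; 201 means accepted."""
    with urllib.request.urlopen(imds_token_request(), timeout=5) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(send_message_request(namespace, queue, token, body)) as resp:
        return resp.status


if __name__ == "__main__":
    print(apim_inbound_policy("contoso-ns", "orders"))
    # Only meaningful on an Azure host with a managed identity:
    # print(send("contoso-ns", "orders", b'{"orderId": 1}'))
```

Two details matter for the firewall bypass: the token must be requested for the resource `https://servicebus.azure.net` (a token for any other audience is rejected by the namespace), and the request must carry it as a Bearer token rather than a SAS signature, since the trusted-service exemption is tied to the managed identity. If a 401 still comes back with the firewall open, check the step b role assignment before touching the network rules.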

 
