Azure PaaS Blog

How to connect to Service Bus with network security enabled through public APIM

Jay_Gong
Former Employee
Mar 09, 2022

In some circumstances a Service Bus namespace must not be reachable from the open internet. The Azure portal offers two options for restricting public access to a namespace:

Disabled: This option disables any public access to the namespace. The namespace is reachable only through private endpoints.

Enable network security: Add at least one IP firewall rule or virtual network rule; only traffic from those sources reaches the namespace. Note that virtual network rules (service endpoints) are supported only on Premium tier namespaces.

 

In this blog, the workflow is: Client ----> APIM (publicly accessible) ----> Service Bus (network security enabled).

Because APIM in this workflow is reachable from the public network, we have two ways to restrict access to the namespace without disabling all public access:

  • OPTION1: Inject APIM into a VNET and allow traffic from the APIM subnet to reach the Service Bus namespace.
  • OPTION2: Whitelist the public IP address of the APIM service in the namespace's IP firewall settings.

 

Detailed steps:

1. Developer, Basic, Standard and Premium tiers

If you choose to inject APIM into a VNET (internal or external mode), refer to the documents below:

https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2

https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet?tabs=stv2

 

Then add the APIM subnet as a virtual network rule in the Service Bus namespace's networking settings. The subnet needs the Microsoft.ServiceBus service endpoint enabled, and virtual network rules are supported only on Premium tier namespaces.

If you choose to whitelist the IP address instead, APIM instances in these tiers have a dedicated public IP address. It is shown on the instance's Overview page in the Azure portal; add it as an IP firewall rule on the namespace.

Once network security is enabled on the namespace, any client outside the allowed networks and IP ranges is rejected with an unauthorized-access error when it tries to reach the namespace.

 

2. Consumption tier

As is known, the Consumption tier of APIM runs on different infrastructure from the other tiers and, per the pricing tier documentation, cannot be injected into a VNET. Hence we need OPTION2 above and must allow access from the APIM service through the IP firewall. There are two ways to do this:
A. Whitelist the IP addresses of APIM
Unfortunately, a Consumption tier APIM instance has no dedicated public IP address (see the official documentation). To restrict by IP we have to allow the Azure IP ranges of the region the instance runs in: take the ranges for that region from the Azure IP Ranges and Service Tags JSON download and add all of them to the Address range setting on the namespace's Networking page. Keep in mind that these ranges are shared by every Azure customer in that region and are republished weekly, so this allow-list is coarse, needs to be refreshed, and does not replace authentication on the namespace.
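As an added example (not code from the original post), the following Python script does the range extraction for option A offline: it parses a document in the shape of the Azure IP Ranges and Service Tags JSON, pulls the IPv4 prefixes published under one service tag, validates and de-duplicates them, and shapes them into the ipRules body of a Microsoft.ServiceBus/namespaces/networkRuleSets resource. The tag name ApiManagement.WestEurope and the prefixes in the embedded sample are constructed for the example (the sample uses RFC 5737/RFC 3849 documentation ranges, not real Azure ranges); against the real download you would select the regional tag, or the broader regional ranges the post refers to, for the region your APIM instance runs in.

```python
"""Build a Service Bus namespace IP rule set from the Azure IP Ranges and
Service Tags JSON. Added example; not from the original post."""
import ipaddress
import json

# Constructed sample in the shape of the published ServiceTags_Public_*.json.
# The prefixes are documentation ranges (RFC 5737 / RFC 3849), not real Azure
# ranges; the real file carries thousands of entries. One duplicate and one
# IPv6 prefix are included on purpose to exercise the filtering below.
SAMPLE_SERVICE_TAGS_JSON = """{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {
      "name": "ApiManagement.WestEurope",
      "id": "ApiManagement.WestEurope",
      "properties": {
        "region": "westeurope",
        "systemService": "AzureApiManagement",
        "addressPrefixes": [
          "203.0.113.0/24",
          "198.51.100.64/27",
          "203.0.113.0/24",
          "2001:db8:1::/48"
        ]
      }
    },
    {
      "name": "ApiManagement.EastUS",
      "id": "ApiManagement.EastUS",
      "properties": {
        "region": "eastus",
        "systemService": "AzureApiManagement",
        "addressPrefixes": ["192.0.2.0/25"]
      }
    }
  ]
}"""


def load_service_tags(text: str) -> dict:
    """Parse the service-tags document (the JSON download or the sample above)."""
    return json.loads(text)


def prefixes_for_tag(doc: dict, tag_name: str) -> list:
    """Return the IPv4 CIDR prefixes published under one service tag,
    validated, de-duplicated and sorted. Service Bus IP rules take IPv4
    CIDR masks, so IPv6 prefixes in the tag are dropped."""
    for entry in doc.get("values", []):
        if entry.get("name") == tag_name:
            nets = set()
            for prefix in entry["properties"]["addressPrefixes"]:
                # strict=True rejects a mask whose host bits are set, which
                # would otherwise fail only at deployment time
                net = ipaddress.ip_network(prefix, strict=True)
                if net.version == 4:
                    nets.add(net)
            return [str(n) for n in sorted(nets)]
    raise KeyError(f"service tag {tag_name!r} not found in document")


def to_ip_rules(prefixes: list) -> list:
    """Shape prefixes as Microsoft.ServiceBus/namespaces/networkRuleSets ipRules."""
    return [{"ipMask": p, "action": "Allow"} for p in prefixes]


def network_rule_set(prefixes: list, trusted_service_bypass: bool = False) -> dict:
    """Full networkRuleSets 'properties' body: deny by default, allow only the
    listed ranges, optionally let trusted Microsoft services bypass the firewall."""
    return {
        "properties": {
            "publicNetworkAccess": "Enabled",
            "defaultAction": "Deny",
            "trustedServiceAccessEnabled": trusted_service_bypass,
            "ipRules": to_ip_rules(prefixes),
            "virtualNetworkRules": [],
        }
    }


if __name__ == "__main__":
    tags = load_service_tags(SAMPLE_SERVICE_TAGS_JSON)
    ranges = prefixes_for_tag(tags, "ApiManagement.WestEurope")
    print(json.dumps(network_rule_set(ranges), indent=2))
```

Run it against the real file by replacing SAMPLE_SERVICE_TAGS_JSON with the downloaded document; the emitted properties body can be applied to the namespace's networkRuleSets resource in an ARM or Bicep deployment. IPv6 prefixes are dropped because the IP firewall accepts IPv4 CIDR masks, and a namespace has a cap on the number of IP rules, so a long regional list may not fit in one rule set.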

 

 

B. Allow trusted Microsoft services to bypass the firewall
API Management is on the list of trusted Microsoft services in the Service Bus documentation. Trusted-service access only applies when the service authenticates to the namespace with its managed identity, so besides ticking "Allow trusted Microsoft services to bypass this firewall" on the namespace's Networking page, follow the steps below.

a. Enable the system-assigned managed identity on the APIM instance.

b. Assign the Azure Service Bus Data Sender and/or Azure Service Bus Data Receiver role to the APIM managed identity on the Service Bus namespace (or, for least privilege, on only the queue or topic the API needs).

c. Use the managed identity in the API's inbound policy (the authentication-managed-identity policy) so the call to Service Bus carries an Azure AD token instead of a SAS key.
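The policy from step c, as an added example rather than the post's own screenshot content: it forwards an API operation to the Service Bus REST "send message" endpoint and authenticates with the APIM system-assigned identity. The namespace name contoso-sb and queue name orders are placeholders assumed for the example; the resource URI https://servicebus.azure.net is the audience Service Bus expects in the Azure AD token.

```xml
<policies>
    <inbound>
        <base />
        <!-- Target the Service Bus REST send endpoint:
             POST https://{namespace}.servicebus.windows.net/{queue}/messages
             (contoso-sb and orders are placeholder names for this example) -->
        <set-backend-service base-url="https://contoso-sb.servicebus.windows.net" />
        <rewrite-uri template="/orders/messages" copy-unmatched-params="false" />
        <set-method>POST</set-method>
        <!-- Acquire an Azure AD token for Service Bus with the APIM system-assigned
             identity. Without output-token-variable-name the policy itself sets the
             Authorization: Bearer header on the backend request. -->
        <authentication-managed-identity resource="https://servicebus.azure.net" />
        <!-- Never forward the caller's APIM subscription key to the backend -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
        <!-- Content type of the brokered message body -->
        <set-header name="Content-Type" exists-action="override">
            <value>application/json</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Callers still have to authenticate to APIM itself (subscription key, JWT validation or client certificate): the trusted-service bypass only lifts the network block between APIM and the namespace, and the managed identity can do no more than the Data Sender or Data Receiver role granted in step b allows.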
         

 

Updated Mar 09, 2022
Version 1.0