To help you secure your IoT solution from exposure to the public internet, we’re announcing two Azure IoT Hub features to support the virtual network (VNet) connectivity pattern:
- IoT Hub now supports Azure Private Link, enabling private device connectivity from within your virtual network.
- IoT Hub is now a trusted Microsoft service and supports managed identity. You can grant your IoT hub Azure role-based access control (RBAC) permissions on other Azure services, including Blob Storage, Event Hubs, and Service Bus, so that it connects to them without shared access keys.
You can use these features to bring your IoT hub into your private VNet and achieve network isolation. For example, you could configure your devices to communicate with IoT Hub over a private IP address and your routing destinations to block all internet traffic, but still receive data from IoT Hub. There’s no need for gateways, NAT devices, or public IP address firewall rules. All your IoT data can be isolated from the internet and stay within the Microsoft network.
IoT Hub supports Azure Private Link
IoT Hub’s support for Azure Private Link is generally available in all regions. With this feature, you can:
- Create a private endpoint in your VNet and map it to your IoT hub
- Connect your devices in your VNet to IoT Hub through private IP address
- Connect your on-premises devices to the IoT hub in the VNet using ExpressRoute or VPN
- Keep your network configuration simple by never opening it to the internet
- Close off IoT Hub to the internet while preserving private endpoint connectivity
IoT Hub is a trusted Microsoft service with Managed Identity
IoT Hub is now listed as a trusted Microsoft service by every service that supports first-party integration with IoT Hub, including Storage, Event Hubs, and Service Bus, once managed identity is turned on. This lets you:
- Grant your IoT hub specific permissions on other services using Azure RBAC
- Use the “Allow trusted Microsoft services…” setting on those services to connect your IoT hub to them without allowing all public inbound connections
- Connect your IoT hub to other services privately (without having to be in the same VNet, if desired)
Network isolation for IoT Hub
Traditionally, a large portion of IoT customers in the enterprise or manufacturing sectors operate devices deployed on an on-premises network managed by their organizations. An on-premises network typically uses private IP address ranges, which until now required device traffic to pass through a gateway (such as an HTTP gateway or a NAT device) to reach IoT Hub's public-facing endpoint over the internet.
While TLS already protects every IoT Hub connection in transit, many customers in manufacturing, healthcare, and other industries need additional protection for their sensitive IoT data. Specifically, they need to ensure that their cloud resources can only be reached from networks they own and control, and that packets never traverse the public internet. These customers can now adopt the VNet connectivity pattern to communicate with IoT Hub, as well as with other Azure services, and achieve end-to-end network isolation.
With VNet support, IoT Hub now offers network isolation for each of its interaction models:
- Client connectivity: customers can use Azure Private Link to map a private endpoint in a VNet to their IoT Hub resource. Devices and services in the same VNet connect using the endpoint’s private IP address, while clients on a different on-premises network reach that VNet over a VPN tunnel or ExpressRoute private peering. Once all IoT Hub traffic is sent over private endpoints, customers can block the public-facing endpoint altogether using the IP filter feature. Before doing so, confirm that every device and service resolves the hub's hostname to the private endpoint's IP address; any client that still resolves the public address will be cut off once the filter is applied.
- Routing: customers can grant IoT Hub access to downstream resources using Azure RBAC. This uses the trusted Microsoft service capability that several other Azure services already rely on. Using RBAC eliminates the need to maintain resource-level access keys and avoids managing key rollovers.
- Import/export jobs and file upload: customers can use RBAC so that IoT Hub, as a first-party trusted service, bypasses the network restrictions on the storage account used for these operations.
By controlling each of these connectivity scenarios, customers can ensure their IoT data is fully isolated from the public internet and can be accessed only from secured networks.
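The script below is added here as a worked example; it is not part of the original post or of Microsoft's documentation. It walks the client connectivity and routing scenarios above with the Azure CLI: create the private endpoint and the privatelink.azure-devices.net DNS zone so devices resolve the hub to a private IP, assign the hub a system-assigned identity and grant it RBAC on the routing storage account while restricting that account to trusted Microsoft services, and finally close the hub's public endpoint. Resource names are placeholders, and the CLI flags and the publicNetworkAccess property (used here in place of the IP filter rules mentioned above) are written from memory, so check them against `az <command> --help` for your CLI version before running. The two helper checks, is_private_ip and trusted_services_only, run offline and are the verification a practitioner should perform before shutting off public access.

```shell
#!/usr/bin/env bash
# Added example (not Microsoft's code): provision the VNet connectivity pattern
# for an IoT hub with the Azure CLI, then verify it from inside the VNet.
#   1. private endpoint + private DNS zone so <hub>.azure-devices.net resolves privately
#   2. system-assigned managed identity + RBAC on the routing storage account,
#      with the storage firewall set to "trusted Microsoft services only"
#   3. close the hub's public endpoint once every client resolves it privately
# Resource names are placeholders (assumption); override them via the environment.
set -eu

RG="${RG:-iot-vnet-rg}"
HUB="${HUB:-contoso-hub}"
VNET="${VNET:-contoso-vnet}"
SUBNET="${SUBNET:-devices}"
STORAGE="${STORAGE:-contosorouting}"
DNS_ZONE="privatelink.azure-devices.net"   # Private Link DNS zone for IoT Hub

# is_private_ip <ipv4>: succeed when the address lies in an RFC 1918 range.
# A device that resolves the hub to anything else is still going out over the internet.
is_private_ip() {
  local ip="$1"
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  case "$ip" in
    10.*)      return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      local second="${ip#172.}"
      second="${second%%.*}"
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
      return 1 ;;
  esac
  return 1
}

# trusted_services_only <defaultAction> <bypass>: succeed when a storage account denies
# public access but lets trusted Microsoft services (IoT Hub) through. Feed it the output of:
#   az storage account show -n "$STORAGE" -g "$RG" \
#     --query "[networkRuleSet.defaultAction, networkRuleSet.bypass]" -o tsv
trusted_services_only() {
  local action="$1" bypass="$2"
  [ "$action" = "Deny" ] || return 1
  case "$bypass" in
    *AzureServices*) return 0 ;;
  esac
  return 1
}

# Step 1: private endpoint for the hub plus the DNS zone and VNet link that make
# the hub's FQDN resolve to the endpoint's private IP for clients in the VNet.
create_private_link() {
  local hub_id
  hub_id=$(az iot hub show -n "$HUB" -g "$RG" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "${HUB}-pe" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$hub_id" \
    --group-id iotHub --connection-name "${HUB}-pe-conn"
  az network private-dns zone create -g "$RG" -n "$DNS_ZONE"
  az network private-dns link vnet create -g "$RG" -z "$DNS_ZONE" \
    -n "${VNET}-link" -v "$VNET" --registration-enabled false
  az network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "${HUB}-pe" -n default \
    --private-dns-zone "$DNS_ZONE" --zone-name iothub
}

# Step 2: give the hub an identity, grant that identity (not a shared key) rights on the
# storage account, then lock the account down to trusted Microsoft services only.
grant_routing_identity() {
  local principal_id sa_id
  az iot hub identity assign -n "$HUB" -g "$RG" --system-assigned
  principal_id=$(az iot hub identity show -n "$HUB" -g "$RG" --query principalId -o tsv)
  sa_id=$(az storage account show -n "$STORAGE" -g "$RG" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" --scope "$sa_id"
  az storage account update -n "$STORAGE" -g "$RG" \
    --default-action Deny --bypass AzureServices
}

# Step 3: shut the public endpoint. Run only after verify_private_path passes
# from a VNet-connected host; property name per the IoT Hub REST API (assumption).
close_public_endpoint() {
  az iot hub update -n "$HUB" -g "$RG" --set properties.publicNetworkAccess=Disabled
}

# verify_private_path: run from a host in the VNet (or over VPN/ExpressRoute). Checks that
# DNS returns a private IP for the hub and that a TLS handshake on 8883 (MQTT) reaches it.
verify_private_path() {
  local fqdn="${HUB}.azure-devices.net" ip
  ip=$(getent hosts "$fqdn" | awk '{print $1; exit}')
  if ! is_private_ip "$ip"; then
    echo "FAIL: $fqdn resolves to '$ip', not the private endpoint" >&2
    return 1
  fi
  echo "OK: $fqdn -> $ip"
  if openssl s_client -connect "$ip:8883" -servername "$fqdn" </dev/null >/dev/null 2>&1; then
    echo "OK: TLS handshake to $ip:8883 over the private path"
  else
    echo "FAIL: no TLS listener reachable at $ip:8883" >&2
    return 1
  fi
}

case "${1:-}" in
  provision) create_private_link; grant_routing_identity ;;
  verify)    verify_private_path ;;
  lockdown)  close_public_endpoint ;;
  *)         echo "usage: $0 provision|verify|lockdown" >&2 ;;
esac
```

Run `./iot-vnet.sh provision` (the file name is an assumption) from a workstation signed in with `az login`, then `./iot-vnet.sh verify` from a host inside the VNet or connected over VPN/ExpressRoute, and only then `./iot-vnet.sh lockdown`. If verify reports a public address, the VNet is not linked to the private DNS zone or the device uses a resolver outside the VNet. The hub's storage routing endpoint must then be created with identity-based rather than key-based authentication, so that the RBAC grant is what IoT Hub presents to the storage account.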
Getting started
To get started, refer to our full documentation at IoT Hub support for virtual networks.