IP Restrictions on Service Bus Standard and Basic
One thing that has frustrated me for some time with Azure Service Bus is that the network security features, such as Private Endpoints and Service Endpoints, are locked behind the premium SKU, which has a significant extra cost. I believe security features should not be locked behind expensive SKUs and should be available to anyone using the service, as they are with most other Azure services. This results in either paying extra for the premium SKU just for these features or running the cheaper SKU without the additional security features.
However, this week it was pointed out to me that it is possible to use the IP Allow List functionality of service endpoints with the standard or basic SKU. You still can’t use the network restriction functionality or Private Endpoints, but it provides some functionality at least.
This feature isn’t very well documented. Most of the docs talk about needing the Premium SKU for network restrictions, it’s also not configurable via the portal, and the rules don’t show up in the resource JSON. Given this, it’s not clear how supported this configuration is by Microsoft, so do bear this in mind. I will seek clarification on this. All of that said, it does work as expected.
The Service Bus docs have now been updated to indicate that using IP allow listing for the standard SKU is supported when using the non-portal methods, but the UI based management is only supported in the Premium tier.
Configure via CLI
To apply network restrictions using the CLI, you must first deploy the Service Bus namespace using whatever method you prefer. Then you can apply IP restrictions using this command:
az servicebus namespace network-rule add --namespace-name <namespace-name> --resource-group <resource-group-name> --action allow --ip-address <ip-address>
Once run, this will add the IP rule. You can repeat for as many rules as needed. The command should output the details of the IP restrictions.
Configure via Infrastructure as Code
IP restrictions can be enabled during deployment for the Service Bus Namespace using infrastructure as code languages.
Bicep
resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' = {
name: 'scnetworktesting1'
location: 'westeurope'
sku: {
name: 'Standard'
capacity: 1
tier: 'Standard'
}
}
resource sbIpRules 'Microsoft.ServiceBus/namespaces/networkRuleSets@2022-10-01-preview' = {
name: 'default'
parent: serviceBusNamespace
properties: {
defaultAction: 'Deny'
ipRules: [
{
action: 'Allow'
ipMask: '1.1.1.1'
}
]
publicNetworkAccess: 'Enabled'
}
}
Pulumi (C#)
var namespace = new AzureNative.ServiceBus.Namespace("namespace", new()
{
Location = "West Europe",
NamespaceName = "namespaceaname",
ResourceGroupName = rg.name,
Sku = new AzureNative.ServiceBus.Inputs.SBSkuArgs
{
Name = AzureNative.ServiceBus.SkuName.Standard,
Tier = AzureNative.ServiceBus.SkuTier.Standard,
},
});
Var namespaceNetworkRuleSet = new AzureNative.ServiceBus.NamespaceNetworkRuleSet("namespaceNetworkRuleSet", new()
{
DefaultAction = "Deny",
IpRules = new[]
{
new AzureNative.ServiceBus.Inputs.NWRuleSetIpRulesArgs
{
Action = "Allow",
IpMask = "1.1.1.1",
}
},
NamespaceName = namespace.name,
ResourceGroupName = rg.name
});
Terraform
resource "azurerm_servicebus_namespace" "example" {
name = "namespace name"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
sku = "Standard"
}
resource "azurerm_servicebus_namespace_network_rule_set" "example" {
namespace_id = azurerm_servicebus_namespace.example.id
default_action = "Deny"
public_network_access_enabled = true
ip_rules = ["1.1.1.1"]
}