IP Restrictions on Service Bus Standard and Basic

One thing that has frustrated me for some time with Azure Service Bus is that the network security features, such as Private Endpoints and Service Endpoints, are locked behind the premium SKU, which has a significant extra cost. I believe security features should not be locked behind expensive SKUs and should be available to anyone using the service, as they are with most other Azure services. This results in either paying extra for the premium SKU just for these features or running the cheaper SKU without the additional security features.

However, this week it was pointed out to me that it is possible to use the IP Allow List functionality of service endpoints with the standard or basic SKU. You still can’t use the network restriction functionality or Private Endpoints, but it provides some functionality at least.

This feature isn’t very well documented. Most of the docs talk about needing the Premium SKU for network restrictions, it’s also not configurable via the portal, and the rules don’t show up in the resource JSON. Given this, it’s not clear how supported this configuration is by Microsoft, so do bear this in mind. I will seek clarification on this. All of that said, it does work as expected.

Configure via CLI

To apply network restrictions using the CLI, you must first deploy the Service Bus namespace using whatever method you prefer. Then you can apply IP restrictions using this command:

az servicebus namespace network-rule add --namespace-name <namespace-name> --resource-group <resource-group-name> --action allow --ip-address <ip-address>

Once run, this will add the IP rule. You can repeat for as many rules as needed. The command should output the details of the IP restrictions.

Command Output

Configure via Infrastructure as Code

IP restrictions can be enabled during deployment for the Service Bus Namespace using infrastructure as code languages.

Bicep

resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' = {
  name: 'scnetworktesting1'
  location: 'westeurope'
  sku: {
    name: 'Standard'
    capacity: 1
    tier: 'Standard'
  }
 
}

resource sbIpRules 'Microsoft.ServiceBus/namespaces/networkRuleSets@2022-10-01-preview' = {
  name: 'default'
  parent: serviceBusNamespace
  properties: {
    defaultAction: 'Deny'
    ipRules: [
      {
        action: 'Allow'
        ipMask: '1.1.1.1'
      }
    ]
    publicNetworkAccess: 'Enabled'

  }
}

Pulumi (C#)

var namespace = new AzureNative.ServiceBus.Namespace("namespace", new()
    {
        Location = "West Europe",
        NamespaceName = "namespaceaname",
        ResourceGroupName = rg.name,
        Sku = new AzureNative.ServiceBus.Inputs.SBSkuArgs
        {
            Name = AzureNative.ServiceBus.SkuName.Standard,
            Tier = AzureNative.ServiceBus.SkuTier.Standard,
        },
    });

Var namespaceNetworkRuleSet = new AzureNative.ServiceBus.NamespaceNetworkRuleSet("namespaceNetworkRuleSet", new()
    {
        DefaultAction = "Deny",
        IpRules = new[]
        {
            new AzureNative.ServiceBus.Inputs.NWRuleSetIpRulesArgs
            {
                Action = "Allow",
                IpMask = "1.1.1.1",
            }
        },
        NamespaceName = namespace.name,
        ResourceGroupName = rg.name
        
    });

Terraform

resource "azurerm_servicebus_namespace" "example" {
  name                = "namespace name"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Standard"
}

resource "azurerm_servicebus_namespace_network_rule_set" "example" {
  namespace_id = azurerm_servicebus_namespace.example.id

  default_action                = "Deny"
  public_network_access_enabled = true

  ip_rules = ["1.1.1.1"]
}