4
votes

We are implementing a solution which involves third party systems accessing our Azure Service Bus, secured by SAS. As long as this SAS is secure, we're happy :)

But we want to limit the impact should the SAS be compromised. For Azure Storage, an SAS can be issued with an IP range filter which helps, but this is not supported for service bus.

Is there any way to limit access to the service bus based on IP address? This is especially an issue, in our case, for third party systems who should read from the service bus.

Would switching to ACS (which is an option for other reasons) help in any way?

2
Which Azure ACS do you mean? Azure Container Services? Access Control Service? – Erik Oppedijk

Sorry for not specifying, ErikOppedijk: Access Control Service – Christian Rygg

2 Answers

3
votes

I myself am still searching for a way to restrict access to Service Bus to a certain IP range. Until then, I have found a recommendation of a scenario that has, to a certain level, a similar effect.

The first part of the idea is to make SAS tokens very short-lived, like half an hour or less. The second is not to store those SAS tokens in source and configuration, but to make a REST service that hands them out. Now that token factory and hand-out service can be secured, among other measures, with restricted IP addresses.

Now, with SAS tokens out of configuration and source files, they are less likely to leak, and there is a much shorter time frame in which they can be abused.

Now there is a cost with more moving parts, but it seems not too steep a price. And the idea of getting security tokens out of config is probably well worth it on its own.

I have found the idea described here

It is a bit old (at least in cloud years), and there are some new developments like Azure Key Vault, and maybe it can be used to make the scenario better or easier.
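The short-lived token hand-out scheme this answer describes, as an added example (not code from the answer, from Azure's SDK, or from the linked post): a Python token factory that mints a Service Bus SAS token with a 30-minute TTL in the format Azure documents (HMAC-SHA256 over the URL-encoded resource URI and the Unix expiry, `sr`/`sig`/`se`/`skn` parameters), plus the check a receiving side performs so you can see an expired or tampered token stop verifying. The namespace, key name and key are constructed sample values; in a real hand-out service the key stays server-side and the token endpoint is the thing you restrict by IP.

```python
"""Mint and verify short-lived Azure Service Bus SAS tokens (added example)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, quote_plus

# Constructed sample values; a real key comes from the namespace's shared access policy.
RESOURCE_URI = "https://contoso-example.servicebus.windows.net/orders-queue"
KEY_NAME = "ThirdPartyListen"
KEY = "constructed-sample-key-not-a-real-secret"


def mint_sas_token(resource_uri, key_name, key, ttl_seconds=1800, now=None):
    """Build a Service Bus SAS token that expires ttl_seconds from now.

    Documented format:
      SharedAccessSignature sr=<uri>&sig=<sig>&se=<expiry>&skn=<key name>
    where sig = base64(HMAC-SHA256(key, urlencode(uri) + "\n" + expiry)).
    A hand-out service would call this per request with a short ttl.
    """
    now = int(time.time()) if now is None else int(now)
    expiry = now + ttl_seconds
    encoded_uri = quote_plus(resource_uri)
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    # The base64 signature is itself URL-encoded so '+', '/' and '=' survive transport.
    signature = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry}&skn={key_name}"


def verify_sas_token(token, key, now=None):
    """Check a token the way the receiving side does: structure, expiry, signature.

    Returns (ok, reason). This is what a short TTL buys: a leaked token stops
    verifying as soon as its `se` is in the past, whatever else the holder does.
    """
    now = int(time.time()) if now is None else int(now)
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "not a SAS token"
    # parse_qs undoes the URL encoding of sr and sig for us.
    params = parse_qs(token[len(prefix):], keep_blank_values=True)
    try:
        resource = params["sr"][0]
        signature = params["sig"][0]
        expiry = int(params["se"][0])
        params["skn"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed token"
    if expiry <= now:
        return False, "expired"
    # Recompute over the URL-encoded URI exactly as the issuer did.
    string_to_sign = f"{quote_plus(resource)}\n{expiry}".encode("utf-8")
    expected = base64.b64encode(
        hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    ).decode("ascii")
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000  # fixed clock so the run is reproducible
    token = mint_sas_token(RESOURCE_URI, KEY_NAME, KEY, ttl_seconds=1800, now=issued_at)
    print(token)
    print("right away:", verify_sas_token(token, KEY, now=issued_at))
    print("31 min later:", verify_sas_token(token, KEY, now=issued_at + 31 * 60))
```

The `skn` value is only a label; the receiving side selects which key to verify with based on it, so the hand-out service should issue tokens under a policy that carries only the rights (for example Listen) the third party needs.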

2
votes

Update: Azure Service Bus now has a preview of IP Filtering for Service Bus Premium and Event Hubs:

This feature allows users to control which IPs are accessing their resources. Some characteristics of this feature:

  • Rules allow you to specify accept and reject actions on IP masks.
  • The rules work with IPv4 addresses.
  • Rules are applied to the namespace level.
  • You can have multiple rules and they are applied in order.
  • The first rule that matches the IP address determines the accept or reject action.
  • Requests from IPs that are rejected receive an unauthorized response.

https://azure.microsoft.com/en-us/blog/ip-filtering-for-event-hubs-and-service-bus/

Alternative solution: You can add Azure API management in front of your service. https://azure.microsoft.com/en-us/documentation/articles/api-management-get-started/

Azure API management offers:

For an excellent example check out this blog post: http://blog.brauwers.nl/2014/05/29/exposing-a-service-bus-topic-using-azure-api-management/

For ACS, there is no development going on; most of the functionality has also been exposed/moved into Azure AD and Azure B2C.
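How the ordered, first-match-wins rule list described in the IP filtering part of this answer behaves, as an added example (not the service's own code or anything from Azure): a small IPv4 rule evaluator, plus a check for rules that an earlier, broader rule shadows so they can never match. The rules and client addresses are constructed samples from the TEST-NET ranges; what the service does when no rule matches is not stated in the post, so the default action here is an explicit parameter rather than an assumption about the service.

```python
"""Evaluate an ordered IPv4 accept/reject rule list, first match wins (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpRule:
    mask: str    # IPv4 network in CIDR form, e.g. "203.0.113.0/24"
    action: str  # "Accept" or "Reject"


# Constructed sample rule set: block one retired partner host, allow the
# partner's egress range, reject everything else.
RULES = [
    IpRule("203.0.113.10/32", "Reject"),
    IpRule("203.0.113.0/24", "Accept"),
    IpRule("0.0.0.0/0", "Reject"),
]


def evaluate_ip_rules(rules, client_ip, default_action="Reject"):
    """Return (action, matched_rule). Rules are tried in order; the first
    whose mask contains the client address decides. default_action applies
    when nothing matches (a parameter here, since the post does not say
    what the service does in that case)."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("rules work with IPv4 addresses only")
    for rule in rules:
        if addr in ipaddress.ip_network(rule.mask, strict=False):
            return rule.action, rule
    return default_action, None


def check_rule_order(rules):
    """Return rules that an earlier rule fully covers. Because the first match
    wins, such a rule is dead: e.g. a /32 Reject placed after the /24 Accept
    that contains it never fires."""
    shadowed = []
    seen = []
    for rule in rules:
        net = ipaddress.ip_network(rule.mask, strict=False)
        if any(net.subnet_of(earlier) for earlier in seen):
            shadowed.append(rule)
        seen.append(net)
    return shadowed


def response_for(rules, client_ip):
    """Map the decision to what a caller sees: rejected IPs get an unauthorized
    response, as the post states."""
    action, _ = evaluate_ip_rules(rules, client_ip)
    return 401 if action == "Reject" else 200


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.5"):
        print(ip, evaluate_ip_rules(RULES, ip), response_for(RULES, ip))
    # Swap the first two rules and the host-level Reject becomes unreachable.
    print("shadowed:", check_rule_order([RULES[1], RULES[0], RULES[2]]))
```

Run `check_rule_order` against a rule set before applying it: the most common mistake with first-match semantics is putting the broad Accept above the narrow Reject it was supposed to carve out.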