0 votes

In Azure, one can set a firewall on the SQL Database servers and prevent all connections trying to access it that don't appear in its whitelist from establishing a connection. I've searched for the same applied to Azure Service Bus but failed to find anything other than firewall configurations for the client to be able to accept connections coming from the service bus.

I'm trying to prevent certain IP addresses from accessing specific queues and relays to avoid different environments accessing other environments' resources by mistake. Currently we have two Azure workers in different cloud servers in Azure that need to connect with each other via a Relay. They get the connection string and keys to it via the Service.Configuration files, of which we have one for each environment: QA and Production. We also have one cloud service server for each environment for each worker. It has happened to us in the past that someone would accidentally deploy one of the workers to QA with the Production configuration file, causing it to interact with the Production relay instead of the QA relay, causing errors. This is what I was hoping to prevent using some sort of firewall: whitelist the Production Service Bus only for the Production Cloud services and the QA Service Bus to the QA Cloud services.

Thanks.

2
How about handing each department their own key (SAS)? – evilSnobu

@evilSnobu wouldn't work. I'll add more details to the post, but the problem is the following: I have two Azure workers communicating with each other in different servers through a relay, and they get the connection string and endpoints from the Service.Configuration files, of which we have one for each environment. We also have two different cloud services for each environment, each. It has happened to us that someone would accidentally deploy to the QA environment with Prod configurations and cause errors. That's what we want to prevent. – Heathcliff

Don't you have like a build server that attaches the right .cscfg config for the right env? You have a Bob or John that does that by hand? – evilSnobu

Maybe you need a gate before your QA becomes PROD. Compare connection strings with sane values that should be in for the target env. It can be a manual step in the release def, no shame in that. There's no way you can firewall Service Bus from Azure side, that's a given. – evilSnobu

@JornTheunissen No, sorry. We just handled this in the configuration files. – Heathcliff

2 Answers

1 vote

You can implement this by using Azure Service Bus IP Filters.

IP filter rules are applied in order and the first rule that matches the IP address determines the accept or reject action.

For example, if you want to accept addresses in the range 70.37.104.0/24 and reject everything else, the first rule in the grid should accept the address range 70.37.104.0/24. The next rule should reject all addresses by using the range 0.0.0.0/0.

Please refer to this Microsoft URL: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-ip-filtering
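The first-match evaluation this answer describes, as an added example that is not part of the answer or the Azure documentation: constructed rule lists (the answer's 70.37.104.0/24 range plus a made-up misordered variant), an evaluator that returns the action of the first matching rule, and a check for rules that can never fire because an earlier, broader rule precedes them. The default action when nothing matches is an assumption of this simulation, which is exactly why the answer adds an explicit 0.0.0.0/0 reject rule.

```python
import ipaddress
from typing import Iterable, List, Tuple

Rule = Tuple[str, str]  # (CIDR range, "Accept" | "Reject")

# Constructed rule lists, not taken from any real namespace.
# Rules are evaluated top to bottom; the first matching rule decides.
PRODUCTION_RULES: List[Rule] = [
    ("70.37.104.0/24", "Accept"),  # range quoted in the answer
    ("0.0.0.0/0", "Reject"),       # explicit catch-all, as the answer recommends
]

# Same two rules with the catch-all first: every address is rejected.
MISORDERED_RULES: List[Rule] = [
    ("0.0.0.0/0", "Reject"),
    ("70.37.104.0/24", "Accept"),
]


def evaluate(client_ip: str, rules: Iterable[Rule], default: str = "Accept") -> str:
    """Return the action of the first rule whose range contains client_ip.

    `default` applies only when no rule matches; it is an assumption of this
    simulation, so production rule sets should end with an explicit catch-all.
    """
    ip = ipaddress.ip_address(client_ip)
    for cidr, action in rules:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return action
    return default


def shadowed_rules(rules: Iterable[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule's range
    already covers their whole range (e.g. anything placed after 0.0.0.0/0).
    Useful as a pre-deployment sanity check on an ordered filter list."""
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr, _ in rules]
    shadowed = []
    for i, net in enumerate(nets):
        earlier = (n for n in nets[:i] if n.version == net.version)
        if any(net.subnet_of(n) for n in earlier):
            shadowed.append(i)
    return shadowed


if __name__ == "__main__":
    # A Production worker address is accepted, a QA-range address is rejected.
    print(evaluate("70.37.104.17", PRODUCTION_RULES))    # Accept
    print(evaluate("70.37.105.17", PRODUCTION_RULES))    # Reject
    print(evaluate("70.37.104.17", MISORDERED_RULES))    # Reject
    print(shadowed_rules(MISORDERED_RULES))               # [1]
```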

1 vote

I appreciate I have come to your question a long while after it was asked, but for the sake of anyone else who follows my route...

This is (now) possible provided your Azure Service Bus' SKU is Premium and is configured in a similar manner as Azure SQL.

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-ip-filtering

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-service-endpoints - Contains the structure of the virtualNetworkRules