Virtual Network architecture 6 - Service Bus Private Endpoint
Kohei Kawata
Posted on August 29, 2022
Summary
This article is Part 6 of the virtual network architecture series and covers the details of the private endpoint for Azure Service Bus in api-management-vnet.
- Virtual Network architecture 1 - Do I need virtual network?
- Virtual Network architecture 2 - Deployment pipelines
- Virtual Network architecture 3 - Key Vault Private Endpoint
- Virtual Network architecture 4 - SQL Database Private Endpoint
- Virtual Network architecture 5 - App Service Private Endpoint
- Virtual Network architecture 6 - Service Bus Private Endpoint
- Virtual Network architecture 7 - Self-hosted agent
Private Endpoint configuration
- Private Endpoint: Deploy the private endpoint and connect it to Service Bus and its subnet in PrivateEndpoint.bicep.

```bicep
// Values passed in from the calling template:
//   ServiceBusId: existingSb.id
//   VirtualNetwork3SubnetIdSb: existingVnet3.properties.subnets[0].id
param ServiceBusId string
param VirtualNetwork3SubnetIdSb string

resource PrivateEndpointSb 'Microsoft.Network/privateEndpoints@2021-03-01' = {
  name: 'PrivateEndpointSb'          // name and location are assumed values; the snippet omits them
  location: resourceGroup().location
  properties: {
    privateLinkServiceConnections: [
      {
        name: 'PrivateEndpointSb-conn'  // connection name is an assumed value
        properties: {
          privateLinkServiceId: ServiceBusId
          // 'namespace' is the sub-resource (group ID) a Service Bus namespace exposes
          groupIds: [
            'namespace'
          ]
        }
      }
    ]
    subnet: {
      id: VirtualNetwork3SubnetIdSb
      properties: {
        privateEndpointNetworkPolicies: 'Enabled'
      }
    }
  }
}
```
- Private DNS: Deploy Private DNS with the DNS name privatelink.servicebus.windows.net in PrivateDns2.bicep.

```bicep
var pdns_name_sb = 'privatelink.servicebus.windows.net'

// Private DNS zones are global, not regional
resource PrivateDnsSb 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: pdns_name_sb
  location: 'global'
}
```
- Virtual network link: Link the deployed Private DNS to virtual network 3, where the Service Bus private endpoint resides, and to virtual network 2, so that Azure Functions can access the Service Bus topic, in PrivateDns2.bicep. Virtual networks 2 and 3 are connected with Virtual Network Peering.

```bicep
// Values passed in from the calling template:
//   VirtualNetwork2Id: existingVnet2.id
//   VirtualNetwork3Id: existingVnet3.id
param VirtualNetwork2Id string
param VirtualNetwork3Id string

// registrationEnabled is false: the endpoint's A record is created explicitly,
// not auto-registered by VMs in the linked network
resource VnetLinkSb2 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${PrivateDnsSb.name}/${PrivateDnsSb.name}-link2'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: VirtualNetwork2Id
    }
  }
}

resource VnetLinkSb3 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${PrivateDnsSb.name}/${PrivateDnsSb.name}-link3'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: VirtualNetwork3Id
    }
  }
}
```
- Private DNS A record: Create a DNS A record and set it to the IP address of the deployed private endpoint in PrivateDns2.bicep.

```bicep
// In PrivateEndpoint.bicep: expose the address Azure assigned to the endpoint NIC
output PrivateEndpointSbIpAddress string = PrivateEndpointSb.properties.customDnsConfigs[0].ipAddresses[0]
```

```bicep
// In PrivateDns2.bicep: the output above and the namespace name are passed in as parameters
param PrivateEndpointSbIpAddress string
param ServiceBusName string

// Creates <ServiceBusName>.privatelink.servicebus.windows.net -> private endpoint IP
resource PrivateDnsASb 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  name: '${PrivateDnsSb.name}/${ServiceBusName}'
  properties: {
    ttl: 3600
    aRecords: [
      {
        ipv4Address: PrivateEndpointSbIpAddress
      }
    ]
  }
}
```
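The same wiring as the four steps above in a single template, as an added example that is not from the original post: the zone is attached to the endpoint through a privateDnsZoneGroup, so Azure creates and keeps the A record in privatelink.servicebus.windows.net current itself instead of the IP being copied out of customDnsConfigs. The parameter names and the pe-sb / sb-link resource names are assumptions.

```bicep
param location string = resourceGroup().location
param serviceBusName string  // existing Premium namespace (assumed parameter name)
param vnet3Id string         // virtual network 3, where the endpoint lives
param subnetName string      // subnet in virtual network 3 that hosts the endpoint
param functionsVnetId string // virtual network 2 (peered), running Azure Functions
var pdnsNameSb = 'privatelink.servicebus.windows.net'
resource existingSb 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' existing = {
  name: serviceBusName
}
resource privateDnsSb 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: pdnsNameSb
  location: 'global'
}
// One link per peered network; auto-registration stays off, the endpoint owns the record
resource vnetLinksSb 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (vnetId, i) in [vnet3Id, functionsVnetId]: {
  parent: privateDnsSb
  name: 'sb-link${i}'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnetId }
  }
}]
resource privateEndpointSb 'Microsoft.Network/privateEndpoints@2021-03-01' = {
  name: 'pe-sb'
  location: location
  properties: {
    subnet: { id: '${vnet3Id}/subnets/${subnetName}' }
    privateLinkServiceConnections: [
      {
        name: 'pe-sb-conn'
        properties: {
          privateLinkServiceId: existingSb.id
          groupIds: [ 'namespace' ]
        }
      }
    ]
  }
}
// Azure writes <namespace>.privatelink.servicebus.windows.net -> endpoint NIC IP
// into the zone and updates it if the endpoint is recreated
resource dnsZoneGroupSb 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-03-01' = {
  parent: privateEndpointSb
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'servicebus'
        properties: { privateDnsZoneId: privateDnsSb.id }
      }
    ]
  }
}
```

After deployment, a client inside either linked network should resolve `<namespace>.servicebus.windows.net` through a CNAME to the privatelink name and get the endpoint's private address; a public address means the zone is not linked to that network.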
Public network access
Public network access is disabled in ServiceBus2.bicep, so all access other than through the Private Endpoint is denied.

```bicep
resource ServiceBus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {
  name: 'ServiceBus'                 // name and location are assumed values; the snippet omits them
  location: resourceGroup().location
  sku: {
    name: 'Premium'   // Private Endpoint requires the Premium tier
  }
  properties: {
    // Blocks the public servicebus.windows.net endpoint; only private endpoint traffic is accepted
    publicNetworkAccess: 'Disabled'
  }
}
```
Support tier
According to the Microsoft documentation for Azure Service Bus Private Endpoint, only the Premium tier supports the Private Endpoint feature.