Secure Connection to Azure Event Hub via Public Endpoint: Firewall Configuration Best Practices

Question

Secure Connection to Azure Event Hub via Public Endpoint: Firewall Configuration Best Practices

Suki Azure 66

We have an Azure tenant and subscription (ABC) with the following services running: Azure Firewall, Azure Event Hub, and Databricks. My customer is in a separate tenant and subscription (XYZ) and needs to send data to our Azure Event Hub via a Public Endpoint (Private Endpoint is not an option in this case).

I have received the customer's public IP address and added it to the Azure Event Hub Networking Firewall under "Add IP ranges to allow access from the internet or your on-premises networks."

Questions:

Is adding the customer's public IP to the Azure Event Hub Networking Firewall sufficient for secure connectivity?

Do I need to create an Azure Firewall Network Rule as well?

How do I create this rule? Should I configure a Network Rule or an Application Rule in Azure Firewall?

By creating this rule, how does Azure Firewall route traffic to Azure Event Hub?

When both the Azure Firewall Network Rule and Azure Event Hub Firewall whitelist are properly configured, is this considered a best practice? What are the pros and cons of this approach?

Looking forward to insights and recommendations on this scenario.

Marten Theunissen 676 Reputation points

2025-03-24T11:58:13.3833333+00:00

Yes, configuring both Azure Firewall Network Rules and Azure Event Hub Firewall whitelists is considered a best practice for securing connectivity. Here are the pros and cons of this approach:

Pros

Enhanced Security:

Layered Protection: Multiple layers of security reduce the risk of unauthorized access.

IP Restriction: Only trusted sources can connect to your Event Hub.

Granular Control:

Fine-Grained Access: Precise rules for inbound and outbound traffic.

Customizable Rules: Tailor rules to your specific security needs.

Compliance:

Regulatory Compliance: Helps meet data protection and security standards.

Cons

Complexity:

Configuration Complexity: Managing multiple firewall rules can be time-consuming.

Maintenance: Regular updates and maintenance are required.

Performance Impact:

Latency: Firewall rules can introduce latency.

Resource Consumption: Firewalls consume resources, impacting performance.

Potential for Misconfiguration:

Risk of Errors: Incorrectly configured rules can lead to access issues.

Troubleshooting: Resolving firewall-related issues can be challenging.
Chandra Boorla 12,085 Reputation points Microsoft External Staff

2025-03-25T19:35:59.0133333+00:00

@Suki Azure

Just checking in to see if the below answer provided by @ Alex Burlachenko helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Accepted answer

1 additional answer

Your answer

Marten Theunissen 676 Reputation points

2025-03-24T11:58:13.3833333+00:00

Yes, configuring both Azure Firewall Network Rules and Azure Event Hub Firewall whitelists is considered a best practice for securing connectivity. Here are the pros and cons of this approach:

Pros

Enhanced Security:

Layered Protection: Multiple layers of security reduce the risk of unauthorized access.

IP Restriction: Only trusted sources can connect to your Event Hub.

Granular Control:

Fine-Grained Access: Precise rules for inbound and outbound traffic.

Customizable Rules: Tailor rules to your specific security needs.

Compliance:

Regulatory Compliance: Helps meet data protection and security standards.

Cons

Complexity:

Configuration Complexity: Managing multiple firewall rules can be time-consuming.

Maintenance: Regular updates and maintenance are required.

Performance Impact:

Latency: Firewall rules can introduce latency.

Resource Consumption: Firewalls consume resources, impacting performance.

Potential for Misconfiguration:

Risk of Errors: Incorrectly configured rules can lead to access issues.

Troubleshooting: Resolving firewall-related issues can be challenging.
Chandra Boorla 12,085 Reputation points Microsoft External Staff

2025-03-25T19:35:59.0133333+00:00

@Suki Azure

Just checking in to see if the below answer provided by @ Alex Burlachenko helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Alex Burlachenko 4,550

Hi, Suki Azure,

I would like simple add answers of my collogues and answer to urs Q.

Is adding the customer's public IP to the Event Hub firewall sufficient?

Yes, but with caveats:

Provides basic IP-based access control
Lacks advanced security features (threat inspection, logging)
Recommended to combine with SAS tokens for production workloads

Do I need an Azure Firewall rule too?

Recommended for:
- Additional security layer
- Traffic logging/monitoring
- Future scalability (if more partners need access)

How to create the firewall rule? Use an Application Rule (not Network Rule):

# Create Application Rule

How does traffic flow with Azure Firewall?!

Traffic path: Customer ->Azure Firewall (inspection) -> Event Hub
Requires:
1. A Route Table directing Event Hub traffic to Azure Firewall
2. Firewall's public IP as the allowed IP in Event Hub firewall
3. NAT rule if using Firewall's public IP (optional)

And at the end links for official MSFT doc's

Azure Event Hub IP Filtering (Your Current Setup)
- Restrict access to Event Hubs using IP addresses
- Covers basic IP whitelisting configuration
Azure Firewall Integration
- Azure Firewall application rules
- Explains FQDN-based filtering for services like Event Hub
Combined Architecture
- Secure Azure PaaS services with Azure Firewall
- Specifically covers securing Event Hub behind Azure Firewall
Routing Configuration
- Forced tunneling through Azure Firewall
- Explains how to route traffic properly
Advanced Security
- Event Hub network security best practices
- Includes SAS token recommendations
Cross-Tenant Considerations
- Microsoft Entra ID for cross-tenant access

Hope that's will finally show u all clear picture.

Best regards,

Alex

P.S. If my answer help to you, please Accept my answer

Alex Burlachenko 4,550

# Create Application Rule
$rule = New-AzFirewallApplicationRule -Name "AllowEventHub" -Protocol "https:443" -SourceAddress "Customer.IP.Address" -TargetFqdn "your-eventhub.servicebus.windows.net"
$ruleCollection = New-AzFirewallApplicationRuleCollection -Name "EventHubRules" -Priority 100 -Rule $rule -ActionType "Allow"
$azfw = Get-AzFirewall -Name "Your-Firewall"
$azfw.ApplicationRuleCollections = $ruleCollection
Set-AzFirewall -AzureFirewall $azfw

Suki Azure 66 Reputation points

2025-03-25T14:50:17.25+00:00

Thank you for the detailed explanation. I would like to confirm the steps required from our end:

Configure an Azure Firewall Application Rule, where the source is the customer's IP range, and the destination is the Azure Event Hub over ports 5671 and 443.

Additionally, I have a clarification: We have shared our public IP and the FQDN of the Azure Event Hub with the customer for sending messages. In this scenario, how does the traffic route through the Azure Firewall?

This environment has been operational for nearly six months, and my objective is to validate whether all traffic is currently enforced through the Azure Firewall. If not, I will need to implement the necessary configurations.

Could you please assist in verifying this setup and implement if not in place?

Appreciate your support.
Alex Burlachenko 4,550 Reputation points

2025-03-25T15:03:41.85+00:00

Dear Suki,
to verify if traffic is currently routed through Azure Firewall and enforce it if not, check if traffic bypasses the firewall by examining Azure Firewall logs for Event Hub FQDN activity if no logs appear, traffic is likely going directly to Event Hub. To enforce firewall routing, you'll need to reconfigure DNS so the customer resolves the Event Hub FQDN to your firewall's public IP instead of the original endpoint, then create proper firewall rules allowing ports 5671 and 443 for the Event Hub FQDN from the customer's IP range. Additionally, configure route tables to ensure all traffic from the Event Hub subnet is forced through the firewall. For full validation, temporarily create a deny rule for Event Hub traffic if messages still flow, your configuration is not properly enforced. The key is ensuring DNS resolution points to the firewall and all network paths are correctly routed through it. I'm sure u well know PowerShell commands ....
rgds,

Alex

P.S. If my answer help to you, please Accept my answer

P.P.S. just in cases if it will help links for Microsoft doc's
Azure Firewall Rule Processing https://learn.microsoft.com/en-us/azure/firewall/rule-processing

Explains how application rules and NAT rules work in Azure Firewall

Forced Tunneling Configuration https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling

Guides on configuring route tables to force traffic through Azure Firewall

Azure Firewall Diagnostics https://learn.microsoft.com/en-us/azure/firewall/firewall-diagnostics

Shows how to monitor and troubleshoot firewall traffic using logs

Event Hub Network Security https://learn.microsoft.com/en-us/azure/event-hubs/network-security

Covers IP filtering and private endpoint configurations

Azure Firewall with Application Rules https://learn.microsoft.com/en-us/azure/firewall/features#application-rules

Details how to configure FQDN-based filtering

User-Defined Routes (UDR) https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Explains how to create route tables for traffic redirection

Sure that docswill help you verify and implement proper traffic routing through Azure Firewall for urs scenario.

Answer 2

Adding the customer's public IP to the Azure Event Hub Networking Firewall is a good step towards securing connectivity, but it may not be sufficient on its own. Here are some additional best practices to ensure secure connectivity:

Best Practices for Secure Connectivity

IP Firewall Rules:

Configure IP firewall rules to restrict access to specific IPv4 or IPv6 addresses or address ranges in CIDR notation. This helps ensure that only traffic from known and trusted IP addresses can access your Event Hub.

Virtual Network Service Endpoints:

Integrate Event Hubs with Virtual Network Service Endpoints to enable secure access from workloads bound to virtual networks. This ensures that network traffic is secured on both ends and only authorized subnets can access the Event Hub.

Private Endpoints:

Use private endpoints to connect securely to your Event Hub. Private endpoints allow you to access Azure services over a private IP address within your virtual network.

Service Tags:

Utilize service tags to define network access controls on network security groups or Azure Firewall. Service tags represent a group of IP address prefixes from a given Azure service, simplifying the management of frequent updates to network security rules.

Network Security Groups (NSGs):

Implement NSGs to control inbound and outbound traffic to your Event Hub. NSGs can be used to create rules that allow or deny traffic based on IP addresses, ports, and protocols.

Azure Defender for Event Hubs:

Enable Azure Defender for Event Hubs to provide advanced threat protection and security monitoring. This helps detect and respond to potential security threats in real-time.

Share via

Secure Connection to Azure Event Hub via Public Endpoint: Firewall Configuration Best Practices

1 additional answer

Your answer