DEV Community

Kohei Kawata

Virtual Network architecture 6 - Service Bus Private Endpoint

Summary

This article is Part 6 of the virtual network architecture series and covers the details of the Private Endpoint for Azure Service Bus in api-management-vnet.

Private Endpoint configuration

  • Private Endpoint: Deploy the private endpoint and connect it to the Service Bus namespace and to its subnet in PrivateEndpoint.bicep. The module receives the namespace ID and the subnet ID from the calling template:
ServiceBusId: existingSb.id
VirtualNetwork3SubnetIdSb: existingVnet3.properties.subnets[0].id

param ServiceBusId string
param VirtualNetwork3SubnetIdSb string
param location string = resourceGroup().location

resource PrivateEndpointSb 'Microsoft.Network/privateEndpoints@2021-03-01' = {
  name: 'PrivateEndpointSb'   // resource name is not shown in the post; assumed
  location: location
  properties: {
    privateLinkServiceConnections: [
      {
        name: 'PrivateEndpointSb-connection'   // connection name is not shown in the post; assumed
        properties: {
          // Target resource: the Service Bus namespace
          privateLinkServiceId: ServiceBusId
          // 'namespace' is the sub-resource Service Bus exposes over Private Link
          groupIds: [
            'namespace'
          ]
        }
      }
    ]
    subnet: {
      id: VirtualNetwork3SubnetIdSb
      properties: {
        // Network policies are a setting of the subnet itself; 'Enabled' means the
        // subnet's NSG rules also apply to traffic sent to the private endpoint
        privateEndpointNetworkPolicies: 'Enabled'
      }
    }
  }
}
  • Private DNS: Deploy a Private DNS zone named privatelink.servicebus.windows.net in PrivateDns2.bicep. The zone name must be exactly this one, because the public name <namespace>.servicebus.windows.net resolves through a CNAME to <namespace>.privatelink.servicebus.windows.net, and that is the name the zone has to answer for.
var pdns_name_sb = 'privatelink.servicebus.windows.net'

resource PrivateDnsSb 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: pdns_name_sb
  location: 'global'   // Private DNS zones are global resources
}
  • Virtual network link: Link the deployed Private DNS zone to virtual network 3, where the private endpoint resides, and to virtual network 2, so that Azure Functions can reach the Service Bus topic through the private endpoint, in PrivateDns2.bicep. Virtual networks 2 and 3 are connected with Virtual Network Peering. Peering alone does not share DNS zones, so every virtual network that must resolve the namespace to the private IP needs its own link.
VirtualNetwork2Id: existingVnet2.id
VirtualNetwork3Id: existingVnet3.id

param VirtualNetwork2Id string
param VirtualNetwork3Id string

resource VnetLinkSb2 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${PrivateDnsSb.name}/${PrivateDnsSb.name}-link2'
  location: 'global'
  properties: {
    registrationEnabled: false   // no auto-registration of VM names; the zone only holds the Private Link record
    virtualNetwork: {
      id: VirtualNetwork2Id
    }
  }
}

resource VnetLinkSb3 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${PrivateDnsSb.name}/${PrivateDnsSb.name}-link3'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: VirtualNetwork3Id
    }
  }
}
  • Private DNS A record: Create a DNS A record and set its IP address from the deployed private endpoint in PrivateDns2.bicep. The private IP is exposed as an output of PrivateEndpoint.bicep and passed into PrivateDns2.bicep as a parameter. Because the record is written by hand, it has to be redeployed if the private endpoint is ever recreated with a different address.
// In PrivateEndpoint.bicep
output PrivateEndpointSbIpAddress string = PrivateEndpointSb.properties.customDnsConfigs[0].ipAddresses[0]

// In PrivateDns2.bicep
param ServiceBusName string
param PrivateEndpointSbIpAddress string

// Record name <ServiceBusName>.privatelink.servicebus.windows.net, which is what the
// public name of the namespace resolves to via CNAME
resource PrivateDnsASb 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  name: '${PrivateDnsSb.name}/${ServiceBusName}'
  properties: {
    ttl: 3600
    aRecords: [
      {
        ipv4Address: PrivateEndpointSbIpAddress
      }
    ]
  }
}

Public network access

Public network access is disabled in ServiceBus2.bicep, so every connection that does not arrive through the Private Endpoint is refused, including clients outside the linked virtual networks and the data-plane tools in the Azure portal.

param ServiceBusName string
param location string = resourceGroup().location

resource ServiceBus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {
  name: ServiceBusName   // name and location are not shown in the post; assumed parameters
  location: location
  sku: {
    name: 'Premium'   // private endpoints require the Premium tier
    tier: 'Premium'
  }
  properties: {
    publicNetworkAccess: 'Disabled'   // only Private Link connections are accepted
  }
}

Support tier

According to the Microsoft documentation for Azure Service Bus Private Endpoint, only the Premium tier supports private endpoints, which is why the namespace above is deployed with the Premium SKU.
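
As an added example that is not code from the original post or the api-management-vnet repository, the following Bicep module puts the steps above into one file: the Premium namespace with public network access disabled, the private endpoint with groupIds 'namespace', the Private DNS zone and a link per virtual network. It swaps the hand-maintained A record for a privateDnsZoneGroup, which has Azure create and maintain the privatelink record from the private endpoint itself. The parameter names (serviceBusName, privateEndpointSubnetId, linkedVnetIds) and the resource names are assumptions; the post does not show them.

```bicep
// Added example, not code from the original post or its repository: one module
// that deploys the Service Bus namespace and its private endpoint together.
// Parameter and resource names are assumptions; API versions match the series.
param location string = resourceGroup().location
param serviceBusName string            // assumed: globally unique namespace name
param privateEndpointSubnetId string   // assumed: private endpoint subnet in virtual network 3
param linkedVnetIds array              // assumed: IDs of virtual networks 2 and 3

var privateDnsZoneName = 'privatelink.servicebus.windows.net'

// Premium is the only tier that supports private endpoints. With public network
// access disabled, the private endpoint is the only data-plane entry point.
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {
  name: serviceBusName
  location: location
  sku: {
    name: 'Premium'
    tier: 'Premium'
    capacity: 1
  }
  properties: {
    publicNetworkAccess: 'Disabled'
  }
}

// The connection is approved automatically when the deploying identity has
// approval rights on the namespace; a target it cannot approve (for example in
// another subscription) stays in "Pending" until approved on the namespace.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-03-01' = {
  name: 'pe-${serviceBusName}'
  location: location
  properties: {
    subnet: {
      id: privateEndpointSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'pe-${serviceBusName}-connection'
        properties: {
          privateLinkServiceId: serviceBus.id
          groupIds: [
            'namespace'
          ]
        }
      }
    ]
  }
}

resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: privateDnsZoneName
  location: 'global'
}

// One link per virtual network that must resolve the namespace to the private
// IP; peering does not share DNS zones. registrationEnabled stays false so the
// zone only ever holds the Private Link record.
resource vnetLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (vnetId, i) in linkedVnetIds: {
  parent: privateDnsZone
  name: '${privateDnsZoneName}-link${i}'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnetId
    }
  }
}]

// Replaces the hand-written A record of the post: Azure writes
// <namespace>.privatelink.servicebus.windows.net from the endpoint's NIC and
// updates it when the endpoint is redeployed with a different address.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-03-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink-servicebus'
        properties: {
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
}
```

After deployment, run nslookup <namespace>.servicebus.windows.net from a VM or Function inside virtual network 2 or 3: the answer should be a CNAME to <namespace>.privatelink.servicebus.windows.net followed by an address from the private endpoint subnet. From outside those networks the name still resolves to a public address, and the connection is rejected because public network access is disabled.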
