Virtual Network architecture 6 - Service Bus Private Endpoint

Summary

This article is Part.6 of virtual network architecture series that includes the details of the private endpoint Azure Service Bus in api-management-vnet.

• Virtual Network architecture 1 - Do I need virtual network?
• Virtual Network architecture 2 - Deployment pipelines
• Virtual Network architecture 3 - Key Vault Private Endpoint
• Virtual Network architecture 4 - SQL Database Private Endpoit
• Virtual Network architecture 5 - App Service Private Endpoint
• Virtual Network architecture 6 - Service Bus Private Endpoint
• Virtual Network architecture 7 - Self-hosted agent

TOC

• Private Endpoint configuration
• Public network access
• Support tier

Private Endpoint configuration

• Private Endpoint: Deploy the private endpoint and connect it to Service Bus and its subnet in PrivateEndpoint.bicep.

ServiceBusId:existingSb.id
VirtualNetwork3SubnetIdSb:existingVnet3.properties.subnets[0].id

resource PrivateEndpointSb 'Microsoft.Network/privateEndpoints@2021-03-01' = {
  properties: {
    privateLinkServiceConnections: [
      {
        properties: {
          privateLinkServiceId: ServiceBusId
          groupIds: [
            'namespace'
          ]
        }
      }
    ]
    subnet: {
      id: VirtualNetwork3SubnetIdSb
      properties: {
        privateEndpointNetworkPolicies: 'Enabled'
      }
    }
  }
}

• Private DNS: Deploy Private DNS with the DNS name privatelink.servicebus.windows.net in PrivateDns2.bicep.

var pdns_name_sb = 'privatelink.servicebus.windows.net'

resource PrivateDnsSb 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: pdns_name_sb
  location: 'global'
}

• Virtual network link: Link the deployed Private DNS to the virtual network 3 where the Service Bus resides and the virtual network 2 so Azure Functions can access the Service Bus topic in PrivateDns2.bicep. The virtual network 2 and 3 are connected with Virtual Network Peering.

VirtualNetwork2Id:existingVnet2.id
VirtualNetwork3Id:existingVnet3.id

resource VnetLinkSb2 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${PrivateDnsSb.name}/${PrivateDnsSb.name}-link2'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: VirtualNetwork2Id
    }
  }
}

resource VnetLinkSb3 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${PrivateDnsSb.name}/${PrivateDnsSb.name}-link3'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: VirtualNetwork3Id
    }
  }
}

• Private DNS A record: Create a DNS A record and set the IP address from the deployed private endpoint in PrivateDns2.bicep.

output PrivateEndpointSbIpAddress string = PrivateEndpointSb.properties.customDnsConfigs[0].ipAddresses[0]

resource PrivateDnsASb 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  name: '${PrivateDnsSb.name}/${ServiceBusName}'
  properties: {
    ttl: 3600
    aRecords: [
      {
        ipv4Address: PrivateEndpointSbIpAddress
      }
    ]
  }
}

Public network access

Public network access is disabled in ServiceBus2.bicep so all access except through the Private Endpoint are denied.

resource ServiceBus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {
  sku: {
    name: 'Premium'
  }
  properties: {
    publicNetworkAccess: 'Disabled'
  }
}

Support tier

According to the Microsoft documentation Azure Service Bus Private Endpoint, only Premium tier supports Azure Service Bus Private Endpoint feature.