Export data to a secure destination on an Azure Virtual Network
Data export in IoT Central lets you continuously stream device data to destinations such as Azure Blob Storage, Azure Event Hubs, Azure Service Bus Messaging, or Azure Data Explorer. You can lock down these destinations by using Azure Virtual Network and private endpoints.
Currently, it's not possible to connect an IoT Central application directly to a virtual network for data export. However, because IoT Central is a trusted Azure service, it's possible to configure an exception to the firewall rules and connect to a secure destination on a virtual network. In this scenario, you typically use a managed identity to authenticate and authorize with the destination.
Prerequisites
An IoT Central application. To learn more, see Create an IoT Central application.
Data export configured in your IoT Central application to send device data to a destination such as Azure Blob Storage, Azure Event Hubs, Azure Service Bus, or Azure Data Explorer. The destination must be configured to use a managed identity. To learn more, see Export IoT data to cloud destinations using Blob Storage.
Configure the destination service
To configure Azure Blob Storage to use a virtual network and private endpoint, see:
To configure Azure Event Hubs to use a virtual network and private endpoint, see:
- Allow access to Azure Event Hubs namespaces from specific virtual networks
- Allow access to Azure Event Hubs namespaces via private endpoints
To configure Azure Service Bus Messaging to use a virtual network and private endpoint, see:
- Allow access to Azure Service Bus namespace from specific virtual networks
- Allow access to Azure Service Bus namespaces via private endpoints
Configure the firewall exception
To allow IoT Central to connect to a destination on a virtual network, enable a firewall exception on the virtual network to allow connections from trusted Azure services.
To configure the exception in the Azure portal for Azure Blob Storage, navigate to Networking > Firewalls and virtual networks. Then select Allow Azure services on the trusted services list to access this storage account.
To configure the exception in the Azure portal for Azure Event Hubs, navigate to Networking > Public access. Then select Yes to allow trusted Microsoft services to bypass this firewall.
To configure the exception in the Azure portal for Azure Service Bus, navigate to Networking > Public access. Then select Yes to allow trusted Microsoft services to bypass this firewall.
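The same lockdown expressed as infrastructure code, as an added example that is not part of this article or of IoT Central itself: a Bicep template that denies public access to a Blob Storage account and an Event Hubs namespace by default, keeps only the trusted-services exception open, and grants the IoT Central application's managed identity the role it needs on the storage account. The parameter iotCentralPrincipalId is assumed to be supplied by the deployer from the application's system-assigned identity; the storage account and namespace names are placeholders.

```bicep
param location string = resourceGroup().location
param storageAccountName string
param eventHubNamespaceName string
param iotCentralPrincipalId string   // object ID of the IoT Central managed identity (supplied by deployer)

// Well-known built-in role: Storage Blob Data Contributor
var storageBlobDataContributor = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: false          // no account keys; identity-based auth only
    networkAcls: {
      defaultAction: 'Deny'              // block all networks by default ...
      bypass: 'AzureServices'            // ... except trusted Azure services such as IoT Central
    }
  }
}

resource storageRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, iotCentralPrincipalId, storageBlobDataContributor)
  scope: storage                         // least privilege: scoped to this account only
  properties: {
    principalId: iotCentralPrincipalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataContributor)
  }
}

resource ehNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = {
  name: eventHubNamespaceName
  location: location
  sku: { name: 'Standard' }
  properties: { disableLocalAuth: true } // SAS keys off; managed identity only
}

resource ehNetworkRules 'Microsoft.EventHub/namespaces/networkRuleSets@2022-10-01-preview' = {
  parent: ehNamespace
  name: 'default'
  properties: {
    defaultAction: 'Deny'                // selected networks only
    publicNetworkAccess: 'Enabled'       // the rule set above still governs which traffic is admitted
    trustedServiceAccessEnabled: true    // the "allow trusted Microsoft services" switch
  }
}
```

Grant the identity Azure Event Hubs Data Sender on the namespace with a role assignment shaped like storageRole; after deployment, confirm that a data export run still succeeds and that direct access from a non-trusted network is refused.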
Next steps
Now that you've learned how to export data to a destination locked down on a virtual network, here's the suggested next step: