Hi. I'm trying to disable public network access of the Event Hub. But it seems to block every thing. The environment is below. Event Hub (public network access = false with vnet rules) Private Endpoint Private DNS Zone (privatelink.servicebus.windows.net) Python (azure-eventhub 5.11.5) Sender: Azure Linux Web App Receiver: Azure Linux Function (Event Hub Trigger) Deploy: terraform with Azure RM Provider (3.81.0) The result is below. Sender: I guess the connection was time-outed. (the message is CBS Authorization failed . But it seems not to be able to connect to the Event Hub.) Receiver: Connection was refused because non-trusted service (Diagnostics log said) If we enable the public network access, the result is below. Sender: success (Diagnostics OperationLogs said) api-version=2022-10 from Azure Linux Web App api-version=2021-10 from Azure Linux Function (on trigger another function from a receiver function) I don't know why there are different api version even we use same version of the library. Receiver: Accept Connection (Diagnostics EventHubVNetConnectionEvent said) reason: Matched VNet rule. IPAddress: it seems IPv6 Can't we disable public network access of Event Hub even if we use only vnet? I read the following documents. But no clue. https://video2.skills-academy.com/en-us/azure/event-hubs/event-hubs-service-endpoints https://video2.skills-academy.com/en-us/azure/event-hubs/private-link-service

Disabling public network access of the Event Hub seems to block any access even if vnet rule is matched

中垣茂(ESM) 0

Hi.

I'm trying to disable public network access of the Event Hub. But it seems to block every thing.

The environment is below.

Event Hub (public network access = false with vnet rules)
Private Endpoint
Private DNS Zone (privatelink.servicebus.windows.net)
Python (azure-eventhub 5.11.5)
Sender: Azure Linux Web App
Receiver: Azure Linux Function (Event Hub Trigger)
Deploy: terraform with Azure RM Provider (3.81.0)

The result is below.

Sender: I guess the connection was time-outed. (the message is CBS Authorization failed. But it seems not to be able to connect to the Event Hub.)
Receiver: Connection was refused because non-trusted service (Diagnostics log said)

If we enable the public network access, the result is below.

Sender: success (Diagnostics OperationLogs said)
- api-version=2022-10 from Azure Linux Web App
  - api-version=2021-10 from Azure Linux Function (on trigger another function from a receiver function)
    - I don't know why there are different api version even we use same version of the library.
Receiver: Accept Connection (Diagnostics EventHubVNetConnectionEvent said)
- reason: Matched VNet rule.
  - IPAddress: it seems IPv6

Can't we disable public network access of Event Hub even if we use only vnet?

I read the following documents. But no clue.

https://video2.skills-academy.com/en-us/azure/event-hubs/event-hubs-service-endpoints

https://video2.skills-academy.com/en-us/azure/event-hubs/private-link-service

ShaikMaheer-MSFT 38,441 Reputation points Microsoft Employee

2023-11-24T05:10:45.5033333+00:00

Hi 中垣茂(ESM),

Thank you for posting query in Microsoft Q&A Platform.

It is possible to disable public network access to an Event Hub and use VNet rules to allow access only from specific networks. However, it is important to ensure that the VNet rules are configured correctly to allow access from the desired networks.

Based on the information you provided, it seems that the VNet rules may not be configured correctly, which is causing the connection issues. You may need to review the VNet rules and ensure that they are configured to allow access from the networks that you want to allow.

Additionally, it is possible that the issue with the different API versions is related to the configuration of the VNet rules. You may need to review the API versions and ensure that they are compatible with the VNet rules that you have configured.

If you are still having issues after reviewing the VNet rules and API versions, you may need to review the diagnostics logs and event logs to identify the root cause of the issue. This can help you to identify any misconfigurations or issues with the network connectivity.

In summary, it is possible to disable public network access to an Event Hub and use VNet rules to allow access only from specific networks. However, it is important to ensure that the VNet rules are configured correctly and that the API versions are compatible with the VNet rules. If you are still having issues, you may need to review the diagnostics logs and event logs to identify the root cause of the issue.

Hope this helps.
中垣茂(ESM) 0 Reputation points

2023-11-27T00:14:24.5766667+00:00

Hi.

I believe VNet rules are correct because the difference between these cases are only enable / disable of public network access and function triggers can reach the Event Hub through VNet if public network access is enable.

About API version, I don't know hot to specify the version in Python. There is no argument of API version for Event Hub API (neither sender and trigger).

中垣茂(ESM) 0

There are network security rule for function and private endpoint like below.

For Inbound
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "VirtualNetwork"
  destination_address_prefix  = "VirtualNetwork"

For outbound
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "VirtualNetwork"
  destination_address_prefix  = "VirtualNetwork"

I think these allow any communications with VNet, right?

中垣茂(ESM) 0 Reputation points

2023-11-27T00:45:24.72+00:00

Also when I disable public network access on Azure Portal, VNet rules are gone.

Share via

Disabling public network access of the Event Hub seems to block any access even if vnet rule is matched

Your answer