articles/azure-signalr/howto-service-tags.md
31 additions & 28 deletions
@@ -12,37 +12,19 @@ ms.author: lianwei
12
12
13
13
# Use service tags for Azure SignalR Service
14
14
15
-
You can use [Service Tags](../virtual-network/service-tags-overview.md)with Azure SignalR Service when configuring [Network Security Group](../virtual-network/network-security-groups-overview.md#network-security-groups). Service tags allow you to define inbound/outbound network security rules for Azure resources that connect to the SignalR Service endpoints without the need to hardcode IP addresses.
15
+
You can use [Service Tags](../virtual-network/service-tags-overview.md)to identify Azure SignalR Service traffic. A service tag represents a group of IP address prefixes. Azure SignalR Service manages a service tag called `AzureSignalR` for both inbound and outbound traffic.
16
16
17
-
The SignalR Service manages service tags, which means that you can't create your own service tag or modify an existing one. Microsoft manages address prefixes that match the service tag and automatically updates the service tag as addresses change.
17
+
A service tag can be used when for configuring **Network Security Group**. Alternatively, you can query the IP address prefixes using [Service Tag Discovery API](../virtual-network/service-tags-overview.md#service-tags-on-premises).
18
18
19
-
This article shows you how to create a network security group with inbound/outbound service tags for Azure SignalR Service. Once you've created the network security group, you can apply it to the resource, such as Azure Functions, connecting to SignalR Service.
19
+
## Outbound traffic
20
20
21
-
> [!Note]
22
-
> Starting 15 August 2021, Azure SignalR Service supports bidirectional service tags for both inbound and outbound traffic.
23
-
24
-
## Create a network security group
25
-
26
-
Create a network security group using the Azure portal:
27
-
28
-
1. Search for **Network security groups** in the Azure portal.
29
-
1. Select **Network security groups**.
30
-
1. Select **Create**
31
-
1. Enter the settings for the network security group:
32
-
| Field| Value|
33
-
| Subscription | Your subscription |
34
-
| Resource group | Choose an existing or create a new resource group |
35
-
| Name | Your network security group name |
36
-
| Region | Your region |
37
-
1. Select **Review + create**.
38
-
1. Select **Create**.
21
+
Endpoints of Azure SignalR Service resources are guaranteed to be within IP ranges of Service Tag `AzureSignalR`.
39
22
23
+
### Access Azure SignalR Service from virtual network
40
24
41
-
### Configure outbound traffic
25
+
You can allow outbound traffic from your network to Azure SignalR Service by adding a new outbound network security rule.
42
26
43
-
You can allow outbound traffic to Azure SignalR Service by adding a new outbound network security rule.
44
-
45
-
1. Select **Go to resource** or go to the network security group.
27
+
1. On portal, go to the network security group.
46
28
1. Select on the settings menu called **Outbound security rules**.
47
29
1. Select the **Add** button.
48
30
1. Select **Destination** and choose **Service Tag**.
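Review bot: The new second paragraph points readers to the Service Tag Discovery API to "query the IP address prefixes", while the hunk deletes the only statement that Microsoft "automatically updates the service tag as addresses change"; a reader who copies the prefixes into a firewall now has no cue that the list goes stale. Suggest keeping one sentence saying the prefixes change and must be re-queried. Wording in the added lines: "can be used when for configuring" should be "can be used when configuring", a space is missing in "service-tags-overview.md)to identify", and "On portal, go to" reads better as "In the Azure portal, go to".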
@@ -54,11 +36,19 @@ You can allow outbound traffic to Azure SignalR Service by adding a new outbound
54
36
1. Adjust other fields as needed.
55
37
1. Select **Add**.
56
38
57
-
### Configure inbound traffic
39
+
## Inbound traffic
40
+
41
+
In following scenarios, Azure SignalR Service can generate network traffic to your resource. The source of traffic is guaranteed to be within IP ranges of Service Tag `AzureSignalR`.
42
+
43
+
* Use [upstream endpoints](concept-upstream.md) in [serverless mode](signalr-concept-azure-functions.md).
44
+
* Use [Key Vault secret reference](concept-upstream.md#key-vault-secret-reference-in-url-template-settings) in URL template settings.
45
+
* Use [custom certificate](howto-custom-domain.md#add-a-custom-certificate).
46
+
47
+
### Upstream endpoints in virtual network
58
48
59
-
If you're using upstream endpoints, you can also enable inbound traffic from Azure SignalR Service by adding a new inbound network security rule:
49
+
You can configure **Network Security Group** to allow inbound traffic to virtual network:
60
50
61
-
1.Go to the network security group.
51
+
1.On portal, go to the network security group.
62
52
1. Select **Inbound security rules**.
63
53
1. Select the **Add** button.
64
54
1. Select **Source** and choose **Service Tag** from the list.
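Review bot: The added step "1.On portal, go to the network security group." has no space after "1.", so Markdown will not render it as the first item of the numbered list that follows; write "1. In the Azure portal, go to the network security group." In the added intro, "The source of traffic is guaranteed to be within IP ranges of Service Tag `AzureSignalR`" can be read as saying a tag-based allow rule identifies your own SignalR resource, so the sentence should say up front that the tag covers the whole service. Minor: "In following scenarios" needs "the", and "allow inbound traffic to virtual network" should be "to the virtual network".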
@@ -70,6 +60,19 @@ If you're using upstream endpoints, you can also enable inbound traffic from Azu
70
60
1. Change other settings as needed.
71
61
1. Select **Add**.
72
62
63
+
> [!Note]
64
+
> Azure SignalR Service is a shared service. By allowing Service Tag `AzureSignalR` or its associated IP address prefixes, you also allow traffic from other resources, even if they belong to other customers. Make sure you implement appropriate authentication on your endpoints.
65
+
66
+
### Upstream endpoints of Azure Function
67
+
68
+
You can configure a [service tag-based rule](../app-service/app-service-ip-restrictions.md#set-a-service-tag-based-rule).
69
+
70
+
Alternatively, you can use [Shared Private Endpoints](howto-shared-private-endpoints.md) for better security. Shared Private Endpoints are dedicated to your resources. No traffic from other resources can access your endpoints.
71
+
72
+
### Key vault access
73
+
74
+
We recommend [Shared Private Endpoints](howto-shared-private-endpoints-key-vault.md) for best security.
75
+
73
76
## Next steps
74
77
75
78
-[Network security groups: service tags](../virtual-network/network-security-groups-overview.md#security-rules)
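Review bot: The shared-service note sits only at the end of "Upstream endpoints in virtual network", but the service tag-based rule recommended under "Upstream endpoints of Azure Function" allows the same `AzureSignalR` tag and carries no such caveat; move the note up under "## Inbound traffic" or repeat it in that subsection. "Make sure you implement appropriate authentication on your endpoints" would be more useful with a link to how upstream requests can be authenticated. The custom certificate scenario listed under "## Inbound traffic" gets no subsection here, and "Key vault access" should be capitalised "Key Vault" to match the list item.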