|
| 1 | +--- |
| 2 | +title: Manage public network access for Azure IoT Device Provisioning Service (DPS) |
| 3 | +description: Documentation on how to disable and enable public network access for Azure IoT Device Provisioning Service (DPS) |
| 4 | +author: v-stharr |
| 5 | +ms.author: anastasia-ms |
| 6 | +ms.service: iot-dps |
| 7 | +services: iot-dps |
| 8 | +ms.topic: conceptual |
| 9 | +ms.date: 10/06/2021 |
| 10 | +--- |
| 11 | + |
| 12 | +# Manage public network access for your IoT Device Provisioning Service |
| 13 | + |
| 14 | +To restrict access to [a private endpoint for DPS in your VNet](virtual-network-support.md), disable public network access. To do so, use the Azure portal or the `publicNetworkAccess` API. You can also allow public access by using the portal or the `publicNetworkAccess` API. |
| 15 | + |
| 16 | +## Turn off public network access using the Azure portal |
| 17 | + |
| 18 | +To turn off public network access: |
| 19 | + |
| 20 | +1. Sign in to the [Azure portal](https://portal.azure.com). |
| 21 | +2. On the left-hand menu or on the portal page, select **All resources**. |
| 22 | +3. Select your Device Provisioning Service. |
| 23 | +4. In the **Settings** menu on the left-side, select *Networking*. |
| 24 | +5. Under **Public network access**, select *Disabled* |
| 25 | +6. Select **Save**. |
| 26 | + |
| 27 | + :::image type="content" source="media/iot-dps-public-network-access/disable-public-access.png" alt-text="Image showing Azure portal where to turn off public network access" ::: |
| 28 | + |
| 29 | +To turn on public network access: |
| 30 | + |
| 31 | +1. Select **All networks**. |
| 32 | +2. Select **Save**. |
| 33 | + |
| 34 | +### Access the DPS after disabling the public network access |
| 35 | + |
| 36 | +After public network access is disabled, the DPS instance is accessible only through [its VNet private endpoint using Azure private link](virtual-network-support.md). This restriction includes accessing through the Azure portal, because API calls to the DPS service are made directly using your browser with your credentials. |
| 37 | + |
| 38 | +### DPS endpoint, IP address, and ports after disabling public network access |
| 39 | + |
| 40 | +DPS is a multi-tenant Platform-as-a-Service (PaaS), where different customers share the same pool of compute, networking, and storage hardware resources. DPS's hostnames map to a public endpoint with a publicly routable IP address over the internet. Different customers share this DPS public endpoint, and IoT devices in wide-area networks and on-premises networks can all access it. |
| 41 | + |
| 42 | +Disabling public network access is enforced on a specific DPS resource, ensuring isolation. To keep the service active for other customer resources using the public path, its public endpoint remains resolvable, IP addresses discoverable, and ports remain open. This is not a cause for concern as Microsoft integrates multiple layers of security to ensure complete isolation between tenants. To learn more, see [Isolation in the Azure Public Cloud](../security/fundamentals/isolation-choices.md#tenant-level-isolation). |
| 43 | + |
| 44 | +### IP Filter |
| 45 | + |
| 46 | +If public network access is disabled, all [IP Filter](iot-hub-ip-filtering.md) rules are ignored. This is because all IPs from the public internet are blocked. To use IP Filter, use the **Selected IP ranges** option. |
| 47 | + |
| 48 | +### Turn on all network ranges |
| 49 | + |
| 50 | +To turn on all network ranges: |
| 51 | + |
| 52 | +1. Go to the [Azure portal](https://portal.azure.com). |
| 53 | +2. On the left-hand menu or on the portal page, select **All resources**. |
| 54 | +3. Select your Device Provisioning Service. |
| 55 | +4. In the **Settings** menu on the left-side, select *Networking*. |
| 56 | +5. Under **Public network access**, select *All networks* |
| 57 | +6. Select **Save**. |
0 commit comments