
Commit 5316de0

Merge pull request #99469 from rezasherafat/networkisolation_docupdate
Initial draft of network isolation doc.
2 parents 7cc4eae + ac49b86 commit 5316de0

1 file changed: +20 -2 lines changed

articles/iot-hub/iot-hub-understand-ip-address.md

Lines changed: 20 additions & 2 deletions
@@ -11,15 +11,33 @@ ms.date: 11/21/2019
1111

1212
# IoT Hub IP addresses
1313

14-
The IP address prefixes of IoT hub are published periodically under the *AzureIoTHub* [service tag](../virtual-network/service-tags-overview.md). To ensure proper operation, your IoT devices must have outbound connectivity to address prefixes listed under *AzureIoTHub* service tag. Your IoT application services need to additionally have outbound connectivity to address prefixes listed under *EventHub* service tag.
14+
The IP address prefixes of IoT Hub public endpoints are published periodically under the _AzureIoTHub_ [service tag](../virtual-network/service-tags-overview.md). You may use these IP address prefixes to control connectivity between IoT Hub and your devices or network assets in order to implement a variety of network isolation goals:
15+
16+
| Goal | Applicable scenarios | Approach |
17+
|------|-----------|----------|
18+
| Ensure your devices and services communicate with IoT Hub endpoints only | [Device-to-cloud](./iot-hub-devguide-messaging.md), and [cloud-to-device](./iot-hub-devguide-messages-c2d.md) messaging, [direct methods](./iot-hub-devguide-direct-methods.md), [device and module twins](./iot-hub-devguide-device-twins.md) and [device streams](./iot-hub-device-streams-overview.md) | Use _AzureIoTHub_ and _EventHub_ service tags to discover IoT Hub, and Event Hub IP address prefixes and configure ALLOW rules on your devices' and services' firewall setting for those IP address prefixes accordingly; drop traffic to other destination IP addresses you do not want the devices or services to communicate with. |
19+
| Ensure your IoT Hub device endpoint receives connections only from your devices and network assets | [Device-to-cloud](./iot-hub-devguide-messaging.md), and [cloud-to-device](./iot-hub-devguide-messages-c2d.md) messaging, [direct methods](./iot-hub-devguide-direct-methods.md), [device and module twins](./iot-hub-devguide-device-twins.md) and [device streams](./iot-hub-device-streams-overview.md) | Use IoT Hub [IP filter feature](iot-hub-ip-filtering.md) to allow connections from your devices and network asset IP addresses (see [limitations](#limitations-and-workarounds) section). |
20+
| Ensure your routes' custom endpoint resources (storage accounts, service bus and event hubs) are reachable from your network assets only | [Message routing](./iot-hub-devguide-messages-d2c.md) | Follow your resource's guidance on restrict connectivity (for example via [firewall rules](../storage/common/storage-network-security.md), [private links](../private-link/private-endpoint-overview.md), or [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md)); use _AzureIoTHub_ service tags to discover IoT Hub IP address prefixes and add ALLOW rules for those IP prefixes on your resource's firewall configuration (see [limitations](#limitations-and-workarounds) section). |
21+
1522

1623

1724
## Best practices
1825

26+
* When adding ALLOW rules in your devices' firewall configuration, it is best to provide specific [ports used by applicable protocols](./iot-hub-devguide-protocols.md#port-numbers).
27+
1928
* The IP address prefixes of IoT hub are subject to change. These changes are published periodically via service tags before taking effect. It is therefore important that you develop processes to regularly retrieve and use the latest service tags. This process can be automated via the [service tags discovery API](../virtual-network/service-tags-overview.md#service-tags-on-premises).
29+
2030
* Use the *AzureIoTHub.[region name]* tag to identify IP prefixes used by IoT hub endpoints in a specific region. To account for datacenter disaster recovery, or [regional failover](iot-hub-ha-dr.md) ensure connectivity to IP prefixes of your IoT Hub's geo-pair region is also enabled.
2131

2232

33+
## Limitations and workarounds
34+
35+
* IoT Hub IP filter feature has a limit of 10 rules. This limit and can be raised via requests through Azure Customer Support.
36+
37+
* Your configured [IP filtering rules](iot-hub-ip-filtering.md) are only applied on your IoT Hub IP endpoints and not on your IoT hub's built-in Event Hub endpoint. If you also require IP filtering to be applied on the Event Hub where your messages are stored, you may do so bringing your own Event Hub resource where you can configure your desired IP filtering rules directly. To do so, you need to provision your own Event Hub resource and set up [message routing](./iot-hub-devguide-messages-d2c.md) to send your messages to that resource instead of your IoT Hub's built-in Event Hub. Finally, as discussed in the table above, to enable message routing functionality you also need to allow connectivity from IoT Hub's IP address prefixes to your provisioned Event Hub resource.
38+
39+
* When routing to a storage account, allowing traffic from IoT Hub's IP address prefixes is only possible when the storage account is in a different region as your IoT Hub.
40+
2341
## Support for IPv6
2442

25-
IPv6 is currently not supported on IoT Hub.
43+
IPv6 is currently not supported on IoT Hub.
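Review bot: the new "Limitations and workarounds" bullets carry grammar errors that should be fixed before merge. "This limit and can be raised via requests through Azure Customer Support" should read "This limit can be raised via a request to Azure Customer Support"; "you may do so bringing your own Event Hub resource" needs "by bringing"; and "in a different region as your IoT Hub" should be "in a different region than your IoT Hub". In the third table row, "guidance on restrict connectivity" should be "guidance on restricting connectivity". The hunk also mixes `_AzureIoTHub_` (table and first paragraph) with `*AzureIoTHub*` (best-practices bullets) for emphasis; pick one style. On content, the IP filter bullet states that the rules are applied only on the IoT Hub endpoints and not on the built-in Event Hub endpoint; that is the point that matters most for a reader relying on IP filtering as an access control, so consider moving it ahead of the 10-rule limit and stating plainly that the built-in endpoint is not covered by those rules unless the routing workaround is used.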
