aa

Author: bjqian

articles/azure-signalr/signalr-howto-config-application-firewall.md

@@ -65,7 +65,7 @@ Client Connection Count Rules restrict concurrent client connections. When a cli
 # [Portal](#tab/Portal)
 To use Application Firewall, navigate to the SignalR **Application Firewall** blade on the Azure portal and click **Add** to add a rule. 
 
-![Screenshot of creating replica for Azure SignalR on Portal.](./media/signalr-howto-config-application-firewall/signalr-add-application-firewall-rule.png "Add rule")
+![Screenshot of adding application firewall rules for Azure SignalR on Portal.](./media/signalr-howto-config-application-firewall/signalr-add-application-firewall-rule.png "Add rule")
 
 # [Bicep](#tab/Bicep)
 
@@ -101,7 +101,7 @@ resource signalr 'Microsoft.SignalRService/signalr@2024-04-01-preview' = {
                 type: 'ThrottleByJwtCustomClaimRule'  
                 maxCount: 100
                 claimName: 'paidUser'
-          }
+            }
         ]
     }
   }

articles/azure-web-pubsub/howto-config-application-firewall.md

@@ -1,14 +1,14 @@
 ---
-title: SignalR Application Firewall (Preview)
-description: An introduction about why and how to setup Application Firewall for Azure SignalR service
+title: Web PubSub Application Firewall (Preview)
+description: An introduction about why and how to setup Application Firewall for Azure Web PubSub service
 author: biqian
-ms.service: signalr
+ms.service: azure-web-pubsub
 ms.custom: devx-track-azurecli
 ms.topic: how-to
 ms.date: 07/10/2024
 ms.author: biqian
 ---
-# Application Firewall for Azure SignalR Service
+# Application Firewall for Azure Web PubSub Service
 
 The Application Firewall provides sophisticated control over client connections in a distributed system. Before diving into its functionality and setup, let's clarify what the Application Firewall does not do:
 
@@ -21,12 +21,11 @@ The Application Firewall consists of various rule lists. Currently, there is a r
 
 This guideline is divided into three parts:
 1. Introduction to different application firewall rules.
-2. Instructions on configuring the rules using the Portal or Bicep on the SignalR service side.
+2. Instructions on configuring the rules using the Portal or Bicep on the Web PubSub service side.
 3. Steps to configure the token on the server side.
 
 ## Prerequisites
-
-* An Azure SignalR Service in [Premium tier](https://azure.microsoft.com/pricing/details/signalr-service/).
+* A Web PubSub resource in [premium tier](https://azure.microsoft.com/pricing/details/web-pubsub/).
 
 ## Client Connection Count Rules
 Client Connection Count Rules restrict concurrent client connections. When a client attempts to establish a new connection, the rules are checked **sequentially**. If any rule is violated, the connection is rejected with a status code 429.
@@ -45,37 +44,29 @@ Client Connection Count Rules restrict concurrent client connections. When a cli
    **Note:** It's not guaranteed by default that tokens generated by the SDK are different each time. Though each token contaisn a timestamp, this timestamp might be the same if vast tokens are generated within seconds. To avoid identical tokens, insert a random claim into the token claims.  Refer to [Configure access token](#configure-access-token).
 
 
-   #### ThrottleByJwtCustomClaimRule
-
-   More advancedly, connections could be grouped into different groups according to custom claim. Connections with the same claim will be aggregated to do the check.  For example, you could add a *ThrottleByJwtCustomClaimRule* to allow 5 concurrent connections for those with custom claim key "freeUser".
-
-   **Key point**: The rule applies to all claims with a certain claim name. The connection count aggregation is on the same claim (including claim name and claim value). The *ThrottleByUserIdRule* is a special case of this rule, applying to all connections with the userIdentity claim.
-   
-
-
  ### Best Practice
   #### Avoid using too aggressive maxCount
 
-  Client connections may close without completing the tcp handshake. SignalR service can't detect those "half-closed" connections immediately. The connection is taken as active until the heartbeart failure. Therefore, aggressive throttling strategies might unexpectedly throttle clients. A smoother approach is to **leave some buffer** for the connection count, for example: double the *maxCount*.
+  Client connections may close without completing the tcp handshake. Web PubSub service can't detect those "half-closed" connections immediately. The connection is taken as active until the heartbeart failure. Therefore, aggressive throttling strategies might unexpectedly throttle clients. A smoother approach is to **leave some buffer** for the connection count, for example: double the *maxCount*.
 
 
 
 ## Setup Application Firewall 
 
 # [Portal](#tab/Portal)
-To use Application Firewall, navigate to the SignalR **Application Firewall** blade on the Azure portal and click **Add** to add a rule. 
+To use Application Firewall, navigate to the Web PubSub **Application Firewall** blade on the Azure portal and click **Add** to add a rule. 
 
-![Screenshot of creating replica for Azure SignalR on Portal.](./media/signalr-howto-config-application-firewall/add-application-firewall-rule.png "Add rule")
+![Screenshot of adding application firewall rules for Azure Web PubSub on Portal.](./media/howto-config-application-firewall/add-application-firewall-rule.png "Add rule")
 
 # [Bicep](#tab/Bicep)
 
 Use Visual Studio Code or your favorite editor to create a file with the following content and name it main.bicep:
 
 ```bicep
-@description('The name for your SignalR service')
+@description('The name for your Web PubSub service')
 param resourceName string = 'contoso'
 
-resource signalr 'Microsoft.SignalRService/signalr@2024-04-01-preview' = {
+resource webpubsub 'Microsoft.SignalRService/webpubsub@2024-04-01-preview' = {
   name: resourceName
   properties: {
     applicationFirewall:{
@@ -90,18 +81,6 @@ resource signalr 'Microsoft.SignalRService/signalr@2024-04-01-preview' = {
                 type: 'ThrottleByJwtSignatureRule'
                 maxCount: 10
             }
-            {
-                // This rule will be skipped if no freeUser claim is set
-                type: 'ThrottleByJwtCustomClaimRule'
-                maxCount: 10
-                claimName: 'freeUser'
-            }
-            {
-                // This rule will be skipped if no paidUser claim is set
-                type: 'ThrottleByJwtCustomClaimRule'  
-                maxCount: 100
-                claimName: 'paidUser'
-          }
         ]
     }
   }
@@ -119,33 +98,17 @@ Deploy the Bicep file using Azure CLI
 
 
 ## Configure access token
-The application firewall rules only take effect when the access token contains the corresponding claim. A rule will be **skipped** if the connection does not have the corresponding claim. 
 
-Below is an example to add userId or custom claim in the access token in **Default Mode**:
+The application firewall rules only take effect when the access token contains the corresponding claim. A rule will be **skipped** if the connection does not have the corresponding claim. *userId" and *roles* are currently supported claims in the SDK.
+
+Below is an example to add userId and insert a unique placeholder in the access token:
 
 ```cs
-services.AddSignalR().AddAzureSignalR(options =>
-    {
-        //  Add necessary claims according to your rules.
-        options.ClaimsProvider = context => new[]
-        {
-            // Add UserId: Used in ThrottleByUserIdRule
-            new Claim(ClaimTypes.NameIdentifier, context.Request.Query["username"]),
-
-            // Add unique claim: Ensure uniqueness when using ThrottleByJwtSignatureRule. 
-            // The token name is not important. You could change it as you like.
-            new Claim("uniqueToken", Guid.NewGuid().ToString()),
-           
-            // Cutom claim: Used in ThrottleByJwtCustomClaimRule
-            new Claim("<Custom Claim Name>", "<Custom Claim Value>"),
-            // Custom claim example
-            new Claim("freeUser", context.Request.Query["username"]),
-        };
-    });
+// The GUID role wont have any effect. But it esures this token's uniqueness when using rule ThrottleByJwtSignatureRule.
+var url = service.GetClientAccessUri((userId: "user1" , roles: new string[] {  "webpubsub.joinLeaveGroup.group1", Guid.NewGuid().ToString()});
 ```
-The logic for **Serverless Mode** is similar.
 
-For more details, refer to [Client negotiation](signalr-concept-client-negotiation.md#What-can-you-do-during-negotiation) .  
+For more details, refer to [Client negotiation](howto-generate-client-access-url.md#generate-from-service-sdk) .