You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/iot-hub/iot-hub-understand-ip-address.md
+10-10Lines changed: 10 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,8 +5,8 @@ author: SoniaLopezBravo
5
5
ms.author: sonialopez
6
6
ms.service: azure-iot-hub
7
7
services: iot-hub
8
-
ms.topic: conceptual
9
-
ms.date: 01/28/2022
8
+
ms.topic: concept-article
9
+
ms.date: 05/22/2025
10
10
---
11
11
12
12
@@ -15,15 +15,15 @@ ms.date: 01/28/2022
15
15
The IP address prefixes of IoT Hub public endpoints are published periodically under the _AzureIoTHub_[service tag](../virtual-network/service-tags-overview.md).
16
16
17
17
> [!NOTE]
18
-
> For devices that are deployed inside of on-premises networks, Azure IoT Hub supports VNET connectivity integration with private endpoints. For more information, see [IoT Hub support for VNet](./virtual-network-support.md).
18
+
> For devices that are deployed inside of on-premises networks, Azure IoT Hub supports virtual network connectivity integration with private endpoints. For more information, see [IoT Hub support for virtual networks with Azure Private Link](./virtual-network-support.md).
19
19
20
-
You may use these IP address prefixes to control connectivity between IoT Hub and your devices or network assets in order to implement a variety of network isolation goals:
20
+
You can use these IP address prefixes to control connectivity between IoT Hub and your devices or network assets in order to implement various network isolation goals:
21
21
22
22
| Goal | Applicable scenarios | Approach |
23
23
|------|-----------|----------|
24
-
| Ensure your devices and services communicate with IoT Hub endpoints only |[Device-to-cloud](./iot-hub-devguide-messaging.md), and [cloud-to-device](./iot-hub-devguide-messages-c2d.md) messaging, [direct methods](./iot-hub-devguide-direct-methods.md), [device and module twins](./iot-hub-devguide-device-twins.md) and [device streams](./iot-hub-device-streams-overview.md)| Use the _AzureIoTHub_ service tag to discover IoT Hub IP address prefixes, then configure ALLOW rules on the firewall setting of your devices and services for these IP address prefixes. Traffic to other destination IP addresses will be dropped. |
25
-
| Ensure your IoT Hub device endpoint receives connections only from your devices and network assets |[Device-to-cloud](./iot-hub-devguide-messaging.md), and [cloud-to-device](./iot-hub-devguide-messages-c2d.md) messaging, [direct methods](./iot-hub-devguide-direct-methods.md), [device and module twins](./iot-hub-devguide-device-twins.md), and [device streams](./iot-hub-device-streams-overview.md)| Use IoT Hub [IP filter feature](iot-hub-ip-filtering.md) to allow connections from your devices and network asset IP addresses. For details on restrictions, see the [limitations](#limitations-and-workarounds) section. |
26
-
| Ensure your routes' custom endpoint resources (storage accounts, service bus, and event hubs) are reachable from your network assets only |[Message routing](./iot-hub-devguide-messages-d2c.md)| Follow your resource's guidance on restricting connectivity; for example, via [private links](../private-link/private-endpoint-overview.md), [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md), or [firewall rules](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services). For details on firewall restrictions, see the [limitations](#limitations-and-workarounds) section. |
24
+
| Ensure your devices and services communicate with IoT Hub endpoints only |[Device-to-cloud](./iot-hub-devguide-messaging.md) and [cloud-to-device](./iot-hub-devguide-messages-c2d.md) messaging, [direct methods](./iot-hub-devguide-direct-methods.md), [device and module twins](./iot-hub-devguide-device-twins.md), and [device streams](./iot-hub-device-streams-overview.md)| Use the _AzureIoTHub_ service tag to discover IoT Hub IP address prefixes, then configure ALLOW rules on the firewall setting of your devices and services for these IP address prefixes. Traffic to other destination IP addresses is dropped. |
25
+
| Ensure your IoT Hub device endpoint receives connections only from your devices and network assets |[Device-to-cloud](./iot-hub-devguide-messaging.md) and [cloud-to-device](./iot-hub-devguide-messages-c2d.md) messaging, [direct methods](./iot-hub-devguide-direct-methods.md), [device and module twins](./iot-hub-devguide-device-twins.md), and [device streams](./iot-hub-device-streams-overview.md)| Use IoT Hub [IP filter feature](iot-hub-ip-filtering.md) to allow connections from your devices and network asset IP addresses. For details on restrictions, see the [Limitations and workarounds](#limitations-and-workarounds) section. |
26
+
| Ensure your routes' custom endpoint resources (storage accounts, service bus, and event hubs) are reachable from your network assets only |[Message routing](./iot-hub-devguide-messages-d2c.md)| Follow your resource's guidance on restricting connectivity; for example, via [private links](../private-link/private-endpoint-overview.md), [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md), or [firewall rules](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services). For details on firewall restrictions, see the [Limitations and workarounds](#limitations-and-workarounds) section. |
27
27
28
28
## Best practices
29
29
@@ -33,17 +33,17 @@ You may use these IP address prefixes to control connectivity between IoT Hub an
33
33
34
34
* Use the _AzureIoTHub.[region name]_ tag to identify IP prefixes used by IoT Hub endpoints in a specific region. To account for datacenter disaster recovery or [regional failover](iot-hub-ha-dr.md), ensure connectivity to IP prefixes of your IoT hub's geo-pair region is also enabled.
35
35
36
-
* Setting up firewall rules in IoT Hub may block off connectivity needed to run Azure CLI and PowerShell commands against your IoT Hub. To avoid this, you can add ALLOW rules for your clients' IP address prefixes to re-enable CLI or PowerShell clients to communicate with your IoT Hub.
36
+
* Setting up firewall rules in IoT Hub might block off connectivity needed to run Azure CLI and PowerShell commands against your IoT hub. To avoid blocking connectivity, you can add ALLOW rules for your clients' IP address prefixes to re-enable CLI or PowerShell clients to communicate with your IoT hub.
37
37
38
38
* When adding ALLOW rules in your devices' firewall configuration, it’s best to provide specific [ports used by applicable protocols](./iot-hub-devguide-protocols.md#port-numbers).
39
39
40
40
## Limitations and workarounds
41
41
42
42
* IoT Hub IP filter feature has a limit of 100 rules. This limit and can be raised via requests through Azure Customer Support.
43
43
44
-
* By default, your configured [IP filtering rules](iot-hub-ip-filtering.md) are only applied on your IoT Hub IP endpoints and not on your IoT hub's built-in event hub endpoint. If you also require IP filtering to be applied on the event hub where your messages are stored, you may select the "Apply IP filters to the built-in endpoint" option in the IoT Hub Network settings. You can do the same thing by using your own Event Hubs resource where you can configure your desired IP filtering rules directly. In this case, you need to provision your own Event Hubs resource and set up [message routing](./iot-hub-devguide-messages-d2c.md) to send your messages to that resource instead of your IoT Hub's built-in event hub.
44
+
* By default, your configured [IP filtering rules](iot-hub-ip-filtering.md) are only applied on your IoT Hub IP endpoints and not on your IoT hub's built-in event hub endpoint. If you also require IP filtering to be applied on the event hub where your messages are stored, you can select the "Apply IP filters to the built-in endpoint?" option in the Networking settings for your IoT hub. You can do the same thing by using your own Event Hubs resource where you can configure your desired IP filtering rules directly. In this case, you need to provision your own Event Hubs resource and set up [message routing](./iot-hub-devguide-messages-d2c.md) to send your messages to that resource instead of your IoT hub's built-in event hub.
45
45
46
-
* IoT Hub Service Tags only contain IP ranges for inbound connections. To limit firewall access on other Azure services to data coming from IoT Hub Message Routing, please choose the appropriate "Allow Trusted Microsoft Services" option for your service; for example, [Event Hubs](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services), [Service Bus](..//service-bus-messaging/service-bus-service-endpoints.md#trusted-microsoft-services), [Azure Storage](../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services).
46
+
* IoT Hub service tags only contain IP ranges for inbound connections. To limit firewall access on other Azure services to data coming from IoT Hub message routing, choose the appropriate "Allow Trusted Microsoft Services" option for your service; for example, [Event Hubs](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services), [Service Bus](..//service-bus-messaging/service-bus-service-endpoints.md#trusted-microsoft-services), or[Azure Storage](../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services).
0 commit comments