You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
description: How to use virtual networks connectivity pattern with IoT Hub
3
+
description: How to use the virtual networks connectivity pattern with IoT Hub.
4
4
author: SoniaLopezBravo
5
5
6
6
ms.author: sonialopez
7
7
ms.service: azure-iot-hub
8
8
ms.topic: concept-article
9
-
ms.date: 01/13/2023
9
+
ms.date: 06/26/2025
10
10
---
11
11
12
12
# IoT Hub support for virtual networks with Azure Private Link
13
13
14
14
By default, IoT Hub's hostnames map to a public endpoint with a publicly routable IP address over the internet. Different customers share this IoT Hub public endpoint, and IoT devices in wide-area networks and on-premises networks can all access it.
15
15
16
-
16
+
:::image type="content" source="./media/virtual-network-support/public-endpoint.png" alt-text="Diagram showing the IoT Hub public endpoint and various interactions.":::
17
17
18
18
Some IoT Hub features, including [message routing](./iot-hub-devguide-messages-d2c.md), [file upload](./iot-hub-devguide-file-upload.md), and [bulk device import/export](./iot-hub-bulk-identity-mgmt.md), also require connectivity from IoT Hub to a customer-owned Azure resource over its public endpoint. These connectivity paths make up the egress traffic from IoT Hub to customer resources.
19
19
20
-
You might want to restrict connectivity to your Azure resources (including IoT Hub) through a VNet that you own and operate for several reasons, including:
20
+
You might want to restrict connectivity to your Azure resources (including IoT Hub) through a virtual network that you own and operate for several reasons, including:
21
21
22
22
* Introducing network isolation for your IoT hub by preventing connectivity exposure to the public internet.
23
23
@@ -31,41 +31,43 @@ This article describes how to achieve these goals using [Azure Private Link](../
31
31
32
32
## Ingress connectivity to IoT Hub using Azure Private Link
33
33
34
-
A private endpoint is a private IP address allocated inside a customer-owned VNet through which an Azure resource is reachable. With Azure Private Link, you can set up a private endpoint for your IoT hub to allow services inside your VNet to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Similarly, your on-premises devices can use [Virtual Private Network (VPN)](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) peering to gain connectivity to your VNet and your IoT hub (via its private endpoint). As a result, you can restrict or completely block off connectivity to your IoT hub's public endpoints by using [IoT Hub IP filter](./iot-hub-ip-filtering.md) or [the public network access toggle](iot-hub-public-network-access.md). This approach keeps connectivity to your hub using the private endpoint for devices. The main focus of this setup is for devices inside an on-premises network. This setup isn't advised for devices deployed in a wide-area network.
34
+
A private endpoint is a private IP address allocated inside a customer-owned virtual network through which an Azure resource is reachable. With Azure Private Link, you can set up a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Similarly, your on-premises devices can use [Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [Azure ExpressRoute](https://azure.microsoft.com/services/expressroute/) peering to gain connectivity to your virtual network and your IoT hub (via its private endpoint). As a result, you can restrict or completely block off connectivity to your IoT hub's public endpoints by using [IoT Hub IP filter](./iot-hub-ip-filtering.md) or [the public network access toggle](iot-hub-public-network-access.md). This approach keeps connectivity to your hub using the private endpoint for devices. The main focus of this setup is for devices inside an on-premises network. This setup isn't advised for devices deployed in a wide-area network.
35
35
36
-
Before proceeding ensure that the following prerequisites are met:
39
39
40
-
* You've[created an Azure VNet](../virtual-network/quick-create-portal.md) with a subnet in which the private endpoint will be created.
40
+
* You [created an Azure virtual network](../virtual-network/quick-create-portal.md) with a subnet in which to create the private endpoint.
41
41
42
-
* For devices that operate in on-premises networks, set up [Virtual Private Network (VPN)](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) private peering into your Azure VNet.
42
+
* For devices that operate in on-premises networks, set up [Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [Azure ExpressRoute](https://azure.microsoft.com/services/expressroute/) private peering into your Azure virtual network.
43
43
44
44
### Set up a private endpoint for IoT Hub ingress
45
45
46
-
Private endpoint works for IoT Hub device APIs (like device-to-cloud messages) and service APIs (like creating and updating devices).
46
+
Private endpoints work for IoT Hub device APIs (like device-to-cloud messages) and service APIs (like creating and updating devices).
47
47
48
48
1. In the [Azure portal](https://portal.azure.com), navigate to your IoT hub.
49
49
50
-
1.Select**Networking** > **Private access**, and then select **Create a private endpoint**.
50
+
1.In the left-side pane, under **Security settings**, select**Networking** > **Private access**, and then select **Create a private endpoint**.
51
51
52
-
:::image type="content" source="media/virtual-network-support/private-link.png" alt-text="Screenshot showing where to add private endpoint for IoT Hub." border="true":::
52
+
:::image type="content" source="media/virtual-network-support/private-link.png" alt-text="Screenshot showing where to add a private endpoint for an IoT hub." border="true":::
53
53
54
-
1. Provide the subscription, resource group, name, and region to create the new private endpoint. Ideally, a private endpoint should be created in the same region as your hub.
54
+
1. Provide the subscription, resource group, name, network interface name, and region to create the new private endpoint. Ideally, a private endpoint should be created in the same region as your hub.
55
55
56
-
1. Select **Next: Resource**, and provide the subscription for your IoT Hub resource, and select **"Microsoft.Devices/IotHubs"**as resource type, your IoT hub name as **resource**, and **iotHub** as target subresource.
56
+
1. Select **Next: Resource**, and provide the subscription for your IoT Hub resource. Then, select **Microsoft.Devices/IotHubs**for the resource type, your IoT hub name as the resource**, and **iotHub** as the target subresource.
57
57
58
-
1. Select **Next: Configuration** and provide your virtual network and subnet to create the private endpoint in. Select the option to integrate with Azure private DNS zone, if desired.
58
+
1. Select **Next: Virtual Network**, and provide your virtual network and subnet to create the private endpoint in.
59
+
60
+
1. Select **Next: DNS**, and select the option to integrate with private DNS zone, if desired.
59
61
60
62
1. Select **Next: Tags**, and optionally provide any tags for your resource.
61
63
62
-
1. Select **Review + create** to create your private link resource.
64
+
1. Select **Next: Review + create** to review the details for your private link resource, and then select **Create** to create the resource.
63
65
64
66
### Built-in Event Hubs compatible endpoint
65
67
66
-
The [built-in Event Hubs compatible endpoint](iot-hub-devguide-messages-read-builtin.md) can also be accessed over private endpoint. When private link is configured, you should see another private endpoint connection for the built-in endpoint. It's the one with `servicebus.windows.net` in the FQDN.
68
+
The [built-in Event Hubs compatible endpoint](iot-hub-devguide-messages-read-builtin.md) can also be accessed over private endpoint. When private link is configured, you should see another private endpoint connection and configuration for the built-in endpoint. It's the one with `servicebus.windows.net` in the FQDN.
67
69
68
-
:::image type="content" source="media/virtual-network-support/private-built-in-endpoint.png" alt-text="Screenshot showing two private endpoints given each IoT Hub private link":::
70
+
:::image type="content" source="media/virtual-network-support/private-built-in-endpoint.png" alt-text="Screenshot showing two private endpoints for an IoT Hub private link, highlighting the FQDN and configuration for the built-in endpoint.":::
69
71
70
72
IoT Hub's [IP filter](iot-hub-ip-filtering.md) can optionally control public access to the built-in endpoint.
71
73
@@ -77,9 +79,9 @@ For pricing details, see [Azure Private Link pricing](https://azure.microsoft.co
77
79
78
80
## Egress connectivity from IoT Hub to other Azure resources
79
81
80
-
IoT Hub can connect to your Azure blob storage, event hub, service bus resources for [message routing](./iot-hub-devguide-messages-d2c.md), [file upload](./iot-hub-devguide-file-upload.md), and [bulk device import/export](./iot-hub-bulk-identity-mgmt.md) over the resources' public endpoint. Binding your resource to a VNet blocks connectivity to the resource by default. As a result, this configuration prevents IoT hubs from sending data to your resources. To fix this issue, enable connectivity from your IoT Hub resource to your storage account, event hub, or service bus resources via the **trusted Microsoft service** option.
82
+
IoT Hub can connect to your Azure blob storage, event hub, service bus resources for [message routing](./iot-hub-devguide-messages-d2c.md), [file upload](./iot-hub-devguide-file-upload.md), and [bulk device import/export](./iot-hub-bulk-identity-mgmt.md) over the resources' public endpoint. Binding your resource to a virtual network blocks connectivity to the resource by default. As a result, this configuration prevents IoT hubs from sending data to your resources. To fix this issue, enable connectivity from your IoT Hub resource to your storage account, event hub, or service bus resources via the **trusted Microsoft service** option.
81
83
82
-
To allow other services to find your IoT hub as a trusted Microsoft service, your hub must use a managed identity. Once a managed identity is provisioned, grant permission to your hub's managed identity to access your custom endpoint. Follow the article [Managed identities support in IoT Hub](./iot-hub-managed-identity.md) to provision a managed identity with Azure role-based access control (RBAC) permission, and add the custom endpoint to your IoT hub. Make sure you turn on the trusted Microsoft first party exception to allow your IoT hubs access to the custom endpoint if you have the firewall configurations in place.
84
+
To allow other services to find your IoT hub as a trusted Microsoft service, your hub must use a managed identity. Once a managed identity is provisioned, grant permission to your hub's managed identity to access your custom endpoint. Follow the procedures provided in [IoT Hub support for managed identities](./iot-hub-managed-identity.md) to provision a managed identity with Azure role-based access control (RBAC) permission, and add the custom endpoint to your IoT hub. To allow your IoT hubs access to the custom endpoint, make sure you turn on the trusted Microsoft first party exception if you have the firewall configurations in place.
83
85
84
86
### Pricing for trusted Microsoft service option
85
87
@@ -89,6 +91,6 @@ Trusted Microsoft first party services exception feature is free of charge. Char
89
91
90
92
Use the following links to learn more about IoT Hub features:
0 commit comments