articles/digital-twins/concepts-security.md
+13 −1 Lines changed: 13 additions & 1 deletion
@@ -5,7 +5,7 @@ titleSuffix: Azure Digital Twins
5
5
description: Learn about Azure Digital Twins security best practices.
6
6
author: baanders
7
7
ms.author: baanders # Microsoft employees only
8
-
ms.date: 02/02/2023
8
+
ms.date: 03/31/2023
9
9
ms.topic: conceptual
10
10
ms.service: digital-twins
11
11
@@ -97,6 +97,18 @@ You can use either of these managed identity types to authenticate to a [custom-
97
97
98
98
For instructions on how to enable a managed identity for an Azure Digital Twins endpoint that can be used to route events, see [Endpoint options: Identity-based authentication](how-to-create-endpoints.md#endpoint-options-identity-based-authentication).
99
99
100
+
### Using trusted Microsoft service for routing events to Event Hubs and Service Bus endpoints
101
+
102
+
Azure Digital Twins can connect to Event Hubs and Service Bus endpoints for sending event data, using those resources' public endpoints. However, if those resources are bound to a VNet, connectivity to the resources are blocked by default. As a result, this configuration prevents Azure Digital Twins from sending event data to your resources.
103
+
104
+
To resolve this, enable connectivity from your Azure Digital Twins instance to your Event Hubs or Service Bus resources through the the *trusted Microsoft service* option (see [Trusted Microsoft services for Event Hubs](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services) and [Trusted Microsoft services for Service Bus](../service-bus-messaging/service-bus-service-endpoints.md#trusted-microsoft-services)).
105
+
106
+
You'll need to complete the following steps to enable the trusted Microsoft service connection.
107
+
108
+
1. Your Azure Digital Twins instance must use a **system-assigned managed identity**. This allows other services to find your instance as a trusted Microsoft service. For instructions to set up a system-managed identity on the instance, see [Enable managed identity for the instance](how-to-create-endpoints.md#1-enable-managed-identity-for-the-instance).
109
+
1. Once a system-assigned managed identity is provisioned, grant permission for your instance's managed identity to access your Event Hubs or Service Bus endpoint (this feature is not supported in Event Grid). For instructions to assign the proper roles, see [Assign Azure roles to the identity](how-to-create-endpoints.md#2-assign-azure-roles-to-the-identity).
110
+
1. For Event Hubs and Service Bus endpoints that have firewall configurations in place, make sure you enable the **Allow trusted Microsoft services to bypass this firewall** setting.
111
+
100
112
## Private network access with Azure Private Link
101
113
102
114
[Azure Private Link](../private-link/private-link-overview.md) is a service that enables you to access Azure resources (like [Azure Event Hubs](../event-hubs/event-hubs-about.md), [Azure Storage](../storage/common/storage-introduction.md), and [Azure Cosmos DB](../cosmos-db/introduction.md)) and Azure-hosted customer and partner services over a private endpoint in your [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md).
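Review bot: two grammar slips in the added paragraphs of this hunk: "connectivity to the resources are blocked by default" should read "is blocked by default", and "through the the *trusted Microsoft service* option" doubles "the". Step 1 also changes terminology mid-sentence ("system-managed identity" right after "system-assigned managed identity"); use "system-assigned managed identity" throughout so it matches the linked heading "Enable managed identity for the instance". Consider one sentence after step 3 making explicit that the "Allow trusted Microsoft services to bypass this firewall" setting only opens the network path, and that the role assignment from step 2 remains what authorizes the identity to send, so readers do not treat the bypass toggle as the authorization step.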