Merge pull request #104992 from spelluru/ehubprivatelink0220

Private End Points

Author: GitHubber17

.openpublishing.redirection.json

@@ -13609,6 +13609,11 @@
       "redirect_url": "/azure/event-hubs/authorize-access-azure-active-directory",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/event-hubs/event-hubs-tutorial-virtual-networks-firewalls.md",
+      "redirect_url": "/azure/event-hubs/event-hubs-service-endpoints",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "articles/active-directory/active-directory-saml-protocol-reference.md",
       "redirect_url": "/azure/active-directory/develop/active-directory-saml-protocol-reference",

articles/event-hubs/TOC.yml

@@ -115,6 +115,8 @@
           href: authenticate-application.md
       - name: Authenticate with a shared access signature
         href: authenticate-shared-access-signature.md
+    - name: Network security
+      href: network-security.md
     - name: Built-in security controls
       href: event-hubs-security-controls.md
   - name: AMQP 1.0 protocol guide
@@ -182,13 +184,13 @@
       href: event-hubs-management-libraries.md
   - name: Secure 
     items:
-    - name: Use firewalls
+    - name: Configure IP firewall
       href: event-hubs-ip-filtering.md
-    - name: Use virtual network service endpoints
+    - name: Configure virtual network service endpoints
       href: event-hubs-service-endpoints.md
-    - name: Enable Virtual Networks Integration and Firewalls on Event Hubs Namespace
-      href: event-hubs-tutorial-virtual-networks-firewalls.md
-    - name: Configure customer-managed keys for encrypting data at rest
+    - name: Configure private endpoints (preview)
+      href: private-link-service.md
+    - name: Configure customer-managed keys
       href: configure-customer-managed-key.md
   - name: Troubleshoot
     items:

articles/event-hubs/event-hubs-ip-filtering.md

@@ -15,44 +15,31 @@ ms.author: spelluru
 
 ---
 
-# Azure Event Hubs - use firewall rules
+# Configure IP firewall rules for an Azure Event Hubs namespace
+By default, Event Hubs namespaces are accessible from internet as long as the request comes with valid authentication and authorization. With IP firewall, you can restrict it further to only a set of IPv4 addresses or IPv4 address ranges in [CIDR (Classless Inter-Domain Routing)](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation.
 
-For scenarios in which Azure Event Hubs should be only accessible from certain well-known sites, firewall rules enable you to configure rules for accepting traffic originating from specific IPv4 addresses. For example, these addresses may be those of a corporate NAT gateway.
+This feature is helpful in scenarios in which Azure Event Hubs should be only accessible from certain well-known sites. Firewall rules enable you to configure rules to accept traffic originating from specific IPv4 addresses. For example, if you use Event Hubs with [Azure Express Route][express-route], you can create a **firewall rule** to allow traffic from only your on-premises infrastructure IP addresses. 
 
-## When to use
+## IP firewall rules
+The IP firewall rules are applied at the Event Hubs namespace level. Therefore, the rules apply to all connections from clients using any supported protocol. Any connection attempt from an IP address that does not match an allowed IP rule on the Event Hubs namespace is rejected as unauthorized. The response does not mention the IP rule. IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.
 
-If you are looking to setup your Event Hubs namespace such that it should receive traffic from only a specified range of IP addresses and reject everything else, then you can leverage a *Firewall rule* to block Event Hub endpoints from other IP addresses. For example, if you use Event Hubs with [Azure Express Route][express-route], you can create a *Firewall rule* to restrict the traffic from your on-premises infrastructure IP addresses.
+## Use Azure portal
+This section shows you how to use the Azure portal to create IP firewall rules for an Event Hubs namespace. 
 
-## How filter rules are applied
+1. Navigate to your **Event Hubs namespace** in the [Azure portal](https://portal.azure.com).
+2. On the left menu, select **Networking** option. By default, the **All networks** option is selected. Your event hub accepts connections from any IP address. This default setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range. 
 
-The IP filter rules are applied at the Event Hubs namespace level. Therefore, the rules apply to all connections from clients using any supported protocol.
+    ![Firewall - All networks option selected](./media/event-hubs-firewall/firewall-all-networks-selected.png)
+1. Select the **Selected networks** option at the top of the page. In the **Firewall** section, follow these steps:
+    1. Select **Add your client IP address** option to give your current client IP the access to the namespace. 
+    2. For **address range**, enter a specific IPv4 address or a range of IPv4 address in CIDR notation. 
+    3. Specify whether you want to **allow trusted Microsoft services to bypass this firewall**. 
 
-Any connection attempt from an IP address that does not match an allowed IP rule on the Event Hubs namespace is rejected as unauthorized. The response does not mention the IP rule.
+        ![Firewall - All networks option selected](./media/event-hubs-firewall/firewall-selected-networks-trusted-access-disabled.png)
+3. Select **Save** on the toolbar to save the settings. Wait for a few minutes for the confirmation to show up on the portal notifications.
 
-## Default setting
 
-By default, the **IP Filter** grid in the portal for Event Hubs is empty. This default setting means that your event hub accepts connections from any IP address. This default setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.
-
-## IP filter rule evaluation
-
-IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.
-
->[!WARNING]
-> Implementing Firewalls can prevent other Azure services from interacting with Event Hubs.
->
-> Trusted Microsoft services are not supported when IP Filtering (Firewalls) are implemented, and will be made available soon.
->
-> Common Azure scenarios that don't work with IP Filtering (note that the list is **NOT** exhaustive) -
-> - Azure Stream Analytics
-> - Integration with Azure Event Grid
-> - Azure IoT Hub Routes
-> - Azure IoT Device Explorer
->
-> The below Microsoft services are required to be on a virtual network
-> - Azure Web Apps
-> - Azure Functions
-
-### Creating a Firewall rule with Azure Resource Manager templates
+## Use Resource Manager template
 
 > [!IMPORTANT]
 > Firewall rules are supported in **standard** and **dedicated** tiers of Event Hubs. It's not supported in basic tier.
@@ -131,6 +118,7 @@ Template parameters:
                 "action":"Allow"
             }
           ],
+          "trustedServiceAccessEnabled": false,
           "defaultAction": "Deny"
         }
       }

articles/event-hubs/event-hubs-service-endpoints.md

@@ -21,48 +21,56 @@ The integration of Event Hubs with [Virtual Network (VNet) Service Endpoints][vn
 
 Once configured to bound to at least one virtual network subnet service endpoint, the respective Event Hubs namespace no longer accepts traffic from anywhere but authorized subnets in virtual networks. From the virtual network perspective, binding an Event Hubs namespace to a service endpoint configures an isolated networking tunnel from the virtual network subnet to the messaging service. 
 
-The result is a private and isolated relationship between the workloads bound to the subnet and the respective Event Hubs namespace, in spite of the observable network address of the messaging service endpoint being in a public IP range. There is an exception to this behavior. Enabling a service endpoint, by default, enables the denyall rule in the IP firewall associated with the virtual network. You can add specific IP addresses in the IP firewall to enable access to the Event Hub public endpoint. 
-
-
->[!WARNING]
-> Implementing Virtual Networks integration can prevent other Azure services from interacting with Event Hubs.
->
-> Trusted Microsoft services are not supported when Virtual Networks are implemented.
->
-> Common Azure scenarios that don't work with Virtual Networks (note that the list is **NOT** exhaustive) -
-> - Integration with Azure Monitor. You can't stream diagnostic logs from **other** Azure services into Event Hubs. However, you can enable Azure diagnostic logs on the event hub itself. It's the same case when you have the firewall (IP filtering) enabled.
-> - Azure Stream Analytics
-> - Integration with Azure Event Grid
-> - Azure IoT Hub Routes
-> - Azure IoT Device Explorer
->
-> The below Microsoft services are required to be on a virtual network
-> - Azure Web Apps
-> - Azure Functions
+The result is a private and isolated relationship between the workloads bound to the subnet and the respective Event Hubs namespace, in spite of the observable network address of the messaging service endpoint being in a public IP range. There is an exception to this behavior. Enabling a service endpoint, by default, enables the `denyall` rule in the [IP firewall](event-hubs-ip-filtering.md) associated with the virtual network. You can add specific IP addresses in the IP firewall to enable access to the Event Hub public endpoint. 
 
 > [!IMPORTANT]
-> Virtual networks are supported in **standard** and **dedicated** tiers of Event Hubs. It's not supported in basic tier.
+> Virtual networks are supported in **standard** and **dedicated** tiers of Event Hubs. It's not supported in the **basic** tier.
 
 ## Advanced security scenarios enabled by VNet integration 
 
 Solutions that require tight and compartmentalized security, and where virtual network subnets provide the segmentation between the compartmentalized services, still need communication paths between services residing in those compartments.
 
-Any immediate IP route between the compartments, including those carrying HTTPS over TCP/IP, carries the risk of exploitation of vulnerabilities from the network layer on up. Messaging services provide completely insulated communication paths, where messages are even written to disk as they transition between parties. Workloads in two distinct virtual networks that are both bound to the same Event Hubs instance can communicate efficiently and reliably via messages, while the respective network isolation boundary integrity is preserved.
+Any immediate IP route between the compartments, including those carrying HTTPS over TCP/IP, carries the risk of exploitation of vulnerabilities from the network layer on up. Messaging services provide insulated communication paths, where messages are even written to disk as they transition between parties. Workloads in two distinct virtual networks that are both bound to the same Event Hubs instance can communicate efficiently and reliably via messages, while the respective network isolation boundary integrity is preserved.
 
 That means your security sensitive cloud solutions not only gain access to Azure industry-leading reliable and scalable asynchronous messaging capabilities, but they can now use messaging to create communication paths between secure solution compartments that are inherently more secure than what is achievable with any peer-to-peer communication mode, including HTTPS and other TLS-secured socket protocols.
 
-## Bind Event Hubs to Virtual Networks
+## Bind event hubs to virtual networks
+
+**Virtual network rules** are the firewall security feature that controls whether your Azure Event Hubs namespace accepts connections from a particular virtual network subnet.
+
+Binding an Event Hubs namespace to a virtual network is a two-step process. You first need to create a **virtual Network service endpoint** on a virtual network's subnet and enable it for **Microsoft.EventHub** as explained in the [service endpoint overview][vnet-sep] article. Once you have added the service endpoint, you bind the Event Hubs namespace to it with a **virtual network rule**.
+
+The virtual network rule is an association of the Event Hubs namespace with a virtual network subnet. While the rule exists, all workloads bound to the subnet are granted access to the Event Hubs namespace. Event Hubs itself never establishes outbound connections, doesn't need to gain access, and is therefore never granted access to your subnet by enabling this rule.
+
+## Use Azure portal
+This section shows you how to use Azure portal to add a virtual network service endpoint. To limit access, you need to integrate the virtual network service endpoint for this Event Hubs namespace.
+
+1. Navigate to your **Event Hubs namespace** in the [Azure portal](https://portal.azure.com).
+2. On the left menu, select **Networking** option. By default, the **All networks** option is selected. Your event hub accepts connections from any IP address. This default setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range. 
+
+    ![Firewall - All networks option selected](./media/event-hubs-firewall/firewall-all-networks-selected.png)
+1. Select the **Selected Networks** option at the top of the page.
+2. In the **Virtual Network** section of the page, select **+Add existing virtual network***. 
+
+    ![add existing virtual network](./media/event-hubs-tutorial-vnet-and-firewalls/add-vnet-menu.png)
+3. Select the virtual network from the list of virtual networks, and then pick the **subnet**. You have to enable the service endpoint before adding the virtual network to the list. If the service endpoint isn't enabled, the portal will prompt you to enable it.
+   
+   ![select subnet](./media/event-hubs-tutorial-vnet-and-firewalls/select-subnet.png)
+
+4. You should see the following successful message after the service endpoint for the subnet is enabled for **Microsoft.EventHub**. Select **Add** at the bottom of the page to add the network. 
+
+    ![select subnet and enable endpoint](./media/event-hubs-tutorial-vnet-and-firewalls/subnet-service-endpoint-enabled.png)
 
-*Virtual network rules* are the firewall security feature that controls whether your Azure Event Hubs namespace accepts connections from a particular virtual network subnet.
+    > [!NOTE]
+    > If you are unable to enable the service endpoint, you may ignore the missing virtual network service endpoint using the Resource Manager template. This functionality is not available on the portal.
+6. Select **Save** on the toolbar to save the settings. Wait for a few minutes for the confirmation to show up on the portal notifications.
 
-Binding an Event Hubs namespace to a virtual network is a two-step process. You first need to create a **Virtual Network service endpoint** on a Virtual Network subnet and enable it for "Microsoft.EventHub" as explained in the [service endpoint overview][vnet-sep]. Once you have added the service endpoint, you bind the Event Hubs namespace to it with a *virtual network rule*.
+    ![Save network](./media/event-hubs-tutorial-vnet-and-firewalls/save-vnet.png)
 
-The virtual network rule is an association of the Event Hubs namespace with a virtual network subnet. While the rule exists, all workloads bound to the subnet are granted access to the Event Hubs namespace. Event Hubs itself never establishes outbound connections, does not need to gain access, and is therefore never granted access to your subnet by enabling this rule.
 
-### Create a virtual network rule with Azure Resource Manager templates
+## Use Resource Manager template
 
-The following Resource Manager template enables adding a virtual network rule to an existing Event Hubs 
-namespace.
+The following Resource Manager template enables adding a virtual network rule to an existing Event Hubs namespace.
 
 Template parameters:
 
@@ -175,6 +183,7 @@ Template parameters:
             }
           ],
           "ipRules":[<YOUR EXISTING IP RULES>],
+          "trustedServiceAccessEnabled": false,
           "defaultAction": "Deny"
         }
       }