Connect IoTHub with EventHub disabling public access and using private endpoints

G Cocci 211 Reputation points Microsoft Employee
2022-12-21T11:19:51.687+00:00

Hi,

I have a need to configure routing from an IoTHub to an EventHub via a custom endpoint.

Both resources have disabled access from the public network and both have a private endpoint on the same virtual network.

I have enabled the Managed Identity on the IoTHub and assigned to it the "Azure Event Hub Data Sender" role on the Event Hub.

When I try to create the custom endpoint I get the following error message:

An unexpected error occurred while updating your IoT hub. Error message: Cannot establish connection using the provided credentials. endpointName: event-hub-batch-endpoint, exceptionMessage:Put token failed. status-code: 401, status-description: Ip has been prevented to connect to the endpoint.

Is it possible to do this configuration with both resources with blocked access from public network?

1 answer

  1. AshokPeddakotla-MSFT 27,311 Reputation points
    2022-12-26T12:14:16.703+00:00

    @G Cocci Are you still blocked?

    I understand that you have enabled the Managed Identity on the IoTHub and assigned to it the "Azure Event Hub Data Sender" role on the Event Hub.

    Can you confirm whether you have assigned a system-assigned managed identity or a user-assigned managed identity?


    Please note that only a system-assigned managed identity gives IoT Hub access to private resources. If you want to use a user-assigned managed identity, then public access on those private resources needs to be enabled in order to allow connectivity.

    Also, make sure VNet and IP rules are properly configured.

    To allow other services to find your IoT hub as a trusted Microsoft service, your hub must use the managed identity. Once a managed identity is provisioned, you need to grant the Azure RBAC permission to your hub's managed identity to access your custom endpoint. Follow the article Managed identities support in IoT Hub to provision a managed identity with Azure RBAC permission, and add the custom endpoint to your IoT hub. Make sure you turn on the trusted Microsoft first-party exception to allow your IoT hub access to the custom endpoint if you have firewall configurations in place.

    From the doc, you need to do the following steps:

    • Enable system-assigned identity for your IoT hub
    • Add the identity to the Azure Event Hubs Data Sender role on the Event Hubs namespace.
    • Then, configure the IoT hub that uses an event hub as a custom endpoint to use identity-based authentication.


    Is it possible to do this configuration with both resources with blocked access from public network?

    For more details, please refer to IoT Hub support for managed identities and IoT Hub support for virtual networks with Private Link and Managed Identity.

    Let us know if it helps to resolve the issue or if you have any further queries.

    If the response is helpful, please click "Accept Answer" and upvote it.

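The steps listed in the answer above, as an added Azure CLI example (this is not code from the question, the answer, or Microsoft's documentation). Resource names, the subscription id and the principal id printed in dry-run mode are placeholders; the `az` subcommands and flags are the ones in the current Azure CLI as I know them, so confirm them with `--help` on your installed version before applying. The script defaults to printing the plan instead of calling `az`, so the exact commands can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the question or answer above): wires an IoT Hub to an
# Event Hubs custom endpoint with the hub's SYSTEM-assigned identity while the
# namespace keeps public access disabled. All names below are placeholders.
set -eu

RG="${RG:-my-rg}"                                  # placeholder resource group
HUB="${HUB:-my-iothub}"                            # placeholder IoT Hub name
EH_NS="${EH_NS:-my-eh-namespace}"                  # placeholder Event Hubs namespace
EH_NAME="${EH_NAME:-telemetry}"                    # placeholder event hub (entity) name
SUB="${SUB:-00000000-0000-0000-0000-000000000000}" # placeholder subscription id
ENDPOINT="${ENDPOINT:-event-hub-batch-endpoint}"   # endpoint name used in the question
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print the plan, 0 = call az

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: enable the SYSTEM-assigned identity. A user-assigned identity is not
# treated as a trusted first-party caller, so it cannot reach a namespace that
# blocks public access (the point made in the answer).
enable_hub_identity() {
  run az iot hub identity assign --name "$HUB" --resource-group "$RG" --system-assigned
}

# Object id of the hub's system identity (placeholder value in dry-run mode).
get_principal_id() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "11111111-1111-1111-1111-111111111111"
  else
    az iot hub identity show --name "$HUB" --resource-group "$RG" --query principalId -o tsv
  fi
}

# Step 2: grant only "Azure Event Hubs Data Sender" (no Owner/Contributor).
# Scoped to the namespace as in the answer; append "/eventhubs/$EH_NAME" to the
# scope to limit the hub to a single entity.
grant_sender_role() {
  run az role assignment create \
    --assignee-object-id "$(get_principal_id)" \
    --assignee-principal-type ServicePrincipal \
    --role "Azure Event Hubs Data Sender" \
    --scope "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.EventHub/namespaces/$EH_NS"
}

# Step 3: keep public access denied but allow trusted Microsoft services
# through the namespace firewall. Flag name as in the current Azure CLI;
# confirm with: az eventhubs namespace network-rule-set update --help
allow_trusted_services() {
  run az eventhubs namespace network-rule-set update \
    --resource-group "$RG" --namespace-name "$EH_NS" \
    --trusted-service-access-enabled true
}

# Step 4: create the custom endpoint with identity-based authentication.
# Without steps 1-3 this call is the one that fails with the 401
# "Ip has been prevented to connect to the endpoint" error from the question.
create_endpoint() {
  run az iot hub routing-endpoint create \
    --hub-name "$HUB" --resource-group "$RG" \
    --endpoint-name "$ENDPOINT" --endpoint-type eventhub \
    --endpoint-resource-group "$RG" --endpoint-subscription-id "$SUB" \
    --auth-type identityBased --identity '[system]' \
    --endpoint-uri "sb://$EH_NS.servicebus.windows.net" --entity-path "$EH_NAME"
}

# Check: the stored endpoint should report identity-based authentication.
show_endpoint() {
  run az iot hub routing-endpoint show \
    --hub-name "$HUB" --resource-group "$RG" --endpoint-name "$ENDPOINT"
}

main() {
  enable_hub_identity
  grant_sender_role
  allow_trusted_services
  create_endpoint
  show_endpoint
}
main
```

Run it as `sh wire-eventhub.sh` to print the plan, then `DRY_RUN=0 RG=... HUB=... EH_NS=... EH_NAME=... SUB=... sh wire-eventhub.sh` to apply. The script does not touch the IoT hub's own public-network setting or its private endpoint; it only grants the minimum role and opens the namespace firewall to trusted first-party services, which is what lets the endpoint creation succeed while both resources stay closed to the public network.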