Notification hub - Disable public network access

Mateusz U 61 Reputation points
2023-07-09T20:08:27.86+00:00

Hello,

We are evaluating using Notification Hub in our organization but our security is quite strict. Right now we haven't found any other option than to call the notification hub instance through the public internet with only a shared access signature being a security measure.

We were wondering if there is any option that public access to notification hub can be disabled, or maybe some half-measures to additionally protect the resource? So far most of our integrations involved at least mTLS/VPN/private endpoint. With Notification Hub we have big concerns.

Is there maybe anything on the roadmap regarding security area ?


Accepted answer
  1. brtrach-MSFT 17,391 Reputation points Microsoft Employee
    2023-07-19T20:18:57.2133333+00:00

    @Mateusz U I want to apologize as Notification Hubs seems to have changed with our //Build 2023 release that came out in May and my old notes that I previously used, are no longer valid.

    An up to date look at the security features available to Azure Notification Hub are:

    1. Authentication and authorization: You can use Azure Active Directory (AAD) or Shared Access Signature (SAS) authentication to authenticate and authorize access to your Notification Hub. AAD authentication allows you to use your existing AAD credentials to authenticate access to your Notification Hub, while SAS authentication allows you to create and manage shared access policies and keys for your Notification Hub.
    2. Encryption: You can use transport layer security (TLS) to encrypt traffic between your Notification Hub and your clients. You can also use client-side encryption to encrypt the payload of your notifications before sending them to your Notification Hub.
    3. Monitoring and logging: You can use Azure Monitor to monitor the health and performance of your Notification Hub. You can also use Azure Log Analytics to collect and analyze logs from your Notification Hub.
    4. Compliance: You can use Azure Policy to enforce compliance with regulatory and organizational policies for your Notification Hub. You can also use Azure Security Center to monitor and assess the security posture of your Notification Hub.

    The product group verified that VNet or NSG solutions are not available to limit access to Azure Notification Hub.

    Please let us know if you have any further questions or concerns.

    Lastly, if this answer helps, we ask you to provide another survey or mark this answer as valid as it helps us to recover from the previous not helpful survey. Thank you for your understanding.

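Added example, not code from the thread or from the Azure SDK: the Shared Access Signature scheme that the accepted answer's point 1 and the earlier answer's SAS paragraph refer to, written out in Python so the security properties are visible. A Notification Hubs SAS token is `SharedAccessSignature sr=<url-encoded resource URI>&sig=<base64 HMAC-SHA256>&se=<Unix expiry>&skn=<policy name>`, where the MAC is computed over the encoded URI, a newline and the expiry with the named policy's key. The hub URI, policy name and key below are constructed placeholders, not real credentials; `verify_sas_token` re-derives the signature the way the service does, which is how you can see that a token is bound to one resource, one policy and one expiry, and that the rights (Listen, Send, Manage) come from the policy named in `skn`, not from anything in the token itself.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

# Constructed sample values for this example only (not real credentials).
HUB_URI = "https://contoso-ns.servicebus.windows.net/contoso-hub"
POLICY_NAME = "DefaultListenSharedAccessSignature"   # hypothetical Listen-only policy
POLICY_KEY = "c29tZS1mYWtlLWtleS1mb3ItZGVtby1wdXJwb3Nlcy1vbmx5"


def _encode_uri(uri: str) -> str:
    # The service signs the URL-encoded, lower-cased resource URI.
    return quote(uri.lower(), safe="").lower()


def _sign(encoded_uri: str, expiry: int, key: str) -> str:
    # String to sign: <encoded uri> "\n" <unix expiry>; MAC is HMAC-SHA256, base64-encoded.
    to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_sas_token(uri, key_name, key, ttl_seconds=3600, now=None):
    """Mint a SAS token valid for ttl_seconds, bound to one resource URI and one policy."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    encoded_uri = _encode_uri(uri)
    signature = quote(_sign(encoded_uri, expiry, key), safe="")
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry}&skn={key_name}"


def verify_sas_token(token, expected_uri, policies, now=None):
    """Check a token the way the service would. Returns (ok, reason).

    `policies` maps policy name -> key. Whatever rights the named policy
    carries (Listen / Send / Manage) are the rights the token gets."""
    now = int(time.time()) if now is None else now
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "not a SAS token"
    try:
        fields = parse_qs(token[len(prefix):], strict_parsing=True)
        sr, sig, se, skn = (fields[k][0] for k in ("sr", "sig", "se", "skn"))
        expiry = int(se)
    except (KeyError, ValueError):
        return False, "malformed token"
    if _encode_uri(sr) != _encode_uri(expected_uri):
        return False, "token is bound to a different resource"
    if skn not in policies:
        return False, "unknown shared access policy"
    # Constant-time comparison of the recomputed MAC; covers sr, se and the key.
    if not hmac.compare_digest(_sign(_encode_uri(sr), expiry, policies[skn]), sig):
        return False, "signature mismatch (wrong key or tampered fields)"
    if expiry <= now:
        return False, "token expired"
    return True, f"ok: rights of policy '{skn}' until {expiry}"


if __name__ == "__main__":
    token = generate_sas_token(HUB_URI, POLICY_NAME, POLICY_KEY, ttl_seconds=600)
    print(token)
    print(verify_sas_token(token, HUB_URI, {POLICY_NAME: POLICY_KEY}))
    print(verify_sas_token(token, HUB_URI.replace("contoso-hub", "other-hub"), {POLICY_NAME: POLICY_KEY}))
```

Practical consequence for the question asked above: since the only thing the hub checks is this MAC, the controls available are short `se` lifetimes, a separate least-privileged policy per caller (a Listen-only policy for devices, a Send-only policy for the backend), and keeping the policy keys out of anything that ships to a device.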

2 additional answers

  1. brtrach-MSFT 17,391 Reputation points Microsoft Employee
    2023-07-12T03:07:15.8933333+00:00

    @Mateusz U Thank you for considering Notification Hub for your organization. I understand that you have concerns about security and would like to know if there is any way to disable public access to Notification Hub.

    One of these features is Shared Access Signatures (SAS), which you mentioned. SAS allows you to grant limited access to your Notification Hub instance to clients without sharing your primary access key. You can create SAS tokens with different levels of permissions, such as read, write, or manage, and set an expiration time for them. This way, you can control who can access your Notification Hub instance and for how long.

    You can link your Notification Hub to an Azure Service Bus namespace, which can be integrated with a virtual network for enhanced security.

    1. Create an Azure Service Bus namespace.
    2. Create a Shared Access Policy for the Service Bus namespace.
    3. Retrieve the connection string for the Service Bus namespace.
    4. In the Azure portal, navigate to your Notification Hub
    5. In the left-hand menu, click on "Push settings".
    6. Under "Backend", select "Azure Service Bus".
    7. Enter the connection string for the Service Bus namespace.
    8. Enter the name of the Shared Access Policy you created in step 2.
    9. Click "Save".

    Linking your Notification Hub to a Service Bus namespace that is integrated with a virtual network can provide additional security benefits by allowing you to control network traffic to and from your Notification Hub.

    When you integrate your Service Bus namespace with a virtual network, you can use network security groups (NSGs) and virtual network service endpoints to control access to your Service Bus namespace. NSGs allow you to create inbound and outbound security rules that can restrict traffic to and from your Service Bus namespace. Virtual network service endpoints allow you to extend your virtual network's private address space to your Service Bus namespace, which can help protect your data in transit.

    By controlling network traffic to and from your Service Bus namespace, you can help protect your Notification Hub from unauthorized access and can help prevent malicious traffic from reaching your Notification Hub. Additionally, by using a private IP address space for your Service Bus namespace, you can help protect your data from exposure to the public internet.

    To send sensitive payloads, we recommend using a Secure Push pattern. The sender delivers a ping notification with a message identifier to the device without the sensitive payload. When the app on the device receives the payload, the app calls a secure API directly to fetch the message details.

    Azure Notification Hubs encrypts all customer data at rest with the exception of registration tags. For this reason, you should not store personal or confidential data using tags.

    I would suggest you keep an eye on Azure Roadmap, which is where product groups share information on upcoming products/features as they're in development, preview, and general availability.

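Added example, not code from the answer above or from Azure: the Secure Push pattern the answer describes, modelled in plain Python with no SDK so it runs offline. The backend stores the sensitive payload itself, the push that goes through Notification Hubs carries only an opaque `message_id` (shown here in an APNs-style silent-push envelope; FCM would carry it under `data`), and the device then calls an authenticated API to fetch the body. `SecurePushBackend`, its bearer-token scheme and the sample account data are all constructed for this example; the one-time fetch, the per-device ownership check and the `leaks_sensitive_data` check are the parts worth copying.

```python
import hashlib
import hmac
import json
import secrets


class SecurePushBackend:
    """Hypothetical backend half of the Secure Push pattern (constructed for this example)."""

    def __init__(self, message_ttl_seconds=300):
        self._messages = {}        # message_id -> {"device_id", "payload", "expires_at"}
        self._device_tokens = {}   # sha256(bearer token) -> device_id
        self._ttl = message_ttl_seconds

    def register_device(self, device_id):
        """Issue a bearer token at app sign-in; only its hash is stored server-side."""
        token = secrets.token_urlsafe(32)
        self._device_tokens[hashlib.sha256(token.encode()).hexdigest()] = device_id
        return token

    def queue_message(self, device_id, sensitive_payload, now):
        """Store the real payload and return the opaque id that will ride in the push."""
        message_id = secrets.token_urlsafe(16)
        self._messages[message_id] = {
            "device_id": device_id,
            "payload": sensitive_payload,
            "expires_at": now + self._ttl,
        }
        return message_id

    @staticmethod
    def build_ping_notification(message_id):
        """What is handed to Notification Hubs: a silent push with the id and nothing else."""
        return {"aps": {"content-available": 1}, "message_id": message_id}

    def _device_for_token(self, bearer_token):
        wanted = hashlib.sha256(bearer_token.encode()).hexdigest()
        for token_hash, device_id in self._device_tokens.items():
            if hmac.compare_digest(token_hash, wanted):
                return device_id
        return None

    def fetch_message(self, message_id, bearer_token, now):
        """Secure API the device calls on receipt of the ping. One-time, owner-only, time-boxed."""
        device_id = self._device_for_token(bearer_token)
        if device_id is None:
            return None
        entry = self._messages.get(message_id)
        if entry is None or entry["device_id"] != device_id:
            return None                      # unknown id, or addressed to another device
        if entry["expires_at"] <= now:
            del self._messages[message_id]   # stale: drop it rather than serve it
            return None
        del self._messages[message_id]       # one-time delivery
        return entry["payload"]


def leaks_sensitive_data(push_body, sensitive_payload):
    """True if any sensitive value appears verbatim in the serialized push notification."""
    serialized = json.dumps(push_body)
    return any(str(v) in serialized for v in sensitive_payload.values())


if __name__ == "__main__":
    backend = SecurePushBackend()
    token_a = backend.register_device("device-a")
    secret = {"account": "1234-5678", "balance": "EUR 12,345.00"}   # constructed sample data
    mid = backend.queue_message("device-a", secret, now=1000)
    ping = backend.build_ping_notification(mid)
    print(json.dumps(ping), "leaks:", leaks_sensitive_data(ping, secret))
    print(backend.fetch_message(mid, token_a, now=1010))
    print(backend.fetch_message(mid, token_a, now=1011))   # None: already consumed
```

The push body here never leaves the backend's trust boundary with anything but an identifier, so the answer's point stands even if the hub, the platform push service or the SAS credential is compromised: an attacker who can read or send pushes obtains ids, not data, and cannot redeem them without a device's bearer token.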

  2. Mateusz U 61 Reputation points
    2023-07-12T16:15:01.8866667+00:00

Thank you very much for your response. But regarding point no. 5 I can't find the "Push settings" option. Is there maybe some condition for it to show? SKU is "S1 - Standard"


    Location - West Europe

    User's image

