Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Please note that there is no direct integration between the Public IP of the Azure Firewall and an Event Hub.
As you mentioned, you can use the DNAT Feature of Azure Firewall to redirect incoming traffic to a private resource behind the Azure Firewall.
The intended purpose of DNAT rules in Azure Firewall is primarily to provide Layer 4 IP/Port translation.
- For any HTTPS traffic, customers are recommended to use Azure App Gateway, or Azure App Gateway + Azure Firewall in parallel.
- This document talks about this in detail.
- Moreover, I noticed there is no inbuilt support for custom domains in Event Hubs.
With regard to the last point above:
- You must make sure the requests hitting your PaaS service (Event Hub) use the proper domain name of your service.
- i.e., << {{ Namespace Name }}.servicebus.windows.net >>
- Please go through this document on why this would cause an issue: Host name preservation in Azure
- In your case, it should be contoso.servicebus.windows.net instead of contoso.azurewebsites.net
- I would suggest you leverage Azure App Gateway, add the Event Hub Private Endpoint as the backend, and see if this works.
Since there are no documents on this design, you can create a Dev/Test environment as above and let us know if there are any issues.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
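Added example, not part of the answer above and not Azure's or Event Hubs' own code: a small model of the host-name-preservation point. It parses a constructed HTTPS request that still carries a custom domain, checks whether the Host header and TLS SNI equal the namespace's own `<namespace>.servicebus.windows.net` name, rewrites the Host header the way a reverse proxy in front of the private endpoint has to, and includes a live TLS probe (not executed here) for confirming a deployed DNAT or private-endpoint path presents a certificate for the namespace name. The namespace `contoso`, the request contents and the probe address are constructed placeholders.

```python
"""Model of the host-name-preservation check for Event Hubs behind a proxy.

Illustrative example only (not Azure's code). It assumes the proxy terminates
TLS, forwards plain HTTP/1.1 requests to the backend, and that the backend is
an Event Hubs namespace reached via a private endpoint. All names below are
constructed placeholders.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

EVENTHUBS_SUFFIX = ".servicebus.windows.net"
# Namespace names are 6-50 chars, alphanumeric and hyphens, no leading/trailing hyphen (assumed).
_HOST_RE = re.compile(r"^[a-z0-9][a-z0-9-]{4,48}[a-z0-9]\.servicebus\.windows\.net$")


@dataclass
class Verdict:
    ok: bool
    reason: str


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the (lower-cased) Host header of a raw HTTP/1.1 request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower()
    return None


def check_backend_host(host: Optional[str], sni: str, namespace: str) -> Verdict:
    """The backend only answers for its own FQDN: Host and SNI must both be it."""
    expected = f"{namespace}{EVENTHUBS_SUFFIX}".lower()
    if host != expected:
        return Verdict(False, f"Host header {host!r} is not the namespace FQDN {expected!r}")
    if sni.lower() != expected:
        return Verdict(False, f"TLS SNI {sni!r} does not match Host {expected!r}")
    if not _HOST_RE.match(expected):
        return Verdict(False, f"{expected!r} is not a valid Event Hubs namespace host name")
    return Verdict(True, "request carries the namespace's own host name")


def rewrite_host(raw_request: bytes, backend_fqdn: str) -> bytes:
    """Replace the Host header with the backend FQDN, as a proxy must do when
    the client addressed a custom domain (the 'pick host name from backend'
    behaviour described for Application Gateway)."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [ln for ln in lines[1:] if not ln.lower().startswith(b"host:")]
    return b"\r\n".join([lines[0], b"Host: " + backend_fqdn.encode("ascii"), *kept]) + sep + body


def probe_tls(namespace: str, connect_ip: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (not run in this example): connect to the DNAT / private
    endpoint address but present the namespace FQDN as SNI and verify the
    certificate against it. Raises ssl.SSLCertVerificationError when the path
    terminates TLS with a certificate issued for some other name."""
    fqdn = f"{namespace}{EVENTHUBS_SUFFIX}"
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((connect_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return f"{fqdn} verified via {connect_ip}:{port} ({tls.version()})"


# Constructed sample: a client still addressing the App Service style custom name.
BAD_REQUEST = (
    b"POST /hub1/messages HTTP/1.1\r\n"
    b"Host: contoso.azurewebsites.net\r\n"
    b"Authorization: SharedAccessSignature sr=placeholder\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def demo(namespace: str = "contoso") -> Tuple[Verdict, Verdict]:
    """Verdict before and after the proxy rewrites the Host header."""
    fqdn = f"{namespace}{EVENTHUBS_SUFFIX}"
    before = check_backend_host(parse_host_header(BAD_REQUEST), "contoso.azurewebsites.net", namespace)
    fixed = rewrite_host(BAD_REQUEST, fqdn)
    after = check_backend_host(parse_host_header(fixed), fqdn, namespace)
    return before, after


if __name__ == "__main__":
    for v in demo():
        print("OK " if v.ok else "FAIL", v.reason)
```

The rewrite only fixes the HTTP hop; the TLS hop from the proxy to the private endpoint still needs SNI set to the namespace name, which is what `probe_tls` verifies against a real address once the Dev/Test environment from the answer exists.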