Service Bus: Ip has been prevented to connect to the endpoint

Question

Service Bus: Ip has been prevented to connect to the endpoint

Schneider, Michael 65

Since some days we are facing issues with our Azure Functions (ASP) connecting to the Azure Sevice Bus (Standard, not in VNET). This was working before without any issues and since some daiys it is not working anymore on all our environments so I wonder if there is any general issue.

Message: Put token failed. status-code: 401, status-description: Ip has been prevented to connect to the endpoint.For more information see:Virtual Network service endpoints

The Azure Functions are communication via Nat Gatway and the public Ip address is set in the IP Filter List of the SBN. The Vnet NSG allwos traffic form Function Vnet to the Subnet, used for the NAT Gateway.

I can see the blocked requests in the SBN Logs. As far as I deactivate the IP filter to allow any traffic, it is working again. I also can see, that the used outbound Ip is exactly the same which is set in the ip filter list. We are susing the AMQP protocol.

Also without Nat and with standard Function Outbound Ips it ist not working

[Error] An unhandled exception occurred in the message batch receive loop (namespace='....servicebus.windows.net', entityPath='.../Subscriptions/...', singleDispatch='False', isSessionsEnabled='False', functionId='Host.Functions.ProcessTripsBc').System.UnauthorizedAccessException : Put token failed. status-code: 401, status-description: Ip has been prevented to connect to the endpoint.For more information see:Virtual Network service endpoints:Event Hubs: https://go.microsoft.com/fwlink/?linkid=2044192Service Bus: https://go.microsoft.com/fwlink/?linkid=2044235IP Filters:Event Hubs: https://go.microsoft.com/fwlink/?linkid=2044428Service Bus: https://go.microsoft.com/fwlink/?linkid=2044183TrackingId:0ac55176-7c9d-4577-bc35-246418724a7d_G0

Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-04-01T04:19:45.6366667+00:00

Hi @Schneider, Michael , are you using IPv4 address? Are you sure you put the address correctly? Please make sure that your SBN IP filter only contains Public IPv4 address, no vnet CIDR such as 10.x.x.x/24. Did you set the option "Allow Trusted Microsoft services to bypass this firewall"?
Schneider, Michael 65 Reputation points

2025-04-01T06:34:13.2333333+00:00

@Silvia Wibowo Yes I'M using IPv4 and the format is correct, like I said it was working before with the same setup without any issues. The "Allow Trusted Microsoft services to bypass this firewall" is set but the Azure Function is not a trusted Service in this Scenario so it doesn't matter, I'm using it for the APIM which is also communication with the SBN and this is still working. Is there any way to see which IP address is blocked by the Service Bus? In the SBN log I just see provided Message but without corresponding IP address of the connecting service
Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-04-01T22:28:05.2233333+00:00
Hi @Schneider, Michael , as your Azure Function is using NAT Gateway, you can test by creating a VM (Windows/Linux) that uses the same NAT Gateway, then run the following command to check if any port is blocked on the firewall. Ports used are 443 (HTTPS), 5671 and 5672 (AMQP) and 9354 (Net Messaging/SBMP). Depending on the library you use, other ports are also used. Here's the sample command that check whether the 5671 port is blocked.

On Windows:

tnc <yournamespacename>.servicebus.windows.net -port 5671

On Linux:

telnet <yournamespacename>.servicebus.windows.net 5671

You can toggle the IP filter on the Service Bus to know whether it makes any difference with the test.

Another possibility: please check whether you have any service endpoint for Service Bus on your Azure Function's subnet.
Schneider, Michael 65 Reputation points

2025-04-02T06:43:13.36+00:00

@Silvia Wibowo Thank you for your quick answer, the Service Endpoint was a good hint, Indeed the SBN was configured in the Subnet as Service Endpoint, I wonder why this was working before, after checking my terraform code base, the last change on the configuration was already month ago. However by removing the Service Endpint, which is not required in my case, it is working again.

Thanks for your Support !
David Winston 0 Reputation points

2025-04-02T09:41:04.9666667+00:00

So your standard-tier Azure Service Bus had a Service Endpoint?
Schneider, Michael 65 Reputation points

2025-04-02T13:17:39.11+00:00

Yes, the Service Endpoint for Service Bus was configured on the subnet used by the Azure Function, and I have now removed it. I was just wondering how it could have worked before without using a Premium Service Bus namespace.

1 answer

Your answer

Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-04-01T04:19:45.6366667+00:00

Hi @Schneider, Michael , are you using IPv4 address? Are you sure you put the address correctly? Please make sure that your SBN IP filter only contains Public IPv4 address, no vnet CIDR such as 10.x.x.x/24. Did you set the option "Allow Trusted Microsoft services to bypass this firewall"?
Schneider, Michael 65 Reputation points

2025-04-01T06:34:13.2333333+00:00

@Silvia Wibowo Yes I'M using IPv4 and the format is correct, like I said it was working before with the same setup without any issues. The "Allow Trusted Microsoft services to bypass this firewall" is set but the Azure Function is not a trusted Service in this Scenario so it doesn't matter, I'm using it for the APIM which is also communication with the SBN and this is still working. Is there any way to see which IP address is blocked by the Service Bus? In the SBN log I just see provided Message but without corresponding IP address of the connecting service
Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator

2025-04-01T22:28:05.2233333+00:00

Hi @Schneider, Michael , as your Azure Function is using NAT Gateway, you can test by creating a VM (Windows/Linux) that uses the same NAT Gateway, then run the following command to check if any port is blocked on the firewall. Ports used are 443 (HTTPS), 5671 and 5672 (AMQP) and 9354 (Net Messaging/SBMP). Depending on the library you use, other ports are also used. Here's the sample command that check whether the 5671 port is blocked.

On Windows:

tnc <yournamespacename>.servicebus.windows.net -port 5671

On Linux:

telnet <yournamespacename>.servicebus.windows.net 5671

You can toggle the IP filter on the Service Bus to know whether it makes any difference with the test.

Another possibility: please check whether you have any service endpoint for Service Bus on your Azure Function's subnet.
Schneider, Michael 65 Reputation points

2025-04-02T06:43:13.36+00:00

@Silvia Wibowo Thank you for your quick answer, the Service Endpoint was a good hint, Indeed the SBN was configured in the Subnet as Service Endpoint, I wonder why this was working before, after checking my terraform code base, the last change on the configuration was already month ago. However by removing the Service Endpint, which is not required in my case, it is working again.

Thanks for your Support !
David Winston 0 Reputation points

2025-04-02T09:41:04.9666667+00:00

So your standard-tier Azure Service Bus had a Service Endpoint?
Schneider, Michael 65 Reputation points

2025-04-02T13:17:39.11+00:00

Yes, the Service Endpoint for Service Bus was configured on the subnet used by the Azure Function, and I have now removed it. I was just wondering how it could have worked before without using a Premium Service Bus namespace.

Answer 1

Hi @Schneider, Michael , thank you for confirming that your issue has been resolved.

Issue:

Service Bus Namespace (Standard SKU) with IP filter (SBN firewall) set to Public IP Address of NAT Gateway.
Azure Function is integrated with vnet, the subnet is set to use NAT Gateway.
Verified that NAT Gateway IP address is correct in SBN firewall.
Request from Azure Function to SBN is blocked.

Solution:

Turns out that Azure Function's subnet has service endpoint for Service Bus. This causes requests from Azure Function is received in SBN with private IP address, not NAT Gateway public IP address.
Remove service endpoint for Service Bus in Azure Function's subnet.
Request from Azure Function to SBN goes through.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Share via

Service Bus: Ip has been prevented to connect to the endpoint

1 answer

Your answer