Use service tags for Azure SignalR Service

You can use Service Tags to identify Azure SignalR Service traffic. A service tag represents a group of IP address prefixes. Azure SignalR Service manages a service tag called AzureSignalR for both inbound and outbound traffic.

A service tag can be used when configuring a Network Security Group. Alternatively, you can query the IP address prefixes using the Service Tag Discovery API.

Outbound traffic

Endpoints of Azure SignalR Service resources are guaranteed to be within IP ranges of Service Tag AzureSignalR.

Access Azure SignalR Service from virtual network

You can allow outbound traffic from your network to Azure SignalR Service by adding a new outbound network security rule.

  1. In the portal, go to the network security group.

  2. Select the settings menu called Outbound security rules.

  3. Select the Add button.

  4. Select Destination and choose Service Tag.

  5. Select Destination service tag and choose AzureSignalR.

  6. Enter 443 in Destination port ranges.

  7. Adjust other fields as needed.

  8. Select Add.

Inbound traffic

In the following scenarios, Azure SignalR Service can generate network traffic to your resource. The source of traffic is guaranteed to be within IP ranges of Service Tag AzureSignalR.

Upstream endpoints in virtual network

You can configure a Network Security Group to allow inbound traffic to the virtual network:

  1. In the portal, go to the network security group.

  2. Select Inbound security rules.

  3. Select the Add button.

  4. Select Source and choose Service Tag from the list.

  5. Select Source service tag and choose AzureSignalR from the list.

  6. Enter * in Source port ranges.

  7. Change other settings as needed.

  8. Select Add.

Note

Azure SignalR Service is a shared service. By allowing Service Tag AzureSignalR or its associated IP address prefixes, you also allow traffic from other resources, even if they belong to other customers. Make sure you implement appropriate authentication on your endpoints.
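
To audit which callers of an upstream endpoint actually arrive from the AzureSignalR ranges, the prefixes returned by the Service Tag Discovery API can be matched against logged source addresses. The following is an added example, not part of the original documentation; the function names are hypothetical and the JSON is a constructed sample that uses documentation prefixes rather than real Azure ranges. An address reported as inside the tag only shows that the traffic came from the shared service, so the endpoint still has to authenticate the request.

```python
import ipaddress
import json

# Constructed sample in the shape of the Service Tag Discovery output.
# Prefixes are documentation ranges (RFC 5737 / RFC 3849), not real Azure ranges.
SAMPLE_TAGS = json.loads("""
{
  "values": [
    {"name": "AzureSignalR",
     "properties": {"addressPrefixes": ["192.0.2.0/24", "2001:db8:1::/48"]}},
    {"name": "Storage",
     "properties": {"addressPrefixes": ["198.51.100.0/24"]}}
  ]
}
""")


def prefixes_for(tags, tag_name):
    """Return the parsed networks for one service tag (exact name match)."""
    for entry in tags["values"]:
        if entry["name"] == tag_name:
            return [ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag_name!r} not found")


def in_service_tag(ip, networks):
    """True if ip falls inside any prefix; IPv4 and IPv6 never cross-match."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def audit_sources(source_ips, tags, tag_name="AzureSignalR"):
    """Split observed source IPs into inside / outside the tag's ranges."""
    nets = prefixes_for(tags, tag_name)
    report = {"inside": [], "outside": [], "invalid": []}
    for ip in source_ips:
        try:
            key = "inside" if in_service_tag(ip, nets) else "outside"
        except ValueError:  # malformed address in the log
            key = "invalid"
        report[key].append(ip)
    return report


if __name__ == "__main__":
    # Constructed source addresses, as might appear in upstream endpoint logs.
    print(audit_sources(["192.0.2.10", "198.51.100.7", "2001:db8:1::5", "bogus"],
                        SAMPLE_TAGS))
```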

Upstream endpoints of Azure Function

You can configure a service tag-based rule.

Alternatively, you can use Shared Private Endpoints for better security. Shared Private Endpoints are dedicated to your resources. No traffic from other resources can access your endpoints.

Key vault access

We recommend Shared Private Endpoints for best security.
