Application Firewall (Preview) for Azure Web PubSub Service
The Application Firewall provides sophisticated control over client connections in a distributed system. Before diving into its functionality and setup, let's clarify what the Application Firewall does not do:
- It does not replace authentication. The firewall operates behind the client connection authentication layer.
- It is not related to network layer access control.
What Does the Application Firewall Do?
The Application Firewall consists of various rule lists. Currently, there is a rule list called Client Connection Count Rules. Future updates will support more rule lists to control aspects like connection lifetime and message throughput.
This guideline is divided into three parts:
- Introduction to different application firewall rules.
- Instructions on configuring the rules using the Portal or Bicep on the Web PubSub service side.
- Steps to configure the token on the server side.
Prerequisites
- A Web PubSub resource in premium tier.
Client Connection Count Rules
Client Connection Count Rules restrict concurrent client connections. When a client attempts to establish a new connection, the rules are checked sequentially. If any rule is violated, the connection is rejected with a status code 429.
ThrottleByUserIdRule
This rule limits the concurrent connections of a user. For example, if a user opens multiple browser tabs or logs in using different devices, you can use this rule to restrict the number of concurrent connections for that user.
Note
- The UserId must exist in the access token for this rule to work. Refer to Configure access token.
ThrottleByJwtSignatureRule
This rule limits the concurrent connections of the same token to prevent malicious users from reusing tokens to establish infinite connections, which can exhaust connection quota.
Note
- It's not guaranteed by default that tokens generated by the SDK are different each time. Though each token contains a timestamp, this timestamp might be the same if vast tokens are generated within seconds. To avoid identical tokens, insert a random claim into the token claims. Refer to Configure access token.
Warning
- Avoid using too aggressive maxCount. Client connections may close without completing the TCP handshake. SignalR service can't detect those "half-closed" connections immediately. The connection is taken as active until the heartbeat failure. Therefore, aggressive throttling strategies might unexpectedly throttle clients. A smoother approach is to leave some buffer for the connection count, for example: double the maxCount.
Set up Application Firewall
To use Application Firewall, navigate to the Web PubSub Application Firewall blade on the Azure portal and click Add to add a rule.
Configure access token
The application firewall rules only take effect when the access token contains the corresponding claim. A rule is skipped if the connection does not have the corresponding claim. *userId" and roles are currently supported claims in the SDK.
Below is an example to add userId and insert a unique placeholder in the access token:
// The GUID role wont have any effect. But it esures this token's uniqueness when using rule ThrottleByJwtSignatureRule.
var url = service.GetClientAccessUri((userId: "user1" , roles: new string[] { "webpubsub.joinLeaveGroup.group1", Guid.NewGuid().ToString()});
For more details, refer to Client negotiation .