Secure Azure Web PubSub outbound traffic through Shared Private Endpoints
If you're using an event handler in Azure Web PubSub Service, you might have outbound traffic to an upstream. Upstream such as Azure Web App and Azure Functions, can be configured to accept connections from a list of virtual networks and refuse outside connections that originate from a public network. You can create an outbound private endpoint connection to reach these endpoints.
This outbound method is subject to the following requirements:
The upstream must be Azure Web App or Azure Function.
The Azure Web PubSub Service service must be on the Standard tier.
The Azure Web App or Azure Function must be on certain SKUs. See Use Private Endpoints for Azure Web App.
Shared Private Link Resources Management
Private endpoints of secured resources that are created through Azure Web PubSub Service APIs are referred to as shared private link resources. This term is used because you're "sharing" access to a resource, such as an Azure Function that has been integrated with the Azure Private Link service. These private endpoints are created inside Azure Web PubSub Service execution environment and aren't directly visible to you.
The examples in this article are based on the following assumptions:
- The resource ID of this Azure Web PubSub Service is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webPubSub/contoso-webpubsub.
- The resource ID of upstream Azure Function is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.Web/sites/contoso-func.
The rest of the examples show how the contoso-webpubsub service can be configured so that its upstream calls to function go through a private endpoint rather than public network.
Step 1: Create a shared private link resource to the function
In the Azure portal, go to your Azure Web PubSub Service resource.
In the menu pane, select Networking. Switch to Private access tab.
Select Add shared private endpoint.
Fill in a name for the shared private endpoint.
Select the target linked resource either by selecting from your owned resources or by filling a resource ID.
The shared private endpoint resource will be in Succeeded provisioning state. The connection state is Pending approval at target resource side.
Step 2a: Approve the private endpoint connection for the function
After you approved the private endpoint connection, the Function is no longer accessible from public network. You may need to create other private endpoints in your own virtual network to access the Function endpoint.
In the Azure portal, select the Networking tab of your Function App and navigate to Private endpoint connections. Select Configure your private endpoint connections. After the asynchronous operation has succeeded, there should be a request for a private endpoint connection with the request message from the previous API call.
Select the private endpoint that Azure Web PubSub Service created. In the Private endpoint column, identify the private endpoint connection by the name that's specified in the previous API, select Approve.
Make sure that the private endpoint connection appears as shown in the following screenshot. It could take one to two minutes for the status to be updated in the portal.
Step 2b: Query the status of the shared private link resource
It takes minutes for the approval to be propagated to Azure Web PubSub Service. You can check the state using either Azure portal or Azure CLI.
At this point, the private endpoint between Azure SignalR Service and Azure Function is established.
Step 3: Verify upstream calls are from a private IP
Once the private endpoint is set up, you can verify incoming calls are from a private IP by checking the
X-Forwarded-For header at upstream side.
Learn more about private endpoints: