Secure Azure Web PubSub outbound traffic through Shared Private Endpoints

If you use an event handler in Azure Web PubSub Service, the service makes outbound calls to an upstream. Upstreams such as Azure Web App and Azure Functions can be configured to accept connections only from a list of virtual networks and to refuse connections that originate from the public network. You can create an outbound private endpoint connection so that Azure Web PubSub Service reaches these upstreams over a private address instead of the public network.

Diagram showing architecture of shared private endpoint.

This outbound method is subject to the following requirements:

  • The upstream must be an Azure Web App or an Azure Function.

  • The Azure Web PubSub Service resource must be on the Standard tier.

  • The Azure Web App or Azure Function must be on a SKU that supports private endpoints. See Use Private Endpoints for Azure Web App.

Private endpoints of secured resources that are created through Azure Web PubSub Service APIs are referred to as shared private link resources. The term is used because you're "sharing" access to a resource, such as an Azure Function, that has been integrated with the Azure Private Link service. These private endpoints are created inside the Azure Web PubSub Service execution environment and aren't directly visible to you: you don't choose their virtual network or address, and you can't reach them from your own networks.

Note

The examples in this article are based on the following assumptions:

  • The resource ID of this Azure Web PubSub Service is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webPubSub/contoso-webpubsub.
  • The resource ID of the upstream Azure Function is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.Web/sites/contoso-func.

The rest of this article shows how the contoso-webpubsub service can be configured so that its upstream calls to the function go through a private endpoint rather than the public network.

Step 1: Create a shared private endpoint

  1. In the Azure portal, go to your Azure Web PubSub Service resource.

  2. In the menu pane, select Networking. Switch to Private access tab.

  3. Select Add shared private endpoint.

    Screenshot of shared private endpoints management.

  4. Fill in a name for the shared private endpoint.

  5. Select the target linked resource either by selecting from your owned resources or by filling a resource ID.

  6. Select Add.

    Screenshot of adding a shared private endpoint.

  7. The shared private endpoint resource is in the Succeeded provisioning state. Its connection state is Pending, because the target resource side hasn't approved it yet.

    Screenshot of an added shared private endpoint.

Step 2a: Approve the private endpoint connection for the function

Important

After you approve the private endpoint connection, the Function is no longer accessible from the public network. To reach the Function endpoint yourself (for deployment, testing, or other callers), you may need to create other private endpoints in your own virtual network.

  1. In the Azure portal, select the Networking tab of your Function App and navigate to Private endpoint connections. Select Configure your private endpoint connections. After the asynchronous operation from the previous step has succeeded, there is a pending private endpoint connection request carrying the request message you supplied.

    Screenshot of the Azure portal, showing the Private endpoint connections pane.

  2. Select the private endpoint that Azure Web PubSub Service created. In the Private endpoint column, identify the connection by the name you specified in the previous step, then select Approve.

    Make sure that the private endpoint connection shows Approved, as in the following screenshot. It can take one to two minutes for the status to be updated in the portal.

    Screenshot of the Azure portal, showing an Approved status on the Private endpoint connections pane.

It can take a few minutes for the approval to propagate to Azure Web PubSub Service. You can check the connection state of the shared private endpoint in either the Azure portal or the Azure CLI.

Screenshot of an approved shared private endpoint.

At this point, the private endpoint between Azure Web PubSub Service and the Azure Function is established, and event handler calls to the function no longer traverse the public network.
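The portal steps above map onto two management-plane operations: a PUT on the sharedPrivateLinkResources child resource of the Web PubSub service (step 1), and a poll of that resource's connection status while the function owner approves it (step 2). The following script is an added example, not code from the article or from the Web PubSub product; it uses the resource IDs from the Note above. The link name func-pe, the request message, the api-version value and the use of urllib against the ARM endpoint are assumptions, and the bearer token is obtained out of band with `az account get-access-token`.

```python
"""Create a Web PubSub shared private endpoint through the ARM REST API and wait for approval.

Added example; not from the original article. Assumes the resource IDs in the
article's Note, api-version 2021-10-01 (assumption: any GA Web PubSub api-version
exposing sharedPrivateLinkResources works), and a bearer token obtained
separately, e.g. `az account get-access-token --query accessToken -o tsv`.
"""
import json
import time
import urllib.request
from typing import Optional

ARM = "https://management.azure.com"
API_VERSION = "2021-10-01"  # assumption, see module docstring

WEBPUBSUB_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso"
    "/providers/Microsoft.SignalRService/webPubSub/contoso-webpubsub"
)
FUNCTION_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso"
    "/providers/Microsoft.Web/sites/contoso-func"
)


def shared_private_link_url(webpubsub_id: str, link_name: str) -> str:
    """ARM URL of the sharedPrivateLinkResources child resource (used for both PUT and GET)."""
    return f"{ARM}{webpubsub_id}/sharedPrivateLinkResources/{link_name}?api-version={API_VERSION}"


def shared_private_link_body(link_name: str, target_id: str, message: str) -> dict:
    """PUT body. groupId 'sites' is the Private Link sub-resource for Web Apps and Function Apps."""
    return {
        "name": link_name,
        "properties": {
            "privateLinkResourceId": target_id,
            "groupId": "sites",
            "requestMessage": message,  # shown to the approver on the Function's Networking pane
        },
    }


def connection_status(resource: dict) -> str:
    """Connection state reported by GET: Pending, Approved, Rejected, Disconnected, Timeout."""
    return resource.get("properties", {}).get("status", "Unknown")


def arm_request(token: str, method: str, url: str, body: Optional[dict] = None) -> dict:
    """Minimal authenticated ARM call; raises urllib.error.HTTPError on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def wait_for_approval(token: str, url: str, timeout_s: int = 600, poll_s: int = 30) -> str:
    """Poll the shared private link resource until the target side approves or rejects it."""
    deadline = time.monotonic() + timeout_s
    while True:
        status = connection_status(arm_request(token, "GET", url))
        if status != "Pending" or time.monotonic() > deadline:
            return status
        time.sleep(poll_s)


if __name__ == "__main__":
    import subprocess

    token = subprocess.check_output(
        ["az", "account", "get-access-token", "--query", "accessToken", "-o", "tsv"], text=True
    ).strip()
    url = shared_private_link_url(WEBPUBSUB_ID, "func-pe")
    arm_request(token, "PUT", url, shared_private_link_body("func-pe", FUNCTION_ID, "please approve"))
    # Now approve the connection on the Function side (Step 2a), then wait for propagation.
    print("connection status:", wait_for_approval(token, url))
```

Run the PUT, approve the pending connection on the Function App's Networking pane as described in Step 2a (or, if you prefer the CLI, with `az network private-endpoint-connection approve --type Microsoft.Web/sites --resource-name contoso-func --resource-group contoso --name <connection name>`), and `wait_for_approval` returns Approved once the approval has propagated back to Web PubSub. Anything other than Approved (Rejected, Disconnected, Timeout, or Pending after the timeout) means the upstream call path is still broken and should be treated as a failed deployment rather than retried silently.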

Step 3: Verify upstream calls are from a private IP

Once the private endpoint is set up, you can verify that incoming calls arrive from a private IP by checking the X-Forwarded-For header on the upstream side. The first address in that header should be a private address from the Web PubSub execution environment, not a public Azure address.

Screenshot of the Azure portal, showing incoming requests are from a private IP.
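The check described above, expressed as code the upstream can run on every event handler call, as an added example that is not part of the original article. It assumes the upstream is an HTTP handler that sees the X-Forwarded-For header App Service populates (which may carry a source port, and may hold several comma-separated hops), and the sample headers below are constructed for illustration. Treat the result as a diagnostic and a defense-in-depth signal, not as authentication: keep whatever validation your event handler already performs on Web PubSub requests.

```python
"""Verify on the upstream side that Web PubSub event handler calls came over the private endpoint.

Added example; not from the original article. The address ranges, the handler
shape and the sample headers are assumptions made for illustration.
"""
import ipaddress
from typing import Mapping, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 1918 plus IPv6 unique-local space. Deliberately excludes loopback and link-local,
# which ipaddress's is_private would also accept but which never represent a private endpoint.
PRIVATE_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def first_forwarded_ip(headers: Mapping[str, str]) -> Optional[IPAddress]:
    """Return the first (client-side) hop of X-Forwarded-For, or None if absent or unparseable.

    Handles the "ip:port" form App Service may emit ("10.0.0.4:52318"), bracketed IPv6
    with a port ("[fd00::1]:443"), bare IPv6, and multi-hop lists.
    """
    xff = headers.get("X-Forwarded-For") or headers.get("x-forwarded-for")
    if not xff:
        return None
    hop = xff.split(",")[0].strip()
    if hop.startswith("["):           # [ipv6]:port
        hop = hop[1 : hop.find("]")]
    elif hop.count(":") == 1:         # ipv4:port (bare IPv6 always has 2+ colons)
        hop = hop.split(":")[0]
    try:
        return ipaddress.ip_address(hop)
    except ValueError:
        return None


def is_private_source(ip: IPAddress) -> bool:
    """True if the address falls in RFC 1918 or IPv6 ULA space (version mismatches are False)."""
    return any(ip in net for net in PRIVATE_RANGES)


def came_over_private_endpoint(headers: Mapping[str, str]) -> bool:
    ip = first_forwarded_ip(headers)
    return ip is not None and is_private_source(ip)


def handle_event(headers: Mapping[str, str]) -> Tuple[int, str]:
    """Event handler gate: refuse calls whose first hop is not a private address.

    Returns an (HTTP status, body) pair so it can sit in front of the real handler logic.
    """
    ip = first_forwarded_ip(headers)
    if ip is None:
        return 403, "missing or malformed X-Forwarded-For"
    if not is_private_source(ip):
        return 403, f"call from public address {ip}; expected the private endpoint"
    return 200, f"ok, call from private address {ip}"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        {"X-Forwarded-For": "10.0.0.4:52318"},               # private endpoint, IPv4 with port
        {"X-Forwarded-For": "[fd00::1]:443"},                # private endpoint, IPv6 with port
        {"X-Forwarded-For": "20.42.1.9:443, 10.0.0.4"},      # public first hop: rejected
        {"X-Forwarded-For": "127.0.0.1"},                    # loopback is not a private endpoint
        {},                                                  # header missing entirely
    ]
    for hdrs in samples:
        print(hdrs, "->", handle_event(hdrs))
```

The interesting cases are the last three: a public first hop means the call did not use the private endpoint (after approval that should be impossible, so seeing it is worth an alert), and loopback or a missing header are treated as failures rather than silently passed, because a check that defaults to allow tells you nothing.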

Next steps

Learn more about private endpoints: