Use service tags for Azure Web PubSub Service

You can use Service Tags to identify Azure Web PubSub Service traffic. A service tag represents a group of IP address prefixes. Azure Web PubSub Service manages a service tag called AzureWebPubSub for both inbound and outbound traffic.

A service tag can be used when for configuring Network Security Group. Alternatively, you can query the IP address prefixes using Service Tag Discovery API.

Outbound traffic

Endpoints of Azure Web PubSub Service resources are guaranteed to be within IP ranges of Service Tag AzureWebPubSub.

Access Azure Web PubSub Service from virtual network

You can allow outbound traffic from your network to Azure Web PubSub Service by adding a new outbound network security rule.

Azure portal

1. On portal, go to the network security group.

2. Select on the settings menu called Outbound security rules.

3. Select the Add button.

4. Select Destination and choose Service Tag.

5. Select Destination service tag and choose AzureWebPubSub.

6. Enter 443 in Destination port ranges.

   

7. Adjust other fields as needed.

8. Select Add.

Azure CLI

az network nsg rule create -n <rule-name> --nsg-name <nsg-name> -g <resource-group> --priority 100 --direction Outbound --destination-address-prefixes AzureWebPubSub

Inbound traffic

In following scenarios, Azure Web PubSub Service can generate network traffic to your resource. The source of traffic is guaranteed to be within IP ranges of Service Tag AzureWebPubSub.

• Use event handlers.
• Use event listeners
• Use Key Vault secret reference in URL template settings.
• Use custom certificate.

Event handler endpoints in virtual network

You can configure Network Security Group to allow inbound traffic to virtual network.

Azure portal

1. On portal, go to the network security group.

2. Select Inbound security rules.

3. Select the Add button.

4. Select Source and choose Service Tag from the list.

5. Select Source service tag and choose AzureWebPubSub from the list.

6. Enter * in Source port ranges.

   

7. Change other settings as needed.

8. Select Add.

Azure CLI

az network nsg rule create -n <rule-name> --nsg-name <nsg-name> -g <resource-group> --priority 100 --direction Inbound --source-address-prefixes AzureWebPubSub

Note

Azure Web PubSub Service is a shared service. By allowing Service Tag AzureWebPubSub or its associated IP address prefixes, you also allow traffic from other resources, even if they belong to other customers. Make sure you implement appropriate authentication on your endpoints.

Event handler endpoints of Azure Function

You can configure a service tag-based rule.

Alternatively, you can use Shared Private Endpoints for better security. Shared Private Endpoints are dedicated to your resources. No traffic from other resources can access your endpoints.

Event Hubs and Key Vault access

We recommend Shared Private Endpoints for best security.

Next steps

• Network security groups: service tags