Microsoft.SignalRService webPubSub

Bicep resource definition

The webPubSub resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SignalRService/webPubSub resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SignalRService/webPubSub@2024-10-01-preview' = {
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  kind: 'string'
  location: 'string'
  name: 'string'
  properties: {
    applicationFirewall: {
      clientConnectionCountRules: [
        {
          type: 'string'
          // For remaining properties, see ClientConnectionCountRule objects
        }
      ]
      clientTrafficControlRules: [
        {
          type: 'string'
          // For remaining properties, see ClientTrafficControlRule objects
        }
      ]
    }
    disableAadAuth: bool
    disableLocalAuth: bool
    liveTraceConfiguration: {
      categories: [
        {
          enabled: 'string'
          name: 'string'
        }
      ]
      enabled: 'string'
    }
    networkACLs: {
      defaultAction: 'string'
      ipRules: [
        {
          action: 'string'
          value: 'string'
        }
      ]
      privateEndpoints: [
        {
          allow: [
            'string'
          ]
          deny: [
            'string'
          ]
          name: 'string'
        }
      ]
      publicNetwork: {
        allow: [
          'string'
        ]
        deny: [
          'string'
        ]
      }
    }
    publicNetworkAccess: 'string'
    regionEndpointEnabled: 'string'
    resourceLogConfiguration: {
      categories: [
        {
          enabled: 'string'
          name: 'string'
        }
      ]
    }
    resourceStopped: 'string'
    socketIO: {
      serviceMode: 'string'
    }
    tls: {
      clientCertEnabled: bool
    }
  }
  sku: {
    capacity: int
    name: 'string'
    tier: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

ClientTrafficControlRule objects

Set the type property to specify the type of object.

For TrafficThrottleByJwtCustomClaimRule, use:

{
  aggregationWindowInSeconds: int
  claimName: 'string'
  maxInboundMessageBytes: int
  type: 'TrafficThrottleByJwtCustomClaimRule'
}

For TrafficThrottleByJwtSignatureRule, use:

{
  aggregationWindowInSeconds: int
  maxInboundMessageBytes: int
  type: 'TrafficThrottleByJwtSignatureRule'
}

For TrafficThrottleByUserIdRule, use:

{
  aggregationWindowInSeconds: int
  maxInboundMessageBytes: int
  type: 'TrafficThrottleByUserIdRule'
}

ClientConnectionCountRule objects

Set the type property to specify the type of object.

For ThrottleByJwtCustomClaimRule, use:

{
  claimName: 'string'
  maxCount: int
  type: 'ThrottleByJwtCustomClaimRule'
}

For ThrottleByJwtSignatureRule, use:

{
  maxCount: int
  type: 'ThrottleByJwtSignatureRule'
}

For ThrottleByUserIdRule, use:

{
  maxCount: int
  type: 'ThrottleByUserIdRule'
}

Property values

ApplicationFirewallSettings

Name Description Value
clientConnectionCountRules Rules to control the client connection count ClientConnectionCountRule[]
clientTrafficControlRules Rules to control the client traffic ClientTrafficControlRule[]

ClientConnectionCountRule

Name Description Value
type Set to 'ThrottleByJwtCustomClaimRule' for type ThrottleByJwtCustomClaimRule. Set to 'ThrottleByJwtSignatureRule' for type ThrottleByJwtSignatureRule. Set to 'ThrottleByUserIdRule' for type ThrottleByUserIdRule. 'ThrottleByJwtCustomClaimRule'
'ThrottleByJwtSignatureRule'
'ThrottleByUserIdRule' (required)

ClientTrafficControlRule

Name Description Value
type Set to 'TrafficThrottleByJwtCustomClaimRule' for type TrafficThrottleByJwtCustomClaimRule. Set to 'TrafficThrottleByJwtSignatureRule' for type TrafficThrottleByJwtSignatureRule. Set to 'TrafficThrottleByUserIdRule' for type TrafficThrottleByUserIdRule. 'TrafficThrottleByJwtCustomClaimRule'
'TrafficThrottleByJwtSignatureRule'
'TrafficThrottleByUserIdRule' (required)

IPRule

Name Description Value
action Azure Networking ACL Action. 'Allow'
'Deny'
value An IP or CIDR or ServiceTag string

LiveTraceCategory

Name Description Value
enabled Indicates whether or the live trace category is enabled.
Available values: true, false.
Case insensitive.
string
name Gets or sets the live trace category's name.
Available values: ConnectivityLogs, MessagingLogs.
Case insensitive.
string

LiveTraceConfiguration

Name Description Value
categories Gets or sets the list of category configurations. LiveTraceCategory[]
enabled Indicates whether or not enable live trace.
When it's set to true, live trace client can connect to the service.
Otherwise, live trace client can't connect to the service, so that you are unable to receive any log, no matter what you configure in "categories".
Available values: true, false.
Case insensitive.
string

ManagedIdentity

Name Description Value
type Represents the identity type: systemAssigned, userAssigned, None 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities Get or set the user assigned identities ManagedIdentityUserAssignedIdentities

ManagedIdentityUserAssignedIdentities

Name Description Value

Microsoft.SignalRService/webPubSub

Name Description Value
identity A class represent managed identities used for request and response ManagedIdentity
kind The kind of the service 'SocketIO'
'WebPubSub'
location The geo-location where the resource lives string (required)
name The resource name string

Constraints:
Min length = 3
Max length = 3
Pattern = ^[a-zA-Z][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]$ (required)
properties A class that describes the properties of the resource WebPubSubProperties
sku The billing information of the resource. ResourceSku
tags Resource tags Dictionary of tag names and values. See Tags in templates

NetworkACL

Name Description Value
allow Allowed request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'
deny Denied request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'

PrivateEndpointACL

Name Description Value
allow Allowed request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'
deny Denied request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'
name Name of the private endpoint connection string (required)

ResourceLogCategory

Name Description Value
enabled Indicates whether or the resource log category is enabled.
Available values: true, false.
Case insensitive.
string
name Gets or sets the resource log category's name.
Available values: ConnectivityLogs, MessagingLogs.
Case insensitive.
string

ResourceLogConfiguration

Name Description Value
categories Gets or sets the list of category configurations. ResourceLogCategory[]

ResourceSku

Name Description Value
capacity Optional, integer. The unit count of the resource.
1 for Free_F1/Standard_S1/Premium_P1, 100 for Premium_P2 by default.

If present, following values are allowed:
Free_F1: 1;
Standard_S1: 1,2,3,4,5,6,7,8,9,10,20,30,40,50,60,70,80,90,100;
Premium_P1: 1,2,3,4,5,6,7,8,9,10,20,30,40,50,60,70,80,90,100;
Premium_P2: 100,200,300,400,500,600,700,800,900,1000;
int
name The name of the SKU. Required.

Allowed values: Standard_S1, Free_F1, Premium_P1, Premium_P2
string (required)
tier Optional tier of this particular SKU. 'Standard' or 'Free'.

Basic is deprecated, use Standard instead.
'Basic'
'Free'
'Premium'
'Standard'

ThrottleByJwtCustomClaimRule

Name Description Value
claimName The name of the claim in the JWT token. The client connection with the same claim value will be aggregated. If the claim is not found in the token, the connection will be allowed. string (required)
maxCount Maximum connection count allowed for the same Jwt claim value. Clients with the same Jwt claim will get rejected if the connection count exceeds this value. Default value is 20. int

Constraints:
Min value = 0
Max value = 2147483647
type 'ThrottleByJwtCustomClaimRule' (required)

ThrottleByJwtSignatureRule

Name Description Value
maxCount Maximum connection count allowed for the same JWT signature. Clients with the same JWT signature will get rejected if the connection count exceeds this value. Default value is 20. int

Constraints:
Min value = 0
Max value = 2147483647
type 'ThrottleByJwtSignatureRule' (required)

ThrottleByUserIdRule

Name Description Value
maxCount Maximum connection count allowed for the same user ID. Clients with the same user ID will get rejected if the connection count exceeds this value. Default value is 20. int

Constraints:
Min value = 0
Max value = 2147483647
type 'ThrottleByUserIdRule' (required)

TrackedResourceTags

Name Description Value

TrafficThrottleByJwtCustomClaimRule

Name Description Value
aggregationWindowInSeconds The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window. Default value is 60 seconds. int

Constraints:
Min value = 10
Max value = 3600
claimName The name of the claim in the JWT token. The message bytes with the same claim value will be aggregated. If the claim is not found in the token, the rule will be skipped. string (required)
maxInboundMessageBytes Maximum accumulated inbound message bytes allowed for the same JWT signature within a time window. Clients with the same JWT claim will get disconnected if the message bytes exceeds this value. Default value is 1GB. int

Constraints:
Min value = 0
type 'TrafficThrottleByJwtCustomClaimRule' (required)

TrafficThrottleByJwtSignatureRule

Name Description Value
aggregationWindowInSeconds The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window. Default value is 60 seconds. int

Constraints:
Min value = 10
Max value = 3600
maxInboundMessageBytes Maximum accumulated inbound message bytes allowed for the same JWT signature within a time window. Clients with the same JWT signature will get disconnected if the message bytes exceeds this value. Default value is 1GB. int

Constraints:
Min value = 0
type 'TrafficThrottleByJwtSignatureRule' (required)

TrafficThrottleByUserIdRule

Name Description Value
aggregationWindowInSeconds The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window. Default value is 60 seconds. int

Constraints:
Min value = 10
Max value = 3600
maxInboundMessageBytes Maximum accumulated inbound message bytes allowed for the same user ID within a time window. Clients with the same user ID will get disconnected if the message bytes exceeds this value. Default value is 1GB. int

Constraints:
Min value = 0
type 'TrafficThrottleByUserIdRule' (required)

UserAssignedIdentityProperty

Name Description Value

WebPubSubNetworkACLs

Name Description Value
defaultAction Azure Networking ACL Action. 'Allow'
'Deny'
ipRules IP rules for filtering public traffic IPRule[]
privateEndpoints ACLs for requests from private endpoints PrivateEndpointACL[]
publicNetwork Network ACL NetworkACL

WebPubSubProperties

Name Description Value
applicationFirewall Application firewall settings for the resource ApplicationFirewallSettings
disableAadAuth DisableLocalAuth
Enable or disable aad auth
When set as true, connection with AuthType=aad won't work.
bool
disableLocalAuth DisableLocalAuth
Enable or disable local auth with AccessKey
When set as true, connection with AccessKey=xxx won't work.
bool
liveTraceConfiguration Live trace configuration of a Microsoft.SignalRService resource. LiveTraceConfiguration
networkACLs Network ACLs for the resource WebPubSubNetworkACLs
publicNetworkAccess Enable or disable public network access. Default to "Enabled".
When it's Enabled, network ACLs still apply.
When it's Disabled, public network access is always disabled no matter what you set in network ACLs.
string
regionEndpointEnabled Enable or disable the regional endpoint. Default to "Enabled".
When it's Disabled, new connections will not be routed to this endpoint, however existing connections will not be affected.
This property is replica specific. Disable the regional endpoint without replica is not allowed.
string
resourceLogConfiguration Resource log configuration of a Microsoft.SignalRService resource. ResourceLogConfiguration
resourceStopped Stop or start the resource. Default to "False".
When it's true, the data plane of the resource is shutdown.
When it's false, the data plane of the resource is started.
string
socketIO SocketIO settings for the resource WebPubSubSocketIOSettings
tls TLS settings for the resource WebPubSubTlsSettings

WebPubSubSocketIOSettings

Name Description Value
serviceMode The service mode of Web PubSub for Socket.IO. Values allowed:
"Default": have your own backend Socket.IO server
"Serverless": your application doesn't have a backend server
string

WebPubSubTlsSettings

Name Description Value
clientCertEnabled Request client certificate during TLS handshake if enabled. Not supported for free tier. Any input will be ignored for free tier. bool

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Create Azure Web PubSub by using Bicep Azure Web PubSub Service helps you build real-time messaging web applications using WebSockets and the publish-subscribe pattern. This uses Bicep language to create and configure a Web PubSub resource. You can use this template to conveniently deploy Web PubSub for a tutorial or testing, or as a building block for more complex deployments with Web PubSub.

ARM template resource definition

The webPubSub resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SignalRService/webPubSub resource, add the following JSON to your template.

{
  "type": "Microsoft.SignalRService/webPubSub",
  "apiVersion": "2024-10-01-preview",
  "name": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "kind": "string",
  "location": "string",
  "properties": {
    "applicationFirewall": {
      "clientConnectionCountRules": [ {
        "type": "string"
        // For remaining properties, see ClientConnectionCountRule objects
      } ],
      "clientTrafficControlRules": [ {
        "type": "string"
        // For remaining properties, see ClientTrafficControlRule objects
      } ]
    },
    "disableAadAuth": "bool",
    "disableLocalAuth": "bool",
    "liveTraceConfiguration": {
      "categories": [
        {
          "enabled": "string",
          "name": "string"
        }
      ],
      "enabled": "string"
    },
    "networkACLs": {
      "defaultAction": "string",
      "ipRules": [
        {
          "action": "string",
          "value": "string"
        }
      ],
      "privateEndpoints": [
        {
          "allow": [ "string" ],
          "deny": [ "string" ],
          "name": "string"
        }
      ],
      "publicNetwork": {
        "allow": [ "string" ],
        "deny": [ "string" ]
      }
    },
    "publicNetworkAccess": "string",
    "regionEndpointEnabled": "string",
    "resourceLogConfiguration": {
      "categories": [
        {
          "enabled": "string",
          "name": "string"
        }
      ]
    },
    "resourceStopped": "string",
    "socketIO": {
      "serviceMode": "string"
    },
    "tls": {
      "clientCertEnabled": "bool"
    }
  },
  "sku": {
    "capacity": "int",
    "name": "string",
    "tier": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

ClientTrafficControlRule objects

Set the type property to specify the type of object.

For TrafficThrottleByJwtCustomClaimRule, use:

{
  "aggregationWindowInSeconds": "int",
  "claimName": "string",
  "maxInboundMessageBytes": "int",
  "type": "TrafficThrottleByJwtCustomClaimRule"
}

For TrafficThrottleByJwtSignatureRule, use:

{
  "aggregationWindowInSeconds": "int",
  "maxInboundMessageBytes": "int",
  "type": "TrafficThrottleByJwtSignatureRule"
}

For TrafficThrottleByUserIdRule, use:

{
  "aggregationWindowInSeconds": "int",
  "maxInboundMessageBytes": "int",
  "type": "TrafficThrottleByUserIdRule"
}

ClientConnectionCountRule objects

Set the type property to specify the type of object.

For ThrottleByJwtCustomClaimRule, use:

{
  "claimName": "string",
  "maxCount": "int",
  "type": "ThrottleByJwtCustomClaimRule"
}

For ThrottleByJwtSignatureRule, use:

{
  "maxCount": "int",
  "type": "ThrottleByJwtSignatureRule"
}

For ThrottleByUserIdRule, use:

{
  "maxCount": "int",
  "type": "ThrottleByUserIdRule"
}

Property values

ApplicationFirewallSettings

Name Description Value
clientConnectionCountRules Rules to control the client connection count ClientConnectionCountRule[]
clientTrafficControlRules Rules to control the client traffic ClientTrafficControlRule[]

ClientConnectionCountRule

Name Description Value
type Set to 'ThrottleByJwtCustomClaimRule' for type ThrottleByJwtCustomClaimRule. Set to 'ThrottleByJwtSignatureRule' for type ThrottleByJwtSignatureRule. Set to 'ThrottleByUserIdRule' for type ThrottleByUserIdRule. 'ThrottleByJwtCustomClaimRule'
'ThrottleByJwtSignatureRule'
'ThrottleByUserIdRule' (required)

ClientTrafficControlRule

Name Description Value
type Set to 'TrafficThrottleByJwtCustomClaimRule' for type TrafficThrottleByJwtCustomClaimRule. Set to 'TrafficThrottleByJwtSignatureRule' for type TrafficThrottleByJwtSignatureRule. Set to 'TrafficThrottleByUserIdRule' for type TrafficThrottleByUserIdRule. 'TrafficThrottleByJwtCustomClaimRule'
'TrafficThrottleByJwtSignatureRule'
'TrafficThrottleByUserIdRule' (required)

IPRule

Name Description Value
action Azure Networking ACL Action. 'Allow'
'Deny'
value An IP or CIDR or ServiceTag string

LiveTraceCategory

Name Description Value
enabled Indicates whether or the live trace category is enabled.
Available values: true, false.
Case insensitive.
string
name Gets or sets the live trace category's name.
Available values: ConnectivityLogs, MessagingLogs.
Case insensitive.
string

LiveTraceConfiguration

Name Description Value
categories Gets or sets the list of category configurations. LiveTraceCategory[]
enabled Indicates whether or not enable live trace.
When it's set to true, live trace client can connect to the service.
Otherwise, live trace client can't connect to the service, so that you are unable to receive any log, no matter what you configure in "categories".
Available values: true, false.
Case insensitive.
string

ManagedIdentity

Name Description Value
type Represents the identity type: systemAssigned, userAssigned, None 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities Get or set the user assigned identities ManagedIdentityUserAssignedIdentities

ManagedIdentityUserAssignedIdentities

Name Description Value

Microsoft.SignalRService/webPubSub

Name Description Value
apiVersion The api version '2024-10-01-preview'
identity A class represent managed identities used for request and response ManagedIdentity
kind The kind of the service 'SocketIO'
'WebPubSub'
location The geo-location where the resource lives string (required)
name The resource name string

Constraints:
Min length = 3
Max length = 3
Pattern = ^[a-zA-Z][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]$ (required)
properties A class that describes the properties of the resource WebPubSubProperties
sku The billing information of the resource. ResourceSku
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.SignalRService/webPubSub'

NetworkACL

Name Description Value
allow Allowed request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'
deny Denied request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'

PrivateEndpointACL

Name Description Value
allow Allowed request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'
deny Denied request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'
name Name of the private endpoint connection string (required)

ResourceLogCategory

Name Description Value
enabled Indicates whether or the resource log category is enabled.
Available values: true, false.
Case insensitive.
string
name Gets or sets the resource log category's name.
Available values: ConnectivityLogs, MessagingLogs.
Case insensitive.
string

ResourceLogConfiguration

Name Description Value
categories Gets or sets the list of category configurations. ResourceLogCategory[]

ResourceSku

Name Description Value
capacity Optional, integer. The unit count of the resource.
1 for Free_F1/Standard_S1/Premium_P1, 100 for Premium_P2 by default.

If present, following values are allowed:
Free_F1: 1;
Standard_S1: 1,2,3,4,5,6,7,8,9,10,20,30,40,50,60,70,80,90,100;
Premium_P1: 1,2,3,4,5,6,7,8,9,10,20,30,40,50,60,70,80,90,100;
Premium_P2: 100,200,300,400,500,600,700,800,900,1000;
int
name The name of the SKU. Required.

Allowed values: Standard_S1, Free_F1, Premium_P1, Premium_P2
string (required)
tier Optional tier of this particular SKU. 'Standard' or 'Free'.

Basic is deprecated, use Standard instead.
'Basic'
'Free'
'Premium'
'Standard'

ThrottleByJwtCustomClaimRule

Name Description Value
claimName The name of the claim in the JWT token. The client connection with the same claim value will be aggregated. If the claim is not found in the token, the connection will be allowed. string (required)
maxCount Maximum connection count allowed for the same Jwt claim value. Clients with the same Jwt claim will get rejected if the connection count exceeds this value. Default value is 20. int

Constraints:
Min value = 0
Max value = 2147483647
type 'ThrottleByJwtCustomClaimRule' (required)

ThrottleByJwtSignatureRule

Name Description Value
maxCount Maximum connection count allowed for the same JWT signature. Clients with the same JWT signature will get rejected if the connection count exceeds this value. Default value is 20. int

Constraints:
Min value = 0
Max value = 2147483647
type 'ThrottleByJwtSignatureRule' (required)

ThrottleByUserIdRule

Name Description Value
maxCount Maximum connection count allowed for the same user ID. Clients with the same user ID will get rejected if the connection count exceeds this value. Default value is 20. int

Constraints:
Min value = 0
Max value = 2147483647
type 'ThrottleByUserIdRule' (required)

TrackedResourceTags

Name Description Value

TrafficThrottleByJwtCustomClaimRule

Name Description Value
aggregationWindowInSeconds The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window. Default value is 60 seconds. int

Constraints:
Min value = 10
Max value = 3600
claimName The name of the claim in the JWT token. The message bytes with the same claim value will be aggregated. If the claim is not found in the token, the rule will be skipped. string (required)
maxInboundMessageBytes Maximum accumulated inbound message bytes allowed for the same JWT signature within a time window. Clients with the same JWT claim will get disconnected if the message bytes exceeds this value. Default value is 1GB. int

Constraints:
Min value = 0
type 'TrafficThrottleByJwtCustomClaimRule' (required)

TrafficThrottleByJwtSignatureRule

Name Description Value
aggregationWindowInSeconds The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window. Default value is 60 seconds. int

Constraints:
Min value = 10
Max value = 3600
maxInboundMessageBytes Maximum accumulated inbound message bytes allowed for the same JWT signature within a time window. Clients with the same JWT signature will get disconnected if the message bytes exceeds this value. Default value is 1GB. int

Constraints:
Min value = 0
type 'TrafficThrottleByJwtSignatureRule' (required)

TrafficThrottleByUserIdRule

Name Description Value
aggregationWindowInSeconds The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window. Default value is 60 seconds. int

Constraints:
Min value = 10
Max value = 3600
maxInboundMessageBytes Maximum accumulated inbound message bytes allowed for the same user ID within a time window. Clients with the same user ID will get disconnected if the message bytes exceeds this value. Default value is 1GB. int

Constraints:
Min value = 0
type 'TrafficThrottleByUserIdRule' (required)

UserAssignedIdentityProperty

Name Description Value

WebPubSubNetworkACLs

Name Description Value
defaultAction Azure Networking ACL Action. 'Allow'
'Deny'
ipRules IP rules for filtering public traffic IPRule[]
privateEndpoints ACLs for requests from private endpoints PrivateEndpointACL[]
publicNetwork Network ACL NetworkACL

WebPubSubProperties

Name Description Value
applicationFirewall Application firewall settings for the resource ApplicationFirewallSettings
disableAadAuth DisableLocalAuth
Enable or disable aad auth
When set as true, connection with AuthType=aad won't work.
bool
disableLocalAuth DisableLocalAuth
Enable or disable local auth with AccessKey
When set as true, connection with AccessKey=xxx won't work.
bool
liveTraceConfiguration Live trace configuration of a Microsoft.SignalRService resource. LiveTraceConfiguration
networkACLs Network ACLs for the resource WebPubSubNetworkACLs
publicNetworkAccess Enable or disable public network access. Default to "Enabled".
When it's Enabled, network ACLs still apply.
When it's Disabled, public network access is always disabled no matter what you set in network ACLs.
string
regionEndpointEnabled Enable or disable the regional endpoint. Default to "Enabled".
When it's Disabled, new connections will not be routed to this endpoint, however existing connections will not be affected.
This property is replica specific. Disable the regional endpoint without replica is not allowed.
string
resourceLogConfiguration Resource log configuration of a Microsoft.SignalRService resource. ResourceLogConfiguration
resourceStopped Stop or start the resource. Default to "False".
When it's true, the data plane of the resource is shutdown.
When it's false, the data plane of the resource is started.
string
socketIO SocketIO settings for the resource WebPubSubSocketIOSettings
tls TLS settings for the resource WebPubSubTlsSettings

WebPubSubSocketIOSettings

Name Description Value
serviceMode The service mode of Web PubSub for Socket.IO. Values allowed:
"Default": have your own backend Socket.IO server
"Serverless": your application doesn't have a backend server
string

WebPubSubTlsSettings

Name Description Value
clientCertEnabled Request client certificate during TLS handshake if enabled. Not supported for free tier. Any input will be ignored for free tier. bool

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create Azure Web PubSub by using Bicep

Deploy to Azure
Azure Web PubSub Service helps you build real-time messaging web applications using WebSockets and the publish-subscribe pattern. This uses Bicep language to create and configure a Web PubSub resource. You can use this template to conveniently deploy Web PubSub for a tutorial or testing, or as a building block for more complex deployments with Web PubSub.

Terraform (AzAPI provider) resource definition

The webPubSub resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SignalRService/webPubSub resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.SignalRService/webPubSub@2024-10-01-preview"
  name = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  kind = "string"
  location = "string"
  sku = {
    capacity = int
    name = "string"
    tier = "string"
  }
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    properties = {
      applicationFirewall = {
        clientConnectionCountRules = [
          {
            type = "string"
            // For remaining properties, see ClientConnectionCountRule objects
          }
        ]
        clientTrafficControlRules = [
          {
            type = "string"
            // For remaining properties, see ClientTrafficControlRule objects
          }
        ]
      }
      disableAadAuth = bool
      disableLocalAuth = bool
      liveTraceConfiguration = {
        categories = [
          {
            enabled = "string"
            name = "string"
          }
        ]
        enabled = "string"
      }
      networkACLs = {
        defaultAction = "string"
        ipRules = [
          {
            action = "string"
            value = "string"
          }
        ]
        privateEndpoints = [
          {
            allow = [
              "string"
            ]
            deny = [
              "string"
            ]
            name = "string"
          }
        ]
        publicNetwork = {
          allow = [
            "string"
          ]
          deny = [
            "string"
          ]
        }
      }
      publicNetworkAccess = "string"
      regionEndpointEnabled = "string"
      resourceLogConfiguration = {
        categories = [
          {
            enabled = "string"
            name = "string"
          }
        ]
      }
      resourceStopped = "string"
      socketIO = {
        serviceMode = "string"
      }
      tls = {
        clientCertEnabled = bool
      }
    }
  })
}

ClientTrafficControlRule objects

Set the type property to specify the type of object.

For TrafficThrottleByJwtCustomClaimRule, use:

{
  aggregationWindowInSeconds = int
  claimName = "string"
  maxInboundMessageBytes = int
  type = "TrafficThrottleByJwtCustomClaimRule"
}

For TrafficThrottleByJwtSignatureRule, use:

{
  aggregationWindowInSeconds = int
  maxInboundMessageBytes = int
  type = "TrafficThrottleByJwtSignatureRule"
}

For TrafficThrottleByUserIdRule, use:

{
  aggregationWindowInSeconds = int
  maxInboundMessageBytes = int
  type = "TrafficThrottleByUserIdRule"
}

ClientConnectionCountRule objects

Set the type property to specify the type of object.

For ThrottleByJwtCustomClaimRule, use:

{
  claimName = "string"
  maxCount = int
  type = "ThrottleByJwtCustomClaimRule"
}

For ThrottleByJwtSignatureRule, use:

{
  maxCount = int
  type = "ThrottleByJwtSignatureRule"
}

For ThrottleByUserIdRule, use:

{
  maxCount = int
  type = "ThrottleByUserIdRule"
}

Property values

ApplicationFirewallSettings

Name Description Value
clientConnectionCountRules Rules to control the client connection count ClientConnectionCountRule[]
clientTrafficControlRules Rules to control the client traffic ClientTrafficControlRule[]

ClientConnectionCountRule

Name Description Value
type Set to 'ThrottleByJwtCustomClaimRule' for type ThrottleByJwtCustomClaimRule. Set to 'ThrottleByJwtSignatureRule' for type ThrottleByJwtSignatureRule. Set to 'ThrottleByUserIdRule' for type ThrottleByUserIdRule. 'ThrottleByJwtCustomClaimRule'
'ThrottleByJwtSignatureRule'
'ThrottleByUserIdRule' (required)

ClientTrafficControlRule

Name Description Value
type Set to 'TrafficThrottleByJwtCustomClaimRule' for type TrafficThrottleByJwtCustomClaimRule. Set to 'TrafficThrottleByJwtSignatureRule' for type TrafficThrottleByJwtSignatureRule. Set to 'TrafficThrottleByUserIdRule' for type TrafficThrottleByUserIdRule. 'TrafficThrottleByJwtCustomClaimRule'
'TrafficThrottleByJwtSignatureRule'
'TrafficThrottleByUserIdRule' (required)

IPRule

Name Description Value
action Azure Networking ACL Action. 'Allow'
'Deny'
value An IP or CIDR or ServiceTag string

LiveTraceCategory

Name Description Value
enabled Indicates whether or the live trace category is enabled.
Available values: true, false.
Case insensitive.
string
name Gets or sets the live trace category's name.
Available values: ConnectivityLogs, MessagingLogs.
Case insensitive.
string

LiveTraceConfiguration

Name Description Value
categories Gets or sets the list of category configurations. LiveTraceCategory[]
enabled Indicates whether or not enable live trace.
When it's set to true, live trace client can connect to the service.
Otherwise, live trace client can't connect to the service, so that you are unable to receive any log, no matter what you configure in "categories".
Available values: true, false.
Case insensitive.
string

ManagedIdentity

Name Description Value
type Represents the identity type: systemAssigned, userAssigned, None 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities Get or set the user assigned identities ManagedIdentityUserAssignedIdentities

ManagedIdentityUserAssignedIdentities

Name Description Value

Microsoft.SignalRService/webPubSub

Name Description Value
identity A class represent managed identities used for request and response ManagedIdentity
kind The kind of the service 'SocketIO'
'WebPubSub'
location The geo-location where the resource lives string (required)
name The resource name string

Constraints:
Min length = 3
Max length = 3
Pattern = ^[a-zA-Z][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]$ (required)
properties A class that describes the properties of the resource WebPubSubProperties
sku The billing information of the resource. ResourceSku
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.SignalRService/webPubSub@2024-10-01-preview"

NetworkACL

Name Description Value
allow Allowed request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'
deny Denied request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'

PrivateEndpointACL

Name Description Value
allow Allowed request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'
deny Denied request types. The value can be one or more of: ClientConnection, ServerConnection, RESTAPI. String array containing any of:
'ClientConnection'
'RESTAPI'
'ServerConnection'
'Trace'
name Name of the private endpoint connection string (required)

ResourceLogCategory

Name Description Value
enabled Indicates whether or the resource log category is enabled.
Available values: true, false.
Case insensitive.
string
name Gets or sets the resource log category's name.
Available values: ConnectivityLogs, MessagingLogs.
Case insensitive.
string

ResourceLogConfiguration

Name Description Value
categories Gets or sets the list of category configurations. ResourceLogCategory[]

ResourceSku

Name Description Value
capacity Optional, integer. The unit count of the resource.
1 for Free_F1/Standard_S1/Premium_P1, 100 for Premium_P2 by default.

If present, following values are allowed:
Free_F1: 1;
Standard_S1: 1,2,3,4,5,6,7,8,9,10,20,30,40,50,60,70,80,90,100;
Premium_P1: 1,2,3,4,5,6,7,8,9,10,20,30,40,50,60,70,80,90,100;
Premium_P2: 100,200,300,400,500,600,700,800,900,1000;
int
name The name of the SKU. Required.

Allowed values: Standard_S1, Free_F1, Premium_P1, Premium_P2
string (required)
tier Optional tier of this particular SKU. 'Standard' or 'Free'.

Basic is deprecated, use Standard instead.
'Basic'
'Free'
'Premium'
'Standard'

ThrottleByJwtCustomClaimRule

Name Description Value
claimName The name of the claim in the JWT token. The client connection with the same claim value will be aggregated. If the claim is not found in the token, the connection will be allowed. string (required)
maxCount Maximum connection count allowed for the same Jwt claim value. Clients with the same Jwt claim will get rejected if the connection count exceeds this value. Default value is 20. int

Constraints:
Min value = 0
Max value = 2147483647
type 'ThrottleByJwtCustomClaimRule' (required)

ThrottleByJwtSignatureRule

Name Description Value
maxCount Maximum connection count allowed for the same JWT signature. Clients with the same JWT signature will get rejected if the connection count exceeds this value. Default value is 20. int

Constraints:
Min value = 0
Max value = 2147483647
type 'ThrottleByJwtSignatureRule' (required)

ThrottleByUserIdRule

Name Description Value
maxCount Maximum connection count allowed for the same user ID. Clients with the same user ID will get rejected if the connection count exceeds this value. Default value is 20. int

Constraints:
Min value = 0
Max value = 2147483647
type 'ThrottleByUserIdRule' (required)

TrackedResourceTags

Name Description Value

TrafficThrottleByJwtCustomClaimRule

Name Description Value
aggregationWindowInSeconds The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window. Default value is 60 seconds. int

Constraints:
Min value = 10
Max value = 3600
claimName The name of the claim in the JWT token. The message bytes with the same claim value will be aggregated. If the claim is not found in the token, the rule will be skipped. string (required)
maxInboundMessageBytes Maximum accumulated inbound message bytes allowed for the same JWT signature within a time window. Clients with the same JWT claim will get disconnected if the message bytes exceeds this value. Default value is 1GB. int

Constraints:
Min value = 0
type 'TrafficThrottleByJwtCustomClaimRule' (required)

TrafficThrottleByJwtSignatureRule

Name Description Value
aggregationWindowInSeconds The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window. Default value is 60 seconds. int

Constraints:
Min value = 10
Max value = 3600
maxInboundMessageBytes Maximum accumulated inbound message bytes allowed for the same JWT signature within a time window. Clients with the same JWT signature will get disconnected if the message bytes exceeds this value. Default value is 1GB. int

Constraints:
Min value = 0
type 'TrafficThrottleByJwtSignatureRule' (required)

TrafficThrottleByUserIdRule

Name Description Value
aggregationWindowInSeconds The aggregation window for the message bytes. The message bytes will be aggregated in this window and be reset after the window. Default value is 60 seconds. int

Constraints:
Min value = 10
Max value = 3600
maxInboundMessageBytes Maximum accumulated inbound message bytes allowed for the same user ID within a time window. Clients with the same user ID will get disconnected if the message bytes exceeds this value. Default value is 1GB. int

Constraints:
Min value = 0
type 'TrafficThrottleByUserIdRule' (required)

UserAssignedIdentityProperty

Name Description Value

WebPubSubNetworkACLs

Name Description Value
defaultAction Azure Networking ACL Action. 'Allow'
'Deny'
ipRules IP rules for filtering public traffic IPRule[]
privateEndpoints ACLs for requests from private endpoints PrivateEndpointACL[]
publicNetwork Network ACL NetworkACL

WebPubSubProperties

Name Description Value
applicationFirewall Application firewall settings for the resource ApplicationFirewallSettings
disableAadAuth DisableLocalAuth
Enable or disable aad auth
When set as true, connection with AuthType=aad won't work.
bool
disableLocalAuth DisableLocalAuth
Enable or disable local auth with AccessKey
When set as true, connection with AccessKey=xxx won't work.
bool
liveTraceConfiguration Live trace configuration of a Microsoft.SignalRService resource. LiveTraceConfiguration
networkACLs Network ACLs for the resource WebPubSubNetworkACLs
publicNetworkAccess Enable or disable public network access. Default to "Enabled".
When it's Enabled, network ACLs still apply.
When it's Disabled, public network access is always disabled no matter what you set in network ACLs.
string
regionEndpointEnabled Enable or disable the regional endpoint. Default to "Enabled".
When it's Disabled, new connections will not be routed to this endpoint, however existing connections will not be affected.
This property is replica specific. Disable the regional endpoint without replica is not allowed.
string
resourceLogConfiguration Resource log configuration of a Microsoft.SignalRService resource. ResourceLogConfiguration
resourceStopped Stop or start the resource. Default to "False".
When it's true, the data plane of the resource is shutdown.
When it's false, the data plane of the resource is started.
string
socketIO SocketIO settings for the resource WebPubSubSocketIOSettings
tls TLS settings for the resource WebPubSubTlsSettings

WebPubSubSocketIOSettings

Name Description Value
serviceMode The service mode of Web PubSub for Socket.IO. Values allowed:
"Default": have your own backend Socket.IO server
"Serverless": your application doesn't have a backend server
string

WebPubSubTlsSettings

Name Description Value
clientCertEnabled Request client certificate during TLS handshake if enabled. Not supported for free tier. Any input will be ignored for free tier. bool