แก้ไข

แชร์ผ่าน


Configure private endpoints for Azure Event Grid namespaces with MQTT enabled

You can use private endpoints to allow ingress of events directly from your virtual network to entities in your Event Grid namespaces securely over a private link without going through the public internet. The private endpoint uses an IP address from the virtual network address space for your namespace. When an MQTT client on a private network connects to the MQTT broker on a private link, the client can publish and subscribe to MQTT messages. For more conceptual information, see Network security.

This article shows you how to enable private network access for an Event Grid namespace. For complete steps for creating a namespace, see Create and manage namespaces.

Create a private endpoint

  1. Sign-in to the Azure portal.

  2. In the search box, enter Event Grid Namespaces and select Event Grid Namespaces from the results.

    Screenshot showing Event Grid Namespaces in the search results.

  3. Select your Event Grid namespace in the list to open the Event Grid Namespace page for your namespace.

  4. On the Event Grid Namespace page, select Networking on the left menu.

  5. In the Public network access tab, select Private endpoints only if you want the namespace to be accessed only via private endpoints.

    Note

    Disabling public network access on the namespace will cause the MQTT routing to fail.

  6. Select Save on the toolbar.

  7. Then, switch to the Private endpoint connections tab.

    Screenshot that shows the Networking page of an existing namespace with Private endpoints only option selected.

  8. In the Private endpoint connections tab, select + Private endpoint.

    Screenshot that shows the Private endpoint connections tab of the Networking page with Add private endpoint button selected.

  9. On the Basics page, follow these steps:

    1. Select an Azure subscription in which you want to create the private endpoint.

    2. Select an Azure resource group for the private endpoint.

    3. Enter a name for the endpoint.

    4. Update the name for the network interface if needed.

    5. Select the region for the endpoint. Your private endpoint must be in the same region as your virtual network, but can in a different region from the private link resource (in this example, an Event Grid namespace).

    6. Then, select Next: Resource > button at the bottom of the page.

      Screenshot showing the Basics page of the Create a private endpoint wizard.

  10. On the Resource page, follow these steps.

    1. Confirm that the Azure subscription, Resource type, and Resource (that is, your Event Grid namespace) looks correct

    2. Select a Target sub-resource. For example: topicspace. You see topicspace only if you have MQTT enabled on the namespace.

    3. Select Next: Virtual Network > button at the bottom of the page.

      Screenshot showing the Resource page of the Create a private endpoint wizard.

  11. On the Virtual Network page, you select the subnet in a virtual network to where you want to deploy the private endpoint.

    1. Select a virtual network. Only virtual networks in the currently selected subscription and location are listed in the drop-down list.

    2. Select a subnet in the virtual network you selected.

    3. Specify whether you want the IP address to be allocated statically or dynamically.

    4. Select an existing application security group or create one and then associate with the private endpoint.

    5. Select Next: DNS > button at the bottom of the page.

      Screenshot showing the Virtual Network page of the Create a private endpoint wizard.

  12. On the DNS page, select whether you want the private endpoint to be integrated with a private DNS zone, and then select Next: Tags at the bottom of the page.

  13. On the Tags page, create any tags (names and values) that you want to associate with the private endpoint resource. Then, select Review + create button at the bottom of the page.

  14. On the Review + create, review all the settings, and select Create to create the private endpoint.

When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory, you can approve the connection request provided you have sufficient permissions. If you're connecting to an Azure resource in another directory, you must wait for the owner of that resource to approve your connection request.

There are four provisioning states:

Service action Service consumer private endpoint state Description
None Pending Connection is created manually and is pending approval from the private Link resource owner.
Approve Approved Connection was automatically or manually approved and is ready to be used.
Reject Rejected Connection was rejected by the private link resource owner.
Remove Disconnected Connection was removed by the private link resource owner. The private endpoint becomes informative and should be deleted for cleanup.

The following sections show you how to approve or reject a private endpoint connection.

  1. Sign in to the Azure portal.
  2. In the search bar, type in Event Grid Namespaces, and select it to see the list of namespaces.
  3. Select the namespace that you want to manage.
  4. Select the Networking tab.
  5. If there are any connections that are pending, you see a connection listed with Pending in the provisioning state.

Approve a private endpoint

You can approve a private endpoint that's in the pending state. To approve, follow these steps:

  1. Select the private endpoint you wish to approve, and select Approve on the toolbar.
  2. On the Approve connection dialog box, enter a comment (optional), and select Yes.
  3. Confirm that you see the status of the endpoint as Approved.

Reject a private endpoint

You can reject a private endpoint that's in the pending state or approved state. To reject, follow these steps:

  1. Select the private endpoint you wish to reject, and select Reject on the toolbar.

  2. On the Reject connection dialog box, enter a comment (optional), and select Yes.

  3. Confirm that you see the status of the endpoint as Rejected.

    Screenshot showing the Private endpoint connection tab with Reject button selected (MQTT).

    Note

    You can't approve a private endpoint in the Azure portal once it's rejected.

Remove a private endpoint

To delete a private endpoint, follow these steps:

  1. Select the private endpoint you wish to delete, and select Remove on the toolbar.

  2. On the Delete connection dialog box, select Yes to delete the private endpoint.

    Screenshot showing the Private endpoint connection tab with Remove button selected (MQTT).

Next steps

To learn about how to configure IP firewall settings, see Configure IP firewall for Azure Event Grid namespaces.