Restrict outbound network access for Azure IoT Hub
IoT Hub supports data egress to other services through routing to custom endpoints, file upload, and device identity export. For extra security in an enterprise environment, use the restrictOutboundNetworkAccess API to restrict an IoT hub egress to only explicitly approved destinations. Currently, this feature isn't available in Azure portal.
Enabling the restriction
To enable the feature, use any method to update the IoT Hub resource properties (a PUT) to set the restrictOutboundNetworkAccess to true while including an allowedFqdnList containing Fully Qualified Domain Names (FQDNs) as an array.
An example showing the JSON representation to use with the create or update method:
{
...
"properties": {
...
"restrictOutboundNetworkAccess": true,
"allowedFqdnList": [
"my-eventhub.servicebus.windows.net",
"iothub-ns-built-in-endpoint-2917414-51ea2487eb.servicebus.windows.net"
]
...
},
"sku": {
"name": "S1",
"capacity": 1
}
}
}
}
To make the same update using Azure CLI, run
az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --set properties.restrictOutboundNetworkAccess=true properties.allowedFqdnList="['my-eventhub.servicebus.windows.net','iothub-ns-built-in-endpoint-2917414-51ea2487eb.servicebus.windows.net']"
Restricting outbound network access with existing routes
Once restrictOutboundNetworkAccess is set to true, attempts to emit data to destinations outside of the allowed FQDNs fail. Even existing configured routes stop working if the custom endpoint isn't included in the allowed FQDN list.
Built-in endpoint
If restrictOutboundNetworkAccess is set to true, the built-in event hub compatible endpoint isn't exempt for the restriction. In other words, you must include the built-in endpoint FQDN in the allowed FQDN list for it to continue to work.
Next steps
- To use managed identity for data egress, see IoT Hub support for managed identities.
- To restrict inbound network access, see Managing public network access for your IoT hub and IoT Hub support for virtual networks with Private Link.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for