Manage public network access for your IoT Device Provisioning Service
To restrict access to a private endpoint for DPS in your VNet, disable public network access. To do so, use the Azure portal or the publicNetworkAccess
API. You can also allow public access by using the portal or the publicNetworkAccess
API.
Turn off public network access using the Azure portal
To turn off public network access:
Sign in to the Azure portal.
On the left-hand menu or on the portal page, select All resources.
Select your Device Provisioning Service.
In the Settings menu on the left-side, select Networking.
Under Public network access, select Disabled
Select Save.
To turn on public network access:
- Select All networks.
- Select Save.
Disable public network access limitations
Note the following limitations when public network access is disabled:
The DPS instance is accessible only through its VNET private endpoint using Azure Private Link.
You can no longer use the Azure portal to manage enrollments for the DPS instance. Instead you can manage enrollments using the Azure CLI, PowerShell, or service APIs from machines inside the virtual network(s) configured on the DPS instance. To learn more, see Private endpoint limitations.
DPS endpoint, IP address, and ports after disabling public network access
DPS is a multi-tenant Platform-as-a-Service (PaaS), where different customers share the same pool of compute, networking, and storage hardware resources. DPS's hostnames map to a public endpoint with a publicly routable IP address over the internet. Different customers share this DPS public endpoint, and IoT devices in wide-area networks and on-premises networks can all access it.
Disabling public network access is enforced on a specific DPS resource, ensuring isolation. To keep the service active for other customer resources using the public path, its public endpoint remains resolvable, IP addresses discoverable, and ports remain open. This is not a cause for concern as Azure integrates multiple layers of security to ensure complete isolation between tenants. To learn more, see Isolation in the Azure Public Cloud.
IP Filter
If public network access is disabled, all IP Filter rules are ignored. This is because all IPs from the public internet are blocked. To use IP Filter, use the Selected IP ranges option.
Turn on all network ranges
To turn on all network ranges:
- Go to the Azure portal.
- On the left-hand menu or on the portal page, select All resources.
- Select your Device Provisioning Service.
- In the Settings menu on the left-side, select Networking.
- Under Public network access, select All networks
- Select Save.