Restrict outbound network access for Azure IoT Hub

IoT Hub supports data egress to other services through routing to custom endpoints, file upload, and device identity export. For extra security in an enterprise environment, use the restrictOutboundNetworkAccess API to restrict an IoT hub egress to only explicitly approved destinations. Currently, this feature isn't available in Azure portal.

Enabling the restriction

To enable the feature, use any method to update the IoT Hub resource properties (a PUT) to set the restrictOutboundNetworkAccess to true while including an allowedFqdnList containing Fully Qualified Domain Names (FQDNs) as an array.

An example showing the JSON representation to use with the create or update method:

{
...
            "properties": {
              ...
                "restrictOutboundNetworkAccess": true,
                "allowedFqdnList": [
                    "my-eventhub.servicebus.chinacloudapi.cn",
                    "iothub-ns-built-in-endpoint-2917414-51ea2487eb.servicebus.chinacloudapi.cn"
                ]
              ...
            },
            "sku": {
                "name": "S1",
                "capacity": 1
            }
        }
    }
}

To make the same update using Azure CLI, run

az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --set properties.restrictOutboundNetworkAccess=true properties.allowedFqdnList="['my-eventhub.servicebus.chinacloudapi.cn','iothub-ns-built-in-endpoint-2917414-51ea2487eb.servicebus.chinacloudapi.cn']"

Restricting outbound network access with existing routes

Once restrictOutboundNetworkAccess is set to true, attempts to emit data to destinations outside of the allowed FQDNs fail. Even existing configured routes stop working if the custom endpoint isn't included in the allowed FQDN list.

Built-in endpoint

If restrictOutboundNetworkAccess is set to true, the built-in event hub compatible endpoint isn't exempt for the restriction. In other words, you must include the built-in endpoint FQDN in the allowed FQDN list for it to continue to work.

Next steps

• To use managed identity for data egress, see IoT Hub support for managed identities.
• To restrict inbound network access, see Managing public network access for your IoT hub and IoT Hub support for virtual networks with Private Link.