Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
IoT Hub supports data egress to other services through routing to custom endpoints, file upload, and device identity export. For extra security in an enterprise environment, use the restrictOutboundNetworkAccess
API to restrict an IoT hub egress to only explicitly approved destinations. Currently, this feature isn't available in Azure portal.
To enable the feature, use any method to update the IoT Hub resource properties (a PUT
) to set the restrictOutboundNetworkAccess
to true
while including an allowedFqdnList
containing Fully Qualified Domain Names (FQDNs) as an array.
An example showing the JSON representation to use with the create or update method:
{
...
"properties": {
...
"restrictOutboundNetworkAccess": true,
"allowedFqdnList": [
"my-eventhub.servicebus.chinacloudapi.cn",
"iothub-ns-built-in-endpoint-2917414-51ea2487eb.servicebus.chinacloudapi.cn"
]
...
},
"sku": {
"name": "S1",
"capacity": 1
}
}
}
}
To make the same update using Azure CLI, run
az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --set properties.restrictOutboundNetworkAccess=true properties.allowedFqdnList="['my-eventhub.servicebus.chinacloudapi.cn','iothub-ns-built-in-endpoint-2917414-51ea2487eb.servicebus.chinacloudapi.cn']"
Once restrictOutboundNetworkAccess
is set to true
, attempts to emit data to destinations outside of the allowed FQDNs fail. Even existing configured routes stop working if the custom endpoint isn't included in the allowed FQDN list.
If restrictOutboundNetworkAccess
is set to true
, the built-in event hub compatible endpoint isn't exempt for the restriction. In other words, you must include the built-in endpoint FQDN in the allowed FQDN list for it to continue to work.
- To use managed identity for data egress, see IoT Hub support for managed identities.
- To restrict inbound network access, see Managing public network access for your IoT hub and IoT Hub support for virtual networks with Private Link.