Access Event Hub on Private Endpoint from external

I currently have an Event Hub on a private endpoint. I am trying to allow a partner access to the event hub through our firewalls.

Currently we are trying to connect using AMQP and the endpoint connection string. Obviously using the FQDN doesn't work as there is no public IP address for the event hub. Changing the FQDN for the Firewall IP address in the string returns a certificate error, I presume this is because Event Hub is expecting an FQDN and not an IP in the request string.

What can be done within the chain (Send source, load balancer, firewall, event hub) to allow for the connection?

Thank you Riccardo


As I was stuck on this for a day, here's the solution for future users who land on this:

You need to create a Private DNS Zone so that the FQDN resolves to the private IP address of your endpoint. This way, you are still using a private endpoint to connect to event hub and the service can use the FQDN hostname of the event hub and there will be no certificate error.

There are two ways to create the Private DNS Zone:

  1. While creating the endpoint:

    There is an option to integrate with a private DNS zone in the "Configuration" tab. Select yes and keep the default values. Note that this option is disabled and set to No if you use the resource id to create the endpoint (i.e. by using "Connect to an Azure resource by resource ID or alias" option in the previous Resource tab)

  2. After creating the endpoint:

    If you need to add the DNS zone after you have created the endpoint without one,

    1. Create a Private DNS Zone manually with the name privatelink.servicebus.windows.net. Note that the name has to be this exactly, you cannot use a random name for the zone.
    2. Once the DNS zone is created, go to the DNS zone resource and go to "Virtual network links" tab and add a link to the VNET your endpoint is in.
    3. Go to the private endpoint resource and go to the "DNS configuration" tab and click on "Add Configuration" button at the top. Select the DNS zone you created in the last step and leave everything else as is.
    4. Once this is saved, verify by doing nslookup <event-hubs-namespace-name>.servicebus.windows.net from your VM and you'll get the private IP address.
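A small pre-flight check that models what the answer above relies on, added here as an example and not part of the original question or answer. It parses the `Endpoint=sb://...` part of an Event Hubs connection string, derives the record that must exist in the `privatelink.servicebus.windows.net` zone, resolves the namespace FQDN (against a constructed DNS table so it runs offline, or the real resolver as an `nslookup` equivalent), and shows why putting the firewall IP in place of the FQDN fails the TLS name check: the service certificate names are DNS names, so an IP literal never matches. The namespace `myns`, the address `10.1.2.4` and the SAN list are constructed sample values.

```python
"""Pre-flight check for an Event Hubs namespace behind a private endpoint.

Added example, not from the original thread. Sample DNS table, namespace and
certificate SAN list are constructed values for offline use.
"""
import ipaddress
import socket
from urllib.parse import urlparse

PRIVATELINK_ZONE = "privatelink.servicebus.windows.net"  # zone name must be exactly this
PUBLIC_SUFFIX = "servicebus.windows.net"

# Constructed: the kind of dNSName SANs the Event Hubs service certificate carries.
SAMPLE_CERT_SANS = ["*.servicebus.windows.net", "servicebus.windows.net"]

# Constructed: how the FQDN resolves from inside the VNet once the zone is linked.
SAMPLE_DNS = {"myns.servicebus.windows.net": "10.1.2.4"}

SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://myns.servicebus.windows.net/;"
    "SharedAccessKeyName=policy;SharedAccessKey=REDACTED"
)


def endpoint_host(connection_string: str) -> str:
    """Return the host from the Endpoint=sb://host/ element of a connection string."""
    for part in connection_string.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() == "endpoint":
            host = urlparse(value.strip()).hostname
            if not host:
                raise ValueError("Endpoint element has no host")
            return host
    raise ValueError("no Endpoint= element in connection string")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches_san(host: str, sans) -> bool:
    """Minimal RFC 6125-style check: exact match, or a wildcard covering one leftmost label.

    An IP literal never matches a dNSName SAN, which is the certificate error
    seen when the FQDN in the connection string is swapped for the firewall IP.
    """
    if is_ip_literal(host):
        return False
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # ".servicebus.windows.net"
            if host.endswith(suffix) and host.count(".") == suffix.count("."):
                return True
    return False


def privatelink_record(host: str):
    """Zone and record name the Private DNS Zone needs for this namespace (None for IP literals)."""
    if is_ip_literal(host) or not host.endswith("." + PUBLIC_SUFFIX):
        return None
    namespace = host[: -len("." + PUBLIC_SUFFIX)]
    return PRIVATELINK_ZONE, namespace


def resolve(host: str, table=None) -> str:
    """Resolve host via the constructed table when given, otherwise the system resolver."""
    if is_ip_literal(host):
        return host
    if table is not None:
        if host not in table:
            raise LookupError(f"{host} did not resolve")
        return table[host]
    return socket.gethostbyname(host)


def preflight(connection_string: str, dns_table=None, sans=SAMPLE_CERT_SANS) -> dict:
    """Summarise whether this connection string will work over the private endpoint."""
    host = endpoint_host(connection_string)
    ip = resolve(host, dns_table)
    return {
        "host": host,
        "privatelink_record": privatelink_record(host),
        "resolved_ip": ip,
        "resolves_private": ipaddress.ip_address(ip).is_private,
        "cert_name_ok": hostname_matches_san(host, sans),
    }


if __name__ == "__main__":
    print(preflight(SAMPLE_CONNECTION_STRING, SAMPLE_DNS))
    # The failing variant from the question: host replaced by an IP address.
    print(preflight("Endpoint=sb://10.9.8.7/;SharedAccessKeyName=p;SharedAccessKey=x", SAMPLE_DNS))
```

Run it without the `SAMPLE_DNS` argument from a VM inside the VNet and `resolved_ip` should be the private endpoint address, matching step 4 of the answer; a public address or a lookup failure means the zone is not linked to that VNet or the endpoint's DNS configuration was not added.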