Azure Service Bus Instance has name parameter (For example,sample-name).
This name used to expose endpoint URL to host
sample-name.servicebus.windows.net
Whats happens if another client choose the same sample-name for another instance of Azure Service Bus?
How it is resolved by Azure?
This name is universal in Azure. If you've created a Namespace with some name, then no other user can create a Namespace with that same name.
Essentially the URL for your Azure Service Bus has to be unique in Azure ecosystem i.e. no two users can have a URL <somename>.servicebus.windows.net.
What this means is that if you have a general Azure Subscription and an Azure Subscription in Germany (or China/US Gov), you could create a namespace with same name in there (one in general region and other in Germany/China/US Gov) as the endpoint domain (e.g. servicebus.windows.net) is different in each of these regions.
Azure checks availability of the namespace. If it's taken, the portal will say so:
Related
I have a resource group on Azure with a web application hosted as an App Service, that uses an Azure SQL Database and storage container for blob storage.
Within the storage account, I want to limit public access within the networking section, to only be enabled from selected virtual networks or IP addresses. If I enable this, I then need to provide access from my App Service within the same resource group. The most appropriate route seems to be by allowing access to resource instance, by adding a resource type by instance name. However, in the drop down list of resource types, there does not seem to be an option for App Service. Is this possible?
I considered allowing specific IP addresses, but the Microsoft documentation suggests that resources in the same region as the storage account use private Azure IP addresses for communication.
• I would suggest you use the private endpoints section since this works almost in the same way as the ‘Resource instance’ type to be selected in the instance name since you want to restrict access to a system-managed assigned identity-based solution like an ‘App service’ wherein the web application is hosted in it.
Thus, for this purpose, you will have to create a private endpoint as shown below with the virtual network deployed in the same region as the storage account as well as the in the same resource group. This will ensure that the private endpoint connection is traversing exclusively through the Microsoft backbone network only. Also, the private DNS zone that is created post creating a private endpoint for the respective blob container or any storage resource that you choose will host the DNS records for that respective storage account resource.
To create a private endpoint, kindly refer to the below snapshots for reference: -
Similarly, in the ‘App Services’ section, you will have to associate the private endpoint created as above in the respective virtual network as shown below. This will ensure that your private endpoint for the storage account resource is selected correctly as above.
• Therefore, in the ‘Microsoft Resource Instance’ section in the storage account, you do not have ‘Microsoft App Services’ as an option by design itself, but through the implementation of private endpoint, we can surely achieve the same as required. Also, ensure to check the option for ‘Allow Azure services on the trusted services list to access this storage account’ as the service ‘Microsoft.AppServices/service’ is in the list of trusted services according to official documentation.
Please find the below links for more details regarding the configuration private endpoint and the Microsoft resource instances in the storage account: -
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-to-trusted-azure-services
https://learn.microsoft.com/en-us/answers/questions/41129/app-service-to-access-storage-account-with-firewal.html
I'm building a queue messaging system in Azure and what I'm trying to do is an outbound message queue container in Azure Storage Queue that allows my desktop Windows Services to get the latest messages from that queue. The problem I'm facing is that I want to have multiple queues per tenant (each Windows service serves one client) in one storage account. As far as I see, there is no way to restrict the connection string access to each queue. On the other hand, it is not practical for me to create one storage account per tenant. What is the best way to restrict client access to one specific queue with the current security methods available in Azure? I was thinking about using Service Bus Queues, but even that doesn't solve the connection string issue I have in the client application.
I think service bus queues is your answer; they allow a multi-subscriber model with "subjects" and various filters etc.
Storage queues are very simplistic and are not the right answer for this particular scenario.
Sorry, on my mobile so haven't got all the relevant docs to hand.
One option is to use AAD identities and Storage's AAD authentication support (which is currently in public preview).
You would need a Service Principal in Azure AD for each tenant for this,
and add the principal to the Storage Queue Data Reader or Storage Queue Data Contributor role on their respective queue.
You can then use the principal's credentials to get an access token that is tenant-specific.
Documentation:
https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-aad-authentication-for-storage/
https://joonasw.net/view/azure-ad-authentication-with-azure-storage-and-managed-service-identity
according to MS there is a Azure Service bus component to on-prem data gateway , however when you install the Azure component no service bus resource created. we need to understand the impact on pricing i.e. is the price of service bus hidden within Azure on prem data gateway ? there is no pricing guidelines for Azure On premise gateway
The On-premises data gateway relies on Azure Service Bus for cloud connectivity and correspondingly establishes outbound connections to its associated Azure region, which means an Azure Service Bus implicitly created when a data gateway is installed.
Created Azure Service Bus will not be shown explicitly. There is no extra cost for it. All you have to pay is for the on-prem data gateway which includes all infrastructure costs(Azure Service Bus).
There is not a licensing cost for the data gateway and data flowing into Azure is free. You pay egress costs which can be calculated using https://azure.microsoft.com/en-us/pricing/details/bandwidth/
I am creating an Azure Service Bus with the Fluent SDK. I want to give my service bus a specific name and increment by one if the name is unavailable.
The problem I am having is that I don't actually know if the name is unavailable at the time of creation.
I'm using this to create a service bus:
var serviceBusNamespace = azure.ServiceBusNamespaces
.Define(serviceBusName)
.WithRegion(Region)
.WithExistingResourceGroup(resourceGroup)
.WithSku(NamespaceSku.Standard)
.Create();
If I run this code for two different resource groups using the same serviceBusName, I get a service bus created in both resources groups without error. However when I go to the Azure portal the first service bus opens fine, but I get an error saying 'Not Found' when trying to open the second.
I understand that servicebus names must be unique across all of Azure, but
Why is the Fluent SDK allowing me to create the second service bus with the same name?
How can I check of the name is unique before creating the service bus?
I tried to ping the service bus URL to see if it exists. For example I tried this, for a URL like serviceBusName.servicebus.windows.net, but that failed.
Why is the Fluent SDK allowing me to create the second service bus with the same name?
You should raise this as an issue with the team that develops the library. In this case, Fluent SDK is produced by .NET Libraries for Azure team. Issue tracker is available here. When raising an issue, label it with Service Bus.
How can I check of the name is unique before creating the service bus?
Operation to provision a new namespace could be enqueued internally. Therefore, when you query for a namespace existence, you might get a negative response while backend is spinning it up. One of the requests will succeed, while another will fail. You'd need to create and query for a result after, checking the status.
Is it possible to add the same roles (Worker Roles) more than once into the same cloud service with different configurations?
They all handle different things from a service bus, so they have neither public nor private endpoints.
All instances of the same role within a cloud service must share the same .cscfg configuration. You could hack around it by externalising some configuration into blob or table storage, which could then be read when a role starts up, by keying a specific instance's settings using its instance number, e.g. Instance1 consumes Service Bus topic "invoice", Instance2 consumes "order", etc.
However, your best bet is to deploy the worker roles with different configurations into multiple cloud services, which will also allow you to scale out each service independently.