Disable Public Network Access to Service Bus Namespaces

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that public network access (i.e. all network access) to Microsoft Azure Service Bus namespaces is disabled in order to enhance security by preventing unauthorized access.

Security

When an Azure Service Bus namespace is publicly accessible, all hosts and networks, including the Internet, can access the namespace using an access key, increasing the risk of unauthorized access, potential security breaches, and compliance violations. To limit access to selected, trusted networks, you must configure network access rules for your Service Bus namespaces. This allows traffic from trusted IP addresses only, preventing unauthorized access attempts and protecting your sensitive data.


Audit

To determine whether public network access to your Azure Service Bus namespaces is disabled, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Service Bus Namespace, and choose Apply to list only the Microsoft Azure Service Bus namespaces available in the selected subscription.

05 Click on the name (link) of the Azure Service Bus namespace that you want to examine.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected namespace. If Networking is not available, the selected Service Bus namespace is not using the Premium pricing tier. Private network access settings are only available on Premium namespaces.

07 Select the Public access tab and check the Public network access configuration setting to determine the level of access configured for the selected namespace. If Public network access is set to All networks, all networks, including the Internet, can access your resource, therefore, the public network access to the selected Microsoft Azure Service Bus namespace is not disabled.

08 Repeat steps no. 5 – 7 for each Azure Service Bus namespace available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run servicebus namespace list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Service Bus namespace available in the current subscription:

az servicebus namespace list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested namespace identifiers:

Name                    ResourceGroup
---------------------   ------------------------------
tm-project5-namespace   cloud-shell-storage-westeurope
tm-dev-bus-namespace    cloud-shell-storage-westeurope

03 Run servicebus namespace network-rule-set show command (Windows/macOS/Linux) with the name of the Azure Service Bus namespace that you want to examine as the identifier parameter and custom output filters to determine if the public network access to the selected namespace is disabled:

az servicebus namespace network-rule-set show \
  --namespace-name tm-project5-namespace \
  --resource-group cloud-shell-storage-westeurope \
  --query '{publicNetworkAccess:publicNetworkAccess,ipRules:ipRules}'

04 The command output should return the IP rules used by the selected namespace for IP-based access (i.e. "ipRules" value) and the status of the "publicNetworkAccess" setting configured for the namespace:

{
	"ipRules": [],
	"publicNetworkAccess": "Enabled"
}

If the servicebus namespace network-rule-set show command output returns an empty array (i.e. []) for "ipRules" and "Enabled" for "publicNetworkAccess", as shown in the example above, all networks, including the Internet, can access your resource, therefore, the public network access to the selected Microsoft Azure Service Bus namespace is not disabled.

05 Repeat steps no. 3 and 4 for each Azure Service Bus namespace available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
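The audit steps above can be automated. The following script is an added example (not part of the Conformity knowledge base or the Azure CLI) that applies the page's verdict to the JSON returned by servicebus namespace network-rule-set show, using constructed sample outputs so it runs offline; it goes one step beyond the page's check by also treating an "Allow" defaultAction as open even when IP rules exist, because the IP firewall only filters traffic when the default action is Deny. The sample IP ranges are constructed, and the optional driver at the bottom simply runs the two az commands from the audit steps.

```python
"""Flag Azure Service Bus namespaces whose public network access is not disabled."""
import json
import subprocess
from typing import Dict, List

# Constructed sample: the page's example output for a namespace open to all networks.
OPEN_NAMESPACE = json.loads(
    '{"ipRules": [], "publicNetworkAccess": "Enabled", "defaultAction": "Allow"}')
# Constructed sample: public network access disabled (passes the check).
CLOSED_NAMESPACE = json.loads(
    '{"ipRules": [], "publicNetworkAccess": "Disabled", "defaultAction": "Allow"}')
# Constructed sample: "Selected networks" - Deny by default, one allowed CIDR range.
RESTRICTED_NAMESPACE = json.loads(
    '{"ipRules": [{"action": "Allow", "ipMask": "203.0.113.0/24"}],'
    ' "publicNetworkAccess": "Enabled", "defaultAction": "Deny"}')


def classify(rule_set: Dict) -> str:
    """Return the verdict for one namespace's network rule set.

    "disabled"  : publicNetworkAccess is Disabled (compliant)
    "open"      : Enabled with no IP rules, or Enabled with defaultAction Allow
    "restricted": Enabled, defaultAction Deny and at least one IP rule
    """
    access = rule_set.get("publicNetworkAccess", "Enabled")
    ip_rules = rule_set.get("ipRules") or []          # key may be missing or null
    default_action = rule_set.get("defaultAction", "Allow")
    if access == "Disabled":
        return "disabled"
    if not ip_rules or default_action != "Deny":
        return "open"
    return "restricted"


def find_open_namespaces(results: Dict[str, Dict]) -> List[str]:
    """Names of namespaces that fail the check, i.e. public access is not disabled."""
    return sorted(name for name, rs in results.items() if classify(rs) == "open")


def _az(*args: str):
    """Run an Azure CLI command from the audit steps and parse its JSON output."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    results = {}
    for ns in _az("servicebus", "namespace", "list"):
        results[ns["name"]] = _az("servicebus", "namespace", "network-rule-set", "show",
                                  "--namespace-name", ns["name"],
                                  "--resource-group", ns["resourceGroup"])
    for name in find_open_namespaces(results):
        print(f"{name}: public network access is NOT disabled")
```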

Remediation / Resolution

To disable public network access to your Microsoft Azure Service Bus namespaces, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Service Bus Namespace, and choose Apply to list only the Microsoft Azure Service Bus namespaces available in the selected subscription.

05 Click on the name (link) of the Azure Service Bus namespace that you want to configure.

06 In the navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected namespace. If Networking is not available, the selected Service Bus namespace is not using the Premium pricing tier. Private network access settings are only available on Premium namespaces.

07 Select the Public access tab and perform the following actions:

  1. For Public network access choose Selected networks.
  2. Under Firewall, for Address range, provide a public IP address range or an individual IP address in the IP address or CIDR box, using CIDR notation. (Optional) You can also add your client IP address by checking the Add your client IP address ('xxx.xxx.xxx.xxx') setting checkbox.
  3. To bypass the IP firewall and allow trusted Azure services to access your namespace, set Allow trusted Microsoft services to bypass this firewall to Yes.
  4. Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Azure Service Bus namespace that you want to configure, available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run servicebus namespace update command (Windows/macOS/Linux) with the name of the Azure Service Bus namespace that you want to configure as the identifier parameter, to disable public network access to the selected namespace by setting the --public-network-access parameter to Disabled:

az servicebus namespace update \
  --name tm-project5-namespace \
  --resource-group cloud-shell-storage-westeurope \
  --public-network-access Disabled

02 The command output should return the information available for the configured namespace:

{
	"createdAt": "2024-08-16T09:06:00.3194946Z",
	"disableLocalAuth": false,
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ServiceBus/namespaces/tm-project5-namespace",
	"location": "westeurope",
	"metricId": "abcd1234-abcd-1234-abcd-1234abcd1234:tm-project5-namespace",
	"minimumTlsVersion": "1.2",
	"name": "tm-project5-namespace",
	"premiumMessagingPartitions": 0,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"serviceBusEndpoint": "https://tm-project5-namespace.servicebus.windows.net:443/",
	"sku": {
		"name": "Standard",
		"tier": "Standard"
	},
	"status": "Active",
	"tags": {},
	"type": "Microsoft.ServiceBus/Namespaces",
	"updatedAt": "2024-08-16T11:12:00.7249203Z",
	"zoneRedundant": false
}

03 To allow access from specific, trusted public IP addresses or IP ranges, run servicebus namespace network-rule-set ip-rule add command (Windows/macOS/Linux) to add an IP rule for an individual IPv4 address or IPv4 address range. Replace <public-ip-address> with your public IPv4 address or CIDR range:

az servicebus namespace network-rule-set ip-rule add \
  --namespace-name tm-project5-namespace \
  --resource-group cloud-shell-storage-westeurope \
  --ip-rule ip-address=<public-ip-address> action=Allow

04 The command output should return the information available for the configured Service Bus namespace:

{
	"defaultAction": "Allow",
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ServiceBus/namespaces/tm-project5-namespace/networkRuleSets/default",
	"ipRules": [
	  {
		"action": "Allow",
		"ipMask": "<public-ip-address>"
	  }
	],
	"location": "westeurope",
	"name": "default",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"trustedServiceAccessEnabled": false,
	"type": "Microsoft.ServiceBus/Namespaces/NetworkRuleSets",
	"virtualNetworkRules": []
}

05 Repeat steps no. 1 – 4 for each Azure Service Bus namespace that you want to configure, available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Publication date: Aug 26, 2024