So you’ve got an on-premise WCF Service and you’re going to expose the endpoint to the Cloud via ServiceBus.

I’m with a client excited about the prospect of Azure and using ServiceBus for connectivity for our local WCF Services.

Remember, ServiceBus is touted as the firewall-friendly communications mechanism.

Should be pretty easy right? – just follow an article like – http://msdn.microsoft.com/en-us/library/ee732535.aspx

If you are on a Secure Server (i.e. one that doesn’t have open slather access to the internet by default), you will fall well short.
(NB: the Azure ServiceBus documentation is a little thin here also, i.e. no mention whatsoever.)

You will get ‘can’t contact watchdog.servicebus.windows.net’ and many others….So….

After much head banging, Scotty sat down one rainy day and looked at the full conversation to establish a connection to the cloud via Service Bus.

NB: XXXX is your ServiceBus endpoint name you configured in the Azure Management Portal earlier. This endpoint lives in the Azure Singapore Data Center.

When ConnectionMode = TCP (Hybrid):
1. CNAME lookup for watchdog.servicebus.windows.net returns ns-sb-prod-sn1-001.cloudapp.net
2. Connect to ns-sb-prod-sn1-001.cloudapp.net (port 9350)
3. CNAME lookup for XXXX-sb.accesscontrol.windows.net returns ns-ac-prod-sin-001.cloudapp.net
4. Connect to ns-ac-prod-sin-001.cloudapp.net (port 443)
5. CNAME lookup for XXXX.servicebus.windows.net returns ns-sb-prod-sin-001.cloudapp.net
6. Connect to ns-sb-prod-sin-001.cloudapp.net (port 9351)
 
When ConnectionMode = Http:
1. CNAME lookup for XXXX-sb.accesscontrol.windows.net returns ns-ac-prod-sin-001.cloudapp.net
2. Connect to ns-ac-prod-sin-001.cloudapp.net (port 443)
3. CNAME lookup for XXXX.servicebus.windows.net returns ns-sb-prod-sin-001.cloudapp.net
4. Connect to ns-sb-prod-sin-001.cloudapp.net (port 80)
 
Also, when we lock this down to an https endpoint, step 4 above will be over port 443.
 
So the complete firewall rules to support both modes should be:
· watchdog.servicebus.windows.net (9350-9353)
· ns-sb-prod-sn1-001.cloudapp.net (9350-9353)
· XXXX-sb.accesscontrol.windows.net (443)
· ns-ac-prod-sin-001.cloudapp.net (443)
· XXXX.servicebus.windows.net (80, 443, 9350-9353)
· ns-sb-prod-sin-001.cloudapp.net (80, 443, 9350-9353)
 
Note the difference between ns-sb-prod-sn1-001.cloudapp.net and the others, ns-ac-prod-sin-001.cloudapp.net and ns-sb-prod-sin-001.cloudapp.net (sn1 versus sin).
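
The conversation above can be checked from the locked-down server before and after the firewall change. The following PowerShell script is an added example, not part of the original post: it looks up the CNAME for each name and tries a TCP connect on the ports seen in the two walkthroughs. The script name (Test-ServiceBusFirewall.ps1), the parameter names and the Test-TcpPort helper are illustrative, and it assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: checks the host/port pairs from the conversation in this post.
# Save as Test-ServiceBusFirewall.ps1 (hypothetical name) and pass -Namespace XXXX.
param(
    [Parameter(Mandatory = $true)]
    [string]$Namespace,          # the XXXX value from the post
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        # A silently dropped SYN (typical firewall block) shows up as a timeout.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connect was refused or reset
        return $true
    } catch {
        return $false                  # DNS failure, refusal or reset
    } finally {
        $client.Close()
    }
}

# Ports are the ones observed in the two ConnectionMode walkthroughs above.
$checks = @(
    @{ Name = 'watchdog.servicebus.windows.net';           Port = 9350; Mode = 'Tcp' }
    @{ Name = "${Namespace}-sb.accesscontrol.windows.net"; Port = 443;  Mode = 'Tcp, Http' }
    @{ Name = "${Namespace}.servicebus.windows.net";       Port = 9351; Mode = 'Tcp' }
    @{ Name = "${Namespace}.servicebus.windows.net";       Port = 80;   Mode = 'Http' }
    @{ Name = "${Namespace}.servicebus.windows.net";       Port = 443;  Mode = 'Http (https)' }
)

$results = foreach ($c in $checks) {
    # Report the CNAME target so the firewall request can name it as well.
    $cname = Resolve-DnsName -Name $c.Name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } |
        Select-Object -First 1 -ExpandProperty NameHost
    [pscustomobject]@{
        Mode      = $c.Mode
        Host      = $c.Name
        CName     = if ($cname) { $cname } else { '(not resolved)' }
        Port      = $c.Port
        Reachable = Test-TcpPort -HostName $c.Name -Port $c.Port -TimeoutMs $TimeoutMs
    }
}

$results | Format-Table -AutoSize
```

The CName column shows the cloudapp.net target for your own data center, which is the name to put on the firewall request alongside the windows.net alias.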



Hopefully you won’t get caught out at a client site asking for firewall changes one at a time as you discover them.

Enjoy,

Mick + big thanks Scotty for the details.

Blog Post by: Mick Badran