Azure / azure-service-bus

☁️ Azure Service Bus service issue tracking and samples
https://azure.microsoft.com/services/service-bus
MIT License

Feature request: enable use of Private Endpoints for a standard tier of Service Bus #474

Open chudytom opened 2 years ago

chudytom commented 2 years ago

Description

For most use cases, Standard tier of Service Bus is just enough. All the capabilities of the Premium tier are not always needed. However, if you want to enable secure access to a Service Bus using Microsoft backbone network using Private Endpoints, you have to migrate your Service Bus to a Premium tier. However, the Premium tier seems to be even 60 times more expensive for basic use cases.

Actual Behavior

  1. Currently in order to be secure and implement Private Endpoints we need to migrate to the Premium Tier of Service Bus. It's been even mentioned in the documentation https://docs.microsoft.com/en-us/azure/service-bus-messaging/private-link-service#important-points

Expected Behavior

  1. Enable the use of Private Endpoints in the Standard tier of Service Bus

EldertGrootenboer commented 2 years ago

Thank you for your feedback. However, we are not planning to bring this feature to the Standard tier, due to the internal constraints of our architecture. For advanced networking scenarios, such as integration with VNET, we recommend going to the premium tier.

chudytom commented 2 years ago

@EldertGrootenboer have you considered something in between? Some capabilities of the Premium tier but with the pricing that isn't 60 times more expensive. In our case at least it means that we will need to replace it e.g. with Kafka. Right now the Premium Service Bus seems simply too expensive.

EldertGrootenboer commented 2 years ago

@chudytom We are looking into options for bridging the pricing gap between Standard and Premium, but we don't have more details to share yet.

chudytom commented 2 years ago

@EldertGrootenboer sounds promising. Thank you for the update. Any rough timeline when we can expect more updates?

EldertGrootenboer commented 2 years ago

No specific timelines yet, except that this is in active development.

SeanFeldman commented 2 years ago

> No specific timelines yet, except that this is in active development.

In that case the issue should remain open until the work is completed.

chudytom commented 2 years ago

@EldertGrootenboer I agree with Sean. Can we reopen the issue?

EldertGrootenboer commented 2 years ago

Reopened, although important to note that this is not to track enabling private endpoint on standard tier, but for an alternative to bridge the pricing gap.

si-te commented 1 year ago

The absence of private endpoints for the standard tier is even further problematic, since there is no built-in firewall for the public endpoint, as there is for example with storage accounts or other managed services. This makes the standard tier really only rely on authentication for access control. And even there SAS Tokens (which are required for some use cases) are problematic since they are not bound to an identity provider such as AAD.

Maybe adding an integrated firewall for the public endpoint of standard tier similar to storage accounts would be an acceptable middle ground?

chudytom commented 11 months ago

@EldertGrootenboer do we have any progress on bridging the option on Standard vs the Premium tier of Service Bus? It's been over a year since we had some information about the progress.

EldertGrootenboer commented 11 months ago

Thank you for your feedback on this item. We are currently actively investigating the possibilities around this feature, however we currently don't have an ETA on when development might start on this. We encourage everyone to share the scenarios where they would like to use this feature, to help us shape it in the best way.

EldertGrootenboer commented 4 months ago

This feature is in our backlog, however we currently don't have an ETA on when development might start on this. For now, to help us give this the right priority, it would be helpful to see others vote and support this feature, as well as explain their scenarios.

zyofeng commented 4 weeks ago

I would strongly vote for this feature. Most of our Azure infrastructure, including SQL, storage accounts, Cosmos DB, and Key Vault, is secured behind VNets and private endpoints.

However, one critical component still missing this is the Service Bus, which is a key element of our service communication backbone. We don't need any other features in the premium tier.

vpshibin commented 2 weeks ago

Strongly support/vote this feature.

Our Enterprise Security only allows Private endpoint access for Service Bus (and similar PaaS services). And the use cases mostly only need a Standard tier (at least in NonProd). It doesn't make sense to pay 60 times the cost for Premium just for the Private endpoint feature.