MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

'Selected Network' means public! unless ip is added #68071

Closed omerzubair closed 3 years ago

omerzubair commented 3 years ago

This "Selected Network" behaviour is very different from other PaaS resources and also accepts internal IP addresses. Other PaaS resources share the same screen (for example, a storage account does not accept internal IP addresses).

To summarise:

• Whether the radio button is "All networks" or "Selected Networks", the firewall is open to the public until we add at least one IP to the firewall?
• We want to only communicate with Service Bus via private endpoint, so should we add the complete internal VNET address range in the firewall, in addition to the private endpoint config?

It would be great for the Service Bus Networking/Firewall screen to be different. IMO at least add a Note on it, i.e. 'The "Selected Network" option without at least one IP address is deemed public!'



ChaitanyaNaykodi-MSFT commented 3 years ago

Hello @omerzubair, Thank you for your feedback! We will review and update as appropriate.

ChaitanyaNaykodi-MSFT commented 3 years ago

Hello @omerzubair, apologies for the delay. When the Selected Networks option is selected, at least one IP firewall rule should be added, as quoted in the document.

By default, the Selected networks option is selected. If you don't add at least one IP firewall rule or a virtual network on this page, the namespace can be accessed over public internet (using the access key).

Regarding the second part, yes, you have to add your internal VNET address range to Selected Networks so that it is only accessible via the VNET. You can go through this documentation for any additional information. We will now proceed to close this issue out; please tag me in your reply if there are any additional concerns. Thank you!

omerzubair commented 3 years ago

Hi @Chaitanya, thanks for the reply. I was looking for some reasoning why this PaaS service, sharing the same screen with other PaaS services, behaves differently. There is no Note on the screen. Yes, I was able to see this in the documentation; however, it is not clear by looking at the PaaS screen in the portal.

Furthermore, how can SaaS (CRM/O365) reach an internal, private Service Bus?

JimmyArchitect commented 3 years ago

I agree with @omerzubair, it is confusing when working with private endpoints. Why, when I add a private endpoint, do I also need to create an entry in the Selected Networks to avoid the Service Bus being available externally? Could you please provide an example, or update the document to explain how you would set it up via private endpoint only, and how it would need to be set up under the "Firewall and virtual networks" tab? This does seem to work differently to other PaaS services when I have enabled Private Link before.
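A small audit over the rule set that sits behind that portal tab, added here as an example for the thread (it is not code from the azure-docs repository or from Microsoft). It applies the statement quoted above, that "Selected networks" with no IP or VNet rule is still public because the namespace's default action stays Allow, and also recognises the private-endpoint-only setup asked about in the last comment (publicNetworkAccess=Disabled). The input dictionaries are constructed to match the shape of the Microsoft.ServiceBus/namespaces/networkRuleSets ARM resource; the namespace names, the subnet id and the `classify`/`audit` helpers are assumptions made for illustration.

```python
"""Audit Azure Service Bus network rule sets for unintended public exposure.

Added example for this issue thread, not code from azure-docs or Microsoft.
The dictionaries mimic the Microsoft.ServiceBus/namespaces/networkRuleSets
ARM resource (publicNetworkAccess, defaultAction, ipRules, virtualNetworkRules).
The sample namespaces below are constructed, not real deployments.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class Finding:
    namespace: str
    exposure: str                      # "private", "restricted" or "public"
    reasons: list[str] = field(default_factory=list)


def _parse_mask(ip_mask: str) -> Optional[ipaddress._BaseNetwork]:
    """Parse an ipRule's ipMask (single host or CIDR); None if malformed."""
    try:
        return ipaddress.ip_network(ip_mask, strict=False)
    except ValueError:
        return None


def classify(namespace: str, rule_set: dict[str, Any]) -> Finding:
    """Decide network reachability of a namespace from its rule set alone.

    Keys, SAS tokens and RBAC are out of scope: this only answers
    "which source networks can reach the endpoint at all?".
    """
    props = rule_set.get("properties", rule_set)
    f = Finding(namespace, "restricted")

    # Private endpoints only: the firewall tab no longer admits anything.
    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        f.exposure = "private"
        f.reasons.append("publicNetworkAccess=Disabled; reachable only via private endpoints")
        return f

    ip_rules = props.get("ipRules") or []
    vnet_rules = props.get("virtualNetworkRules") or []
    default_action = props.get("defaultAction", "Allow")

    # The trap discussed in the thread: choosing the radio button does not by
    # itself flip defaultAction to Deny, so with no rule everything is allowed.
    if default_action != "Deny":
        f.exposure = "public"
        f.reasons.append(
            f"defaultAction={default_action}: all sources accepted "
            f"({len(ip_rules)} IP rule(s) and {len(vnet_rules)} VNet rule(s) change nothing)"
        )
        return f

    for rule in ip_rules:
        mask = rule.get("ipMask", "")
        net = _parse_mask(mask)
        if net is None:
            f.reasons.append(f"unparseable ipMask {mask!r}")
        elif net.prefixlen == 0:
            f.exposure = "public"
            f.reasons.append(f"ipRule {mask} allows every address")
        elif net.is_private:
            # IP rules match the public source address of the caller; an RFC1918
            # entry does not identify a VNet. Use virtualNetworkRules (service
            # endpoint) or a private endpoint for VNet-only access instead.
            f.reasons.append(f"ipRule {mask} is a private range and will not match VNet traffic")

    if not ip_rules and not vnet_rules:
        f.reasons.append("defaultAction=Deny with no rules: nothing is admitted from the firewall tab")
    else:
        f.reasons.append(f"defaultAction=Deny; {len(ip_rules)} IP rule(s), {len(vnet_rules)} VNet rule(s)")
    return f


def audit(rule_sets: dict[str, dict[str, Any]]) -> dict[str, Finding]:
    """Classify every namespace in a {name: ruleSet} mapping."""
    return {name: classify(name, rs) for name, rs in rule_sets.items()}


# Constructed sample rule sets (assumed names and a placeholder subnet id).
SAMPLE_RULE_SETS: dict[str, dict[str, Any]] = {
    # "Selected networks" chosen in the portal but nothing added beneath it.
    "sb-selected-empty": {"properties": {"publicNetworkAccess": "Enabled", "defaultAction": "Allow",
                                         "ipRules": [], "virtualNetworkRules": []}},
    # The corrected form of the same tab: Deny by default plus the app subnet.
    "sb-vnet-locked": {"properties": {"publicNetworkAccess": "Enabled", "defaultAction": "Deny",
                                      "ipRules": [],
                                      "virtualNetworkRules": [{"subnet": {"id": "/subscriptions/<sub-id-placeholder>/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/app"},
                                                               "ignoreMissingVnetServiceEndpoint": False}]}},
    # Private endpoint only.
    "sb-private-only": {"properties": {"publicNetworkAccess": "Disabled", "defaultAction": "Deny",
                                       "ipRules": [], "virtualNetworkRules": []}},
    # Deny by default, but undone by a catch-all rule; plus an RFC1918 entry.
    "sb-bad-rules": {"properties": {"publicNetworkAccess": "Enabled", "defaultAction": "Deny",
                                    "ipRules": [{"ipMask": "0.0.0.0/0", "action": "Allow"},
                                                {"ipMask": "10.0.0.0/16", "action": "Allow"}],
                                    "virtualNetworkRules": []}},
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULE_SETS).items():
        print(f"{name:18} {finding.exposure:10} {'; '.join(finding.reasons)}")
```

Feed it the JSON of real namespaces (for instance, the output of your own ARM export or CLI query) instead of the constructed samples, and treat any "public" result on a namespace that was meant to be VNet-only or private-endpoint-only as the misconfiguration this thread describes.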