microsoftgraph / microsoft-graph-comms-samples

Microsoft Graph Communications Samples
MIT License

Recommended way to secure Application Hosted Media bot #342

Open paulnearney opened 3 years ago

paulnearney commented 3 years ago

I have an application hosted media bot that only places calls into Teams - it doesn't listen for incoming Teams calls.

Given the application's HTTPS endpoint and media socket are open to the internet, what is the recommended way to ensure they can only be accessed by Teams? I have tried using "AzureBotService" service tag on the inbound firewall rules, but didn't receive any Teams traffic. Is there another service tag I should be using?

Also, how does this advice change for bots that are not hosted in Azure?

paulnearney commented 3 years ago

Is there any update on this please?

paulnearney commented 3 years ago

My customer is getting close to going live with our service, and understandably is nervous about having their web service completely open to the world. Is it possible to get an answer on this please?

1fabi0 commented 3 years ago

The Authorization Handler for the Communications Client that Microsoft uses in these samples works with an OAuth flow and only allows traffic from Teams, but if you want to secure all API endpoints you should register your API and use a proper auth flow, e.g. with ClientId and Secret for ASP.NET Core.

paulnearney commented 3 years ago

Thanks, @1fabi0 - you're right in that the auth provider will validate the auth token coming from the calls from Microsoft, which at least ensures that our traffic comes from the right place. However, this does not do anything to protect us from e.g. DDoS attacks, and adds a small amount of load to the bot. I'd prefer to make sure that all traffic that actually gets as far as the bots is already verified. I could build a service that sits closer to the edge to handle this, but given that everything is Microsoft (Teams, Azure), I'd expect there to be a service tag we could configure in an inbound rule.

1fabi0 commented 3 years ago

Yes, but I guess this is then not a bot-related thing, because then you are searching for a NAT rule that only allows Azure traffic, and I think that is not as easy as you expect, because Azure is not just a private network; it's a big WAN that's everywhere, interacting with the internet. So you should write your own reverse proxy that does this stuff, or you just accept the risk of DDoS and scale in case of DDoS of a single instance of your bot.

paulnearney commented 3 years ago

Well, Service Tags are Microsoft's answer to "a NAT rule that only allows Azure traffic", it just doesn't seem that there's one that identifies traffic from the Teams/Bot Framework infrastructure to a bot, which is surprising. Would still appreciate an official answer on this if anyone from Microsoft is listening.
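
An added example, not part of any comment above and not code from the samples repository: a sketch of the source-address check an edge proxy like the one discussed in this thread could run against a service tag's published prefixes. The tag name `ExampleTag`, the documentation-range prefixes and the function names are assumptions; the thread does not identify a tag that covers Teams traffic.

```python
import ipaddress
import json

# Constructed sample in the layout of Azure's downloadable service-tag file.
# "ExampleTag"/"OtherTag" and the documentation-range prefixes are placeholders.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "ExampleTag",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "OtherTag",
         "properties": {"addressPrefixes": ["198.51.100.0/25"]}},
    ],
})


def load_tag_networks(doc, tag_name):
    """Return the IPv4/IPv6 networks published for one service tag."""
    for entry in json.loads(doc).get("values", []):
        if entry.get("name") == tag_name:
            prefixes = entry.get("properties", {}).get("addressPrefixes", [])
            return [ipaddress.ip_network(p, strict=False) for p in prefixes]
    # Fail closed: an unknown tag must not turn into an empty, silent allowlist.
    raise KeyError(f"service tag not found: {tag_name}")


def is_allowed(source_ip, networks):
    """True if the connection's peer address falls inside one of the networks.

    Pass the socket peer address here; a client-supplied header such as
    X-Forwarded-For is only usable behind a proxy you control.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable address: reject
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    nets = load_tag_networks(SAMPLE_SERVICE_TAGS, "ExampleTag")
    for ip in ("203.0.113.10", "::ffff:203.0.113.10", "198.51.100.5"):
        print(ip, "allow" if is_allowed(ip, nets) else "deny")
```

A filter like this only narrows who can reach the bot; the token validation described earlier in the thread still decides whether a request is genuine.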