1. Private Access to Azure Event Hub via DNS


    To create private access to an Azure Event Hub via DNS, we will use multiple Pulumi resources from the azure-native provider. The general steps are as follows:

    1. Create an Azure Event Hubs Namespace: This will serve as a container for the Event Hub and also dictate the region and features available to the Event Hub.
    2. Create an Event Hub: The Event Hub within the Namespace is the actual data stream resource where the event data will be sent.
    3. Configure a Namespace Virtual Network Rule: This restricts access to the Event Hubs Namespace to a specific virtual network (VNet) and a specific subnet within that VNet.
    4. Configure DNS for Private Endpoints: Create a private DNS zone and link it with the virtual network to resolve the private endpoint of the Event Hub.

    The following program will set up these resources using Pulumi with Python. Each resource within the program is annotated with comments to explain its purpose:

    import pulumi from pulumi_azure_native import eventhub as azure_eventhub from pulumi_azure_native import network as azure_network from pulumi_azure_native import resources as azure_resources # Replace these variables with your own desired settings resource_group_name = 'myResourceGroup' location = 'eastus' namespace_name = 'myEventHubNamespace' event_hub_name = 'myEventHub' vnet_name = 'myVNet' subnet_name = 'mySubnet' dns_zone_name = 'privatelink.servicebus.windows.net' # Create an Azure Resource Group resource_group = azure_resources.ResourceGroup('resource_group', resource_group_name=resource_group_name) # Create an Event Hubs Namespace namespace = azure_eventhub.Namespace('namespace', resource_group_name=resource_group.name, namespace_name=namespace_name, location=location, sku=azure_eventhub.SkuArgs( name='Standard', )) # Create an Event Hub within the Namespace event_hub = azure_eventhub.EventHub('event_hub', resource_group_name=resource_group.name, namespace_name=namespace.name, event_hub_name=event_hub_name) # Create a Virtual Network vnet = azure_network.VirtualNetwork('vnet', resource_group_name=resource_group.name, virtual_network_name=vnet_name, location=location, address_space=azure_network.AddressSpaceArgs( address_prefixes=[''], )) # Create a Subnet with Microsoft.ServiceBus service endpoints subnet = azure_network.Subnet('subnet', resource_group_name=resource_group.name, virtual_network_name=vnet.name, subnet_name=subnet_name, address_prefix='', service_endpoints=['Microsoft.ServiceBus']) # Create a Private DNS Zone dns_zone = azure_network.PrivateZone('dns_zone', resource_group_name=resource_group.name, location='global', private_zone_name=dns_zone_name) # Link the DNS Zone to the VNet dns_link = azure_network.VirtualNetworkLink('dns_link', resource_group_name=resource_group.name, private_zone_name=dns_zone.name, virtual_network_link_name='link1', location='global', virtual_network=azure_network.SubResourceArgs( id=vnet.id, ), registration_enabled=True) # Configure Namespace Virtual Network Rule to secure the Namespace to only VNet private access network_rule = azure_eventhub.NamespaceVirtualNetworkRule('network_rule', resource_group_name=resource_group.name, namespace_name=namespace.name, virtual_network_rule_name='default', virtual_network_subnets=[azure_eventhub.SubnetArgs( id=subnet.id, )]) # Create a Private Endpoint for the Event Hubs Namespace private_endpoint = azure_network.PrivateEndpoint('private_endpoint', resource_group_name=resource_group.name, private_endpoint_name=namespace_name + '-endpoint', location=location, private_link_service_connections=[azure_network.PrivateLinkServiceConnectionArgs( name=namespace_name + '-pls-connection', private_link_service_id=namespace.id, )], subnet=azure_network.SubnetArgs( id=subnet.id, )) # Export the Event Hub Namespace and Event Hub name for later use pulumi.export('event_hub_namespace', namespace.name) pulumi.export('event_hub_name', event_hub.name)

    This program does several things:

    • It creates a new resource group that will contain all of the resources.
    • It sets up an Event Hubs Namespace which is a management container for Event Hubs.
    • It defines that Namespace to only accept traffic from a specific subnet within a virtual network, securing it so that traffic to the Event Hub can only originate from within that subnet.
    • It sets up a private DNS zone which is used to resolve the private endpoint to the Event Hub within the virtual network, ensuring that DNS resolution is private and the Event Hub isn't accessible from the public Internet.
    • Finally, it creates a private endpoint for the Event Hub, further securing network access.

    Ensure that the subnet you reference in rule creation exists and has the appropriate service endpoint enabled (Microsoft.ServiceBus). The registration_enabled property on the DNS zone link registers the private endpoint with the DNS zone, which is necessary for name resolution within the VNet.

    Replace "myResourceGroup", "eastus", "myEventHubNamespace", "myEventHub", "myVNet", "mySubnet", and "privatelink.servicebus.windows.net" with your own values as appropriate.

    Running this program will deploy the infrastructure as code, handling the creation and configuration of the Azure resources necessary to provide private access to an Azure Event Hub via DNS. Remember to install the pulumi-azure-native Pulumi package before running this program.