1. Private Access to Azure Event Hub via DNS

    Python

    To create private access to an Azure Event Hub via DNS, we will use multiple Pulumi resources from the azure-native provider. The general steps are as follows:

    1. Create an Azure Event Hubs Namespace: This will serve as a container for the Event Hub and also dictate the region and features available to the Event Hub.
    2. Create an Event Hub: The Event Hub within the Namespace is the actual data stream resource where the event data will be sent.
    3. Configure a Namespace Virtual Network Rule: This restricts access to the Event Hubs Namespace to a specific virtual network (VNet) and a specific subnet within that VNet.
    4. Configure DNS for Private Endpoints: Create a private DNS zone and link it with the virtual network to resolve the private endpoint of the Event Hub.

    The following program will set up these resources using Pulumi with Python. Each resource within the program is annotated with comments to explain its purpose:

    ```python
    import pulumi
    from pulumi_azure_native import eventhub as azure_eventhub
    from pulumi_azure_native import network as azure_network
    from pulumi_azure_native import resources as azure_resources

    # Replace these variables with your own desired settings
    resource_group_name = 'myResourceGroup'
    location = 'eastus'
    namespace_name = 'myEventHubNamespace'
    event_hub_name = 'myEventHub'
    vnet_name = 'myVNet'
    subnet_name = 'mySubnet'
    dns_zone_name = 'privatelink.servicebus.windows.net'

    # Create an Azure Resource Group
    resource_group = azure_resources.ResourceGroup('resource_group',
        resource_group_name=resource_group_name)

    # Create an Event Hubs Namespace
    namespace = azure_eventhub.Namespace('namespace',
        resource_group_name=resource_group.name,
        namespace_name=namespace_name,
        location=location,
        sku=azure_eventhub.SkuArgs(
            name='Standard',
        ))

    # Create an Event Hub within the Namespace
    event_hub = azure_eventhub.EventHub('event_hub',
        resource_group_name=resource_group.name,
        namespace_name=namespace.name,
        event_hub_name=event_hub_name)

    # Create a Virtual Network
    vnet = azure_network.VirtualNetwork('vnet',
        resource_group_name=resource_group.name,
        virtual_network_name=vnet_name,
        location=location,
        address_space=azure_network.AddressSpaceArgs(
            address_prefixes=['10.0.0.0/16'],
        ))

    # Create a Subnet with the Microsoft.ServiceBus service endpoint.
    # service_endpoints takes ServiceEndpointPropertiesFormatArgs objects, not bare strings.
    # Private endpoint network policies are disabled so the private endpoint can be placed here.
    subnet = azure_network.Subnet('subnet',
        resource_group_name=resource_group.name,
        virtual_network_name=vnet.name,
        subnet_name=subnet_name,
        address_prefix='10.0.0.0/24',
        service_endpoints=[azure_network.ServiceEndpointPropertiesFormatArgs(
            service='Microsoft.ServiceBus',
        )],
        private_endpoint_network_policies='Disabled')

    # Create a Private DNS Zone
    dns_zone = azure_network.PrivateZone('dns_zone',
        resource_group_name=resource_group.name,
        location='global',
        private_zone_name=dns_zone_name)

    # Link the DNS Zone to the VNet
    dns_link = azure_network.VirtualNetworkLink('dns_link',
        resource_group_name=resource_group.name,
        private_zone_name=dns_zone.name,
        virtual_network_link_name='link1',
        location='global',
        virtual_network=azure_network.SubResourceArgs(
            id=vnet.id,
        ),
        registration_enabled=True)

    # Configure the Namespace network rule set so that only the subnet above is allowed.
    # default_action='Deny' is what makes the VNet rule restrictive; with the default
    # 'Allow' the rule is a no-op and the namespace stays reachable from the public Internet.
    network_rule = azure_eventhub.NamespaceNetworkRuleSet('network_rule',
        resource_group_name=resource_group.name,
        namespace_name=namespace.name,
        default_action='Deny',
        virtual_network_rules=[azure_eventhub.NWRuleSetVirtualNetworkRulesArgs(
            subnet=azure_eventhub.SubnetArgs(
                id=subnet.id,
            ),
            ignore_missing_vnet_service_endpoint=False,
        )])

    # Create a Private Endpoint for the Event Hubs Namespace.
    # group_ids=['namespace'] selects the Event Hubs namespace sub-resource.
    private_endpoint = azure_network.PrivateEndpoint('private_endpoint',
        resource_group_name=resource_group.name,
        private_endpoint_name=namespace_name + '-endpoint',
        location=location,
        private_link_service_connections=[azure_network.PrivateLinkServiceConnectionArgs(
            name=namespace_name + '-pls-connection',
            private_link_service_id=namespace.id,
            group_ids=['namespace'],
        )],
        subnet=azure_network.SubnetArgs(
            id=subnet.id,
        ))

    # Register the Private Endpoint's A record in the privatelink zone so that
    # <namespace>.servicebus.windows.net resolves to the endpoint's private IP
    # from inside the VNet.
    dns_zone_group = azure_network.PrivateDnsZoneGroup('dns_zone_group',
        resource_group_name=resource_group.name,
        private_endpoint_name=private_endpoint.name,
        private_dns_zone_group_name='default',
        private_dns_zone_configs=[azure_network.PrivateDnsZoneConfigArgs(
            name='servicebus',
            private_dns_zone_id=dns_zone.id,
        )])

    # Export the Event Hub Namespace and Event Hub name for later use
    pulumi.export('event_hub_namespace', namespace.name)
    pulumi.export('event_hub_name', event_hub.name)
    ```

    This program does several things:

    • It creates a new resource group that will contain all of the resources.
    • It sets up an Event Hubs Namespace which is a management container for Event Hubs.
    • It restricts the Namespace to accept traffic only from a specific subnet within a virtual network, so that traffic to the Event Hub can only originate from within that subnet.
    • It sets up a private DNS zone that resolves the Event Hub's private endpoint within the virtual network, so that DNS resolution stays private and the Event Hub is not accessible from the public Internet.
    • Finally, it creates a private endpoint for the Event Hub, further securing network access.

    Ensure that the subnet you reference in rule creation exists and has the appropriate service endpoint enabled (Microsoft.ServiceBus). The registration_enabled property on the DNS zone link registers the private endpoint with the DNS zone, which is necessary for name resolution within the VNet.
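    As an added post-deployment check that is not part of the original program: run from a VM inside the VNet, this snippet confirms that the namespace hostname resolves only to addresses inside the VNet address space, which is the observable effect of the private DNS zone above. The namespace FQDN and the CIDR are constructed placeholders matching the program's variables.

    ```python
    import ipaddress
    import socket
    from typing import Callable, Iterable, List

    # Constructed placeholders matching the deployment above; not real resources.
    VNET_CIDR = "10.0.0.0/16"
    NAMESPACE_FQDN = "myEventHubNamespace.servicebus.windows.net"


    def classify_resolution(fqdn: str, addresses: Iterable[str], vnet_cidr: str) -> str:
        """Return 'private' when every resolved address lies inside the VNet,
        'public' when none does, and 'mixed' otherwise.

        'public' from inside the VNet usually means the VNet is not linked to the
        privatelink zone; an empty answer (NXDOMAIN) usually means the zone is
        linked but holds no A record for the private endpoint.
        """
        net = ipaddress.ip_network(vnet_cidr)
        addrs = [ipaddress.ip_address(a) for a in addresses]
        if not addrs:
            raise ValueError(f"{fqdn} did not resolve to any address")
        inside = sum(1 for a in addrs if a in net)
        if inside == len(addrs):
            return "private"
        if inside == 0:
            return "public"
        return "mixed"


    def resolve_all(fqdn: str) -> List[str]:
        """Resolve every IPv4 address the system resolver returns for fqdn."""
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})


    def check_private_access(fqdn: str, vnet_cidr: str,
                             resolver: Callable[[str], List[str]] = resolve_all) -> bool:
        """True only when fqdn resolves exclusively to addresses inside the VNet."""
        return classify_resolution(fqdn, resolver(fqdn), vnet_cidr) == "private"


    if __name__ == "__main__":
        # Expected True from a VM inside the VNet, False from outside it.
        print(check_private_access(NAMESPACE_FQDN, VNET_CIDR))
    ```
    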

    Replace "myResourceGroup", "eastus", "myEventHubNamespace", "myEventHub", "myVNet", "mySubnet", and "privatelink.servicebus.windows.net" with your own values as appropriate.

    Running this program will deploy the infrastructure as code, handling the creation and configuration of the Azure resources necessary to provide private access to an Azure Event Hub via DNS. Remember to install the pulumi-azure-native Pulumi package before running this program.