azure-service-bus
Feature request: enable use of Private Endpoints for a standard tier of Service Bus
Description
For most use cases, the Standard tier of Service Bus is just enough. All the capabilities of the Premium tier are not always needed. However, if you want to enable secure access to a Service Bus over the Microsoft backbone network using Private Endpoints, you have to migrate your Service Bus to the Premium tier. However, the Premium tier seems to be even 60 times more expensive for basic use cases.
Actual Behavior
- Currently, in order to be secure and implement Private Endpoints, we need to migrate to the Premium tier of Service Bus. It's even mentioned in the documentation: https://docs.microsoft.com/en-us/azure/service-bus-messaging/private-link-service#important-points
Expected Behavior
- Enable the use of Private Endpoints in the Standard tier of Service Bus
Thank you for your feedback. However, we are not planning to bring this feature to the Standard tier, due to the internal constraints of our architecture. For advanced networking scenarios, such as integration with VNET, we recommend going to the premium tier.
@EldertGrootenboer have you considered something in between? Some capabilities of the Premium tier, but with pricing that isn't 60 times more expensive. In our case at least, it means that we will need to replace it, e.g. with Kafka. Right now the Premium Service Bus seems simply too expensive.
@chudytom We are looking into options for bridging the pricing gap between Standard and Premium, but we don't have more details to share yet.
@EldertGrootenboer sounds promising. Thank you for the update. Any rough timeline when we can expect more updates?
No specific timelines yet, except that this is in active development.
In that case the issue should remain opened until the work is completed.
@EldertGrootenboer I agree with Sean. Can we reopen the issue?
Reopened, although important to note that this is not to track enabling private endpoint on standard tier, but for an alternative to bridge the pricing gap.
@EldertGrootenboer given how central messaging is to today's architectures and the high stakes regarding current Cyber Security audits and assessments, this is a huge turn-off for small to even large-ish projects.
I've been consulting for several startups and the decision is simply to not use Service Bus. Security will take the lead on this one. They prefer to run a RabbitMQ VM than to expose their data to the internet.
How are Solution Architects supposed to sign-off a project design that is either overly expensive, or inherently insecure?
Other services, even with Basic tier, enable private endpoints, such as App Services and SQL Database.
"Public Access" is a big no no.
The absence of private endpoints for the standard tier is even more problematic, since there is no built-in firewall for the public endpoint, as there is for example with storage accounts or other managed services. This makes the standard tier rely only on authentication for access control. And even there, SAS tokens (which are required for some use cases) are problematic since they are not bound to an identity provider such as AAD.
Maybe adding an integrated firewall for the public endpoint of standard tier similar to storage accounts would be an acceptable middleground?
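The two comments above boil down to a posture check a defender can run over their own namespaces: which tier is the namespace on, does it actually have a private endpoint connection, is the public endpoint still open, and is SAS (local) authentication still enabled. The script below is an added example and not part of this issue thread or the Service Bus project. It assumes namespace records shaped like the ARM `Microsoft.ServiceBus/namespaces` resource (`sku.tier`, `publicNetworkAccess`, `privateEndpointConnections`, `disableLocalAuth`), either nested under `properties` as in ARM or flattened to the top level as `az servicebus namespace show` prints them; the three sample namespaces are constructed for illustration.

```python
"""Audit Service Bus namespace records for the network and auth exposure
discussed in the thread. Example code added to this page; the sample
records below are constructed, not real namespaces."""
from dataclasses import dataclass
from typing import Any


@dataclass
class Finding:
    namespace: str
    severity: str  # "high" or "medium"
    message: str


def audit_namespace(ns: dict[str, Any]) -> list[Finding]:
    """Return the exposure findings for one namespace record."""
    name = ns.get("name", "<unnamed>")
    tier = (ns.get("sku") or {}).get("tier", "Unknown")
    # ARM nests these under "properties"; az CLI flattens them. Accept both.
    props = ns.get("properties", ns)
    private_endpoints = props.get("privateEndpointConnections") or []
    public_access = props.get("publicNetworkAccess", "Enabled")
    local_auth_disabled = bool(props.get("disableLocalAuth", False))

    findings: list[Finding] = []
    if tier != "Premium":
        # Only Premium supports Private Endpoints, so a Standard/Basic
        # namespace is reachable through its public endpoint and relies
        # on authentication alone for access control.
        findings.append(Finding(name, "high",
            f"{tier} tier: private endpoints unavailable, public endpoint "
            "is the only data-plane path"))
    else:
        if not private_endpoints:
            findings.append(Finding(name, "medium",
                "Premium tier but no private endpoint connection configured"))
        if public_access != "Disabled":
            # A private endpoint alone does not close the public endpoint.
            findings.append(Finding(name, "medium",
                f"publicNetworkAccess is '{public_access}'; the public "
                "endpoint remains reachable"))
    if not local_auth_disabled:
        # SAS tokens are bearer secrets not tied to an AAD identity.
        findings.append(Finding(name, "medium",
            "SAS (local) auth enabled: access is not bound to an AAD identity"))
    return findings


def audit_all(namespaces: list[dict[str, Any]]) -> dict[str, list[Finding]]:
    """Audit every record and key the findings by namespace name."""
    return {ns.get("name", "<unnamed>"): audit_namespace(ns) for ns in namespaces}


# Constructed sample records (az CLI flattened shape); not real resources.
SAMPLE_NAMESPACES: list[dict[str, Any]] = [
    {   # Standard tier: no private endpoint possible, SAS still on
        "name": "sb-orders-std",
        "sku": {"name": "Standard", "tier": "Standard"},
        "publicNetworkAccess": "Enabled",
        "privateEndpointConnections": [],
        "disableLocalAuth": False,
    },
    {   # Premium with a private endpoint, but public access and SAS left on
        "name": "sb-orders-prem-open",
        "sku": {"name": "Premium", "tier": "Premium", "capacity": 1},
        "publicNetworkAccess": "Enabled",
        "privateEndpointConnections": [{"id": "/placeholder/pe-connection-1"}],
        "disableLocalAuth": False,
    },
    {   # Premium, private endpoint only, AAD-only authentication
        "name": "sb-orders-prem-locked",
        "sku": {"name": "Premium", "tier": "Premium", "capacity": 1},
        "publicNetworkAccess": "Disabled",
        "privateEndpointConnections": [{"id": "/placeholder/pe-connection-2"}],
        "disableLocalAuth": True,
    },
]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_NAMESPACES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Feeding it real data means running `az servicebus namespace show` (or `list`) and loading the JSON; the Standard-tier finding is the one this thread is about, and the `disableLocalAuth` check is the practical answer to the SAS concern on any tier.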
@EldertGrootenboer do we have any progress on bridging the gap between the Standard and Premium tiers of Service Bus? It's been over a year since we had any information about the progress.
Thank you for your feedback on this item. We are currently actively investigating the possibilities around this feature, however we currently don't have an ETA on when development might start on this. We encourage everyone to share the scenarios where they would like to use this feature, to help us shape it in the best way.