
Clarification on Bot WebApp communication to the Azure Bot Service

Open LucianFrango opened this issue 2 years ago • 2 comments

Can there please be clarity on the communication flow from the App Service hosting the bot to the Azure Bot Connector service? My understanding is that the Bot would still need to communicate outbound from the App Service to the Bot Connector service.

Can you please confirm if Teams would also need to communicate to the Bot Connector service? So that process would be direct to the Bot Connector, via public IP/internet.

Lastly, Private Link does not outline the Azure Bot Service/Connector as an available service that PL supports; see https://docs.microsoft.com/en-us/azure/private-link/availability. So does this solution align to that?



LucianFrango avatar Mar 10 '22 04:03 LucianFrango

@LucianFrango Thanks for the feedback! I have assigned the issue to the content author to investigate further and update the document as appropriate.

MayankBargali-MSFT avatar Mar 10 '22 16:03 MayankBargali-MSFT

@MayankBargali-MSFT @LucianFrango Hi,

do you know if there is any update on the case? I am interested and I don't know how to do it; I have the same problem as @LucianFrango.

clibreroacevedo avatar Aug 09 '22 08:08 clibreroacevedo

@LucianFrango,

Sorry for the delay.

The bot application logic is hosted in Azure App Service. The App Service is moved to private mode:

  • The incoming message is managed by the App Service private endpoint. It cannot be accessed from the internet.

  • The outgoing message is controlled by App Service Integration. All the traffic is sent to a private VNet and then controlled by VNet rules.

The VNet has an Azure Firewall that exposes a single public IP address that clients can use to communicate with the underlying bot services. The route table associated with it instructs Azure to route traffic that isn't within the address prefix of any other route to the subnet where the Azure Firewall instance is deployed. The outbound App Service traffic then arrives at the Azure Firewall, which manages the internet connectivity, and in that way the message arrives at Teams.

The incoming traffic from Teams arrives at the Azure Firewall, the app domain name is translated to the Private Link IP inside the VNet, and finally the traffic arrives at the App Service.

I will close the ticket. If you would like to help add more details to the article, you might consider submitting an update as a contribution, see: http://aka.ms/aac/contribute for details.

#please-close

v-fearam avatar May 24 '23 15:05 v-fearam
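The layout described in the answer above, written out as an added Bicep example. This is not code from the thread or from the Architecture Center article; resource names, address ranges and the firewall's private IP (assumed to be 10.10.0.4, the first usable address of the /26) are assumptions for illustration. It shows the three pieces the answer relies on: a route table whose single 0.0.0.0/0 route sends integration-subnet traffic to the firewall, an App Service with public access disabled, VNet integration and "route all" enabled so that every outbound connection (including the bot-to-Bot-Connector traffic the question asks about) leaves through the firewall, and a private endpoint plus privatelink DNS zone so the app hostname resolves to the private IP inside the VNet. The Azure Firewall itself, its public IP and the DNAT rule that forwards inbound Teams traffic to the private endpoint IP are assumed to exist and are not shown.

```bicep
// Added example (not from the thread or the Architecture Center article):
// the private-mode App Service layout the answer describes, as Bicep.
// Resource names, address ranges and the firewall IP are assumptions.
param location string = resourceGroup().location
param appName string = 'bot-app-example'           // assumed name
// Assumed: an Azure Firewall is already deployed into AzureFirewallSubnet with this
// private IP (the first usable address of the /26, which is where Azure places it).
param firewallPrivateIp string = '10.10.0.4'

// Route table for the integration subnet: one default route sends anything that
// matches no more specific route to the firewall, which owns internet egress.
resource egressRoutes 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-bot-egress'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// VNet: firewall subnet, a delegated subnet for App Service VNet integration (egress),
// and a subnet for the App Service private endpoint (ingress).
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-bot'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.10.0.0/26' } }
      {
        name: 'snet-integration'
        properties: {
          addressPrefix: '10.10.1.0/24'
          routeTable: { id: egressRoutes.id }
          delegations: [ { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
      { name: 'snet-private-endpoints', properties: { addressPrefix: '10.10.2.0/24' } }
    ]
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-${appName}'
  location: location
  sku: { name: 'P1v3', tier: 'PremiumV3' }
}

// The bot app: no public ingress, all egress forced into the VNet (and so to the firewall).
resource site 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    publicNetworkAccess: 'Disabled'
    virtualNetworkSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-integration')
    siteConfig: {
      vnetRouteAllEnabled: true   // without this only RFC 1918 destinations use the integration
    }
  }
}

// Private endpoint for inbound traffic, plus the privatelink DNS zone so that the
// app's hostname resolves to the endpoint's private IP inside the VNet.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-${appName}'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-private-endpoints') }
    privateLinkServiceConnections: [
      { name: 'bot-site', properties: { privateLinkServiceId: site.id, groupIds: [ 'sites' ] } }
    ]
  }
}

resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDns
  name: 'link-vnet-bot'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnet.id } }
}

resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'sites', properties: { privateDnsZoneId: privateDns.id } } ]
  }
}
```

Two checks worth making after deploying something like this: from the app's Kudu console, confirm that an outbound request shows the firewall's public IP as its source address (if it shows a platform IP, `vnetRouteAllEnabled` or the route table is not in effect), and confirm that the firewall's rules permit the HTTPS egress the bot needs to reach the Bot Connector, since with a default route in place anything the firewall does not allow is dropped rather than sent directly.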