Configure network access control

Azure SignalR Service allows you to secure and manage access to your service endpoint based on request types and network subsets. When you configure network access control rules, only applications making requests from the specified networks can access your SignalR Service.

Important

An application that accesses a SignalR Service when network access control rules are in effect still requires proper authorization for the request.

Public Network Access

We offer a single, unified switch to simplify the configuration of public network access. The switch has following options:

• Disabled: Completely blocks public network access. All other network access control rules are ignored for public networks.
• Enabled: Allows public network access, which is further regulated by additional network access control rules.

Configure Public Network Access via Portal

1. Go to the SignalR Service instance you want to secure.

2. Select Networking from the left side menu. Select Public access tab:

   

3. Select Disabled or Enabled.

4. Select Save to apply your changes.

Configure Public Network Access via Bicep

The following template disables public network access:

resource signalr 'Microsoft.SignalRService/SignalR@2024-08-01-preview' = {
  name: 'foobar'
  location: 'eastus'
  properties: {
    publicNetworkAccess: 'Disabled'
  }
}

Default Action

The default action is applied when no other rule matches.

Configure Default Action via Portal

1. Go to the SignalR Service instance you want to secure.

2. Select Network access control from the left side menu.

   

3. To edit the default action, toggle the Allow/Deny button.

4. Select Save to apply your changes.

Configure Default Action via Bicep

The following template sets the default action to Deny.

resource signalr 'Microsoft.SignalRService/SignalR@2024-08-01-preview' = {
  name: 'foobar'
  location: 'eastus'
  properties: {
    networkACLs: {
        defaultAction: 'Deny'
    }
}

Request Type Rules

You can configure rules to allow or deny specified request types for both the public network and each private endpoint.

For example, Server Connections are typically high-privileged. To enhance security, you may want to restrict their origin. You can configure rules to block all Server Connections from public network, and only allow they originate from a specifiec virtual network.

If no rule matches, the default action is applied.

Configure Request Type Rules via Portal

1. Go to the SignalR Service instance you want to secure.

2. Select Network access control from the left side menu.

   

3. To edit public network rule, select allowed types of requests under Public network.

   

4. To edit private endpoint network rules, select allowed types of requests in each row under Private endpoint connections.

   

5. Select Save to apply your changes.

Configure Request Type Rules via Bicep

The following template denies all requests from the public network except client connections. Additionally, it allows only Server Connections, REST API calls, and Trace calls from a specific private endpoint.

The name of the private endpoint connection can be inspected in the privateEndpointConnections sub-resource. It's automatically generated by the system.

resource signalr 'Microsoft.SignalRService/SignalR@2024-08-01-preview' = {
  name: 'foobar'
  location: 'eastus'
  properties: {
    networkACLs: {
        defaultAction: 'Deny'
        publicNetwork: {
            allow: ['ClientConnection']
        }
        privateEndpoints: [
            {
                name: 'foo.8e4d6671-8d62-4bb7-8c41-827dde9c1a05'
                allow: ['ServerConnection', 'ClientConnection', 'RESTAPI', 'Trace']
            }
        ]
    }
}

IP Rules

IP rules allow you to grant or deny access to specific public internet IP address ranges. These rules can be used to permit access for certain internet-based services and on-premises networks or to block general internet traffic.

The following restrictions apply:

• You can configure up to 30 rules.
• Address ranges must be specified using CIDR notation, such as 16.17.18.0/24. Both IPv4 and IPv6 addresses are supported.
• IP rules are evaluated in the order they are defined. If no rule matches, the default action is applied.
• IP rules apply only to public traffic and cannot block traffic from private endpoints.

Configure IP Rules via Portal

1. Go to the SignalR Service instance you want to secure.

2. Select Networking from the left side menu. Select Access control rules tab:

   

3. Edit the list under IP rules section.

4. Select Save to apply your changes.

Configure IP Rules via Bicep

The following template has these effects:

• Requests from 123.0.0.0/8 and 2603::/8 are allowed.
• Requests from all other IP ranges are denied.

resource signalr 'Microsoft.SignalRService/SignalR@2024-08-01-preview' = {
  name: 'foobar'
  location: 'eastus'
  properties: {
    networkACLs: {
      defaultAction: 'Deny'
      ipRules: [
        {
          value: '123.0.0.0/8'
          action: 'Allow'
        }
        {
          value: '2603::/8'
          action: 'Allow'
        }
        {
          value: '0.0.0.0/0'
          action: 'Deny'
        }
        {
          value: '::/0'
          action: 'Deny'
        }
      ]
    }
  }
}

Next steps

Learn more about Azure Private Link.