0
# Security and Access Control
1
2
Comprehensive security management for Azure Event Hub including authorization rules, access keys, network security, private endpoints, and managed identity configuration. These capabilities ensure secure, controlled access to Event Hub resources in enterprise environments.
3
4
## Capabilities
5
6
### Authorization Rules Management
7
8
Authorization rules control access permissions to namespaces and Event Hubs, defining what operations (Manage, Send, Listen) clients can perform with associated connection strings and access keys.
9
10
```python { .api }
11
class NamespacesOperations:
12
def list_authorization_rules(
13
self,
14
resource_group_name: str,
15
namespace_name: str,
16
**kwargs
17
) -> Iterable[AuthorizationRule]:
18
"""List namespace authorization rules."""
19
20
def create_or_update_authorization_rule(
21
self,
22
resource_group_name: str,
23
namespace_name: str,
24
authorization_rule_name: str,
25
parameters: Union[AuthorizationRule, IO[bytes]],
26
**kwargs
27
) -> AuthorizationRule:
28
"""Create or update namespace authorization rule."""
29
30
def delete_authorization_rule(
31
self,
32
resource_group_name: str,
33
namespace_name: str,
34
authorization_rule_name: str,
35
**kwargs
36
) -> None:
37
"""Delete namespace authorization rule."""
38
39
def get_authorization_rule(
40
self,
41
resource_group_name: str,
42
namespace_name: str,
43
authorization_rule_name: str,
44
**kwargs
45
) -> AuthorizationRule:
46
"""Get namespace authorization rule."""
47
48
def list_keys(
49
self,
50
resource_group_name: str,
51
namespace_name: str,
52
authorization_rule_name: str,
53
**kwargs
54
) -> AccessKeys:
55
"""Get namespace authorization rule access keys."""
56
57
def regenerate_keys(
58
self,
59
resource_group_name: str,
60
namespace_name: str,
61
authorization_rule_name: str,
62
parameters: Union[RegenerateAccessKeyParameters, IO[bytes]],
63
**kwargs
64
) -> AccessKeys:
65
"""Regenerate namespace authorization rule keys."""
66
67
class EventHubsOperations:
68
def list_authorization_rules(
69
self,
70
resource_group_name: str,
71
namespace_name: str,
72
event_hub_name: str,
73
**kwargs
74
) -> Iterable[AuthorizationRule]:
75
"""List Event Hub authorization rules."""
76
77
def create_or_update_authorization_rule(
78
self,
79
resource_group_name: str,
80
namespace_name: str,
81
event_hub_name: str,
82
authorization_rule_name: str,
83
parameters: Union[AuthorizationRule, IO[bytes]],
84
**kwargs
85
) -> AuthorizationRule:
86
"""Create or update Event Hub authorization rule."""
87
88
def delete_authorization_rule(
89
self,
90
resource_group_name: str,
91
namespace_name: str,
92
event_hub_name: str,
93
authorization_rule_name: str,
94
**kwargs
95
) -> None:
96
"""Delete Event Hub authorization rule."""
97
98
def get_authorization_rule(
99
self,
100
resource_group_name: str,
101
namespace_name: str,
102
event_hub_name: str,
103
authorization_rule_name: str,
104
**kwargs
105
) -> AuthorizationRule:
106
"""Get Event Hub authorization rule."""
107
108
def list_keys(
109
self,
110
resource_group_name: str,
111
namespace_name: str,
112
event_hub_name: str,
113
authorization_rule_name: str,
114
**kwargs
115
) -> AccessKeys:
116
"""Get Event Hub authorization rule access keys."""
117
118
def regenerate_keys(
119
self,
120
resource_group_name: str,
121
namespace_name: str,
122
event_hub_name: str,
123
authorization_rule_name: str,
124
parameters: Union[RegenerateAccessKeyParameters, IO[bytes]],
125
**kwargs
126
) -> AccessKeys:
127
"""Regenerate Event Hub authorization rule keys."""
128
```
129
130
#### Usage Example
131
132
```python
133
from azure.mgmt.eventhub.models import AuthorizationRule, AccessRights, RegenerateAccessKeyParameters, KeyType
134
135
# Create namespace-level authorization rule for full management access
136
mgmt_rule_params = AuthorizationRule(
137
rights=[AccessRights.MANAGE, AccessRights.SEND, AccessRights.LISTEN]
138
)
139
140
mgmt_rule = client.namespaces.create_or_update_authorization_rule(
141
resource_group_name="my-resource-group",
142
namespace_name="my-eventhub-namespace",
143
authorization_rule_name="FullAccessRule",
144
parameters=mgmt_rule_params
145
)
146
147
# Create Event Hub-level authorization rule for send-only access
148
send_rule_params = AuthorizationRule(
149
rights=[AccessRights.SEND]
150
)
151
152
send_rule = client.event_hubs.create_or_update_authorization_rule(
153
resource_group_name="my-resource-group",
154
namespace_name="my-eventhub-namespace",
155
event_hub_name="telemetry-events",
156
authorization_rule_name="SendOnlyRule",
157
parameters=send_rule_params
158
)
159
160
# Get access keys for the authorization rule
161
access_keys = client.namespaces.list_keys(
162
resource_group_name="my-resource-group",
163
namespace_name="my-eventhub-namespace",
164
authorization_rule_name="FullAccessRule"
165
)
166
167
print(f"Primary Connection String: {access_keys.primary_connection_string}")
168
print(f"Secondary Key: {access_keys.secondary_key}")
169
170
# Regenerate primary key for security rotation
171
regenerate_params = RegenerateAccessKeyParameters(key_type=KeyType.PRIMARY_KEY)
172
173
new_keys = client.namespaces.regenerate_keys(
174
resource_group_name="my-resource-group",
175
namespace_name="my-eventhub-namespace",
176
authorization_rule_name="FullAccessRule",
177
parameters=regenerate_params
178
)
179
```
180
181
### Network Security Management
182
183
Network security features control access to Event Hub namespaces through IP filtering, virtual network rules, and default access policies to secure network-level access.
184
185
```python { .api }
186
class NamespacesOperations:
187
def create_or_update_network_rule_set(
188
self,
189
resource_group_name: str,
190
namespace_name: str,
191
parameters: Union[NetworkRuleSet, IO[bytes]],
192
**kwargs
193
) -> NetworkRuleSet:
194
"""Create or update network rule set."""
195
196
def get_network_rule_set(
197
self,
198
resource_group_name: str,
199
namespace_name: str,
200
**kwargs
201
) -> NetworkRuleSet:
202
"""Get network rule set."""
203
204
def list_network_rule_set(
205
self,
206
resource_group_name: str,
207
namespace_name: str,
208
**kwargs
209
) -> Iterable[NetworkRuleSet]:
210
"""List network rule sets."""
211
```
212
213
#### Usage Example
214
215
```python
216
from azure.mgmt.eventhub.models import (
217
NetworkRuleSet, DefaultAction, NWRuleSetIpRules,
218
NWRuleSetVirtualNetworkRules, NetworkRuleIPAction
219
)
220
221
# Configure network access rules
222
ip_rules = [
223
NWRuleSetIpRules(
224
ip_mask="192.168.1.0/24",
225
action=NetworkRuleIPAction.ALLOW
226
),
227
NWRuleSetIpRules(
228
ip_mask="10.0.0.0/16",
229
action=NetworkRuleIPAction.ALLOW
230
)
231
]
232
233
vnet_rules = [
234
NWRuleSetVirtualNetworkRules(
235
subnet={"id": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}"},
236
ignore_missing_vnet_service_endpoint=False
237
)
238
]
239
240
network_rule_set = NetworkRuleSet(
241
default_action=DefaultAction.DENY, # Deny by default, allow only specified IPs/VNets
242
virtual_network_rules=vnet_rules,
243
ip_rules=ip_rules,
244
trusted_service_access_enabled=True, # Allow trusted Azure services
245
public_network_access=PublicNetworkAccess.ENABLED
246
)
247
248
network_rules = client.namespaces.create_or_update_network_rule_set(
249
resource_group_name="my-resource-group",
250
namespace_name="my-eventhub-namespace",
251
parameters=network_rule_set
252
)
253
254
print(f"Network rules configured with default action: {network_rules.default_action}")
255
```
256
257
### Private Endpoint Management
258
259
Private endpoints enable secure, private connectivity to Event Hub namespaces through Azure Private Link, ensuring traffic stays within the Azure backbone network.
260
261
```python { .api }
262
class PrivateEndpointConnectionsOperations:
263
def list(
264
self,
265
resource_group_name: str,
266
namespace_name: str,
267
**kwargs
268
) -> Iterable[PrivateEndpointConnection]:
269
"""List private endpoint connections."""
270
271
def create_or_update(
272
self,
273
resource_group_name: str,
274
namespace_name: str,
275
private_endpoint_connection_name: str,
276
parameters: Union[PrivateEndpointConnection, IO[bytes]],
277
**kwargs
278
) -> PrivateEndpointConnection:
279
"""Create or update private endpoint connection."""
280
281
def begin_delete(
282
self,
283
resource_group_name: str,
284
namespace_name: str,
285
private_endpoint_connection_name: str,
286
**kwargs
287
) -> LROPoller[None]:
288
"""Delete private endpoint connection (long-running operation)."""
289
290
def get(
291
self,
292
resource_group_name: str,
293
namespace_name: str,
294
private_endpoint_connection_name: str,
295
**kwargs
296
) -> PrivateEndpointConnection:
297
"""Get private endpoint connection."""
298
299
class PrivateLinkResourcesOperations:
300
def get(
301
self,
302
resource_group_name: str,
303
namespace_name: str,
304
**kwargs
305
) -> PrivateLinkResourcesListResult:
306
"""Get private link resources."""
307
```
308
309
#### Usage Example
310
311
```python
312
from azure.mgmt.eventhub.models import (
313
PrivateEndpointConnection, ConnectionState,
314
PrivateLinkConnectionStatus
315
)
316
317
# List existing private endpoint connections
318
private_connections = client.private_endpoint_connections.list(
319
resource_group_name="my-resource-group",
320
namespace_name="my-eventhub-namespace"
321
)
322
323
for connection in private_connections:
324
print(f"Private Endpoint: {connection.name}")
325
print(f"Connection State: {connection.connection_state.status}")
326
327
# Approve a private endpoint connection
328
connection_state = ConnectionState(
329
status=PrivateLinkConnectionStatus.APPROVED,
330
description="Approved for production use"
331
)
332
333
private_endpoint_connection = PrivateEndpointConnection(
334
connection_state=connection_state
335
)
336
337
approved_connection = client.private_endpoint_connections.create_or_update(
338
resource_group_name="my-resource-group",
339
namespace_name="my-eventhub-namespace",
340
private_endpoint_connection_name="my-private-endpoint-connection",
341
parameters=private_endpoint_connection
342
)
343
344
# Get available private link resources
345
private_link_resources = client.private_link_resources.get(
346
resource_group_name="my-resource-group",
347
namespace_name="my-eventhub-namespace"
348
)
349
350
for resource in private_link_resources.value:
351
print(f"Private Link Resource: {resource.name}")
352
print(f"Group ID: {resource.group_id}")
353
print(f"Required Members: {resource.required_members}")
354
```
355
356
### Network Security Perimeter Configuration
357
358
Advanced network security perimeter management for controlling access boundaries and resource associations in enterprise environments.
359
360
```python { .api }
361
class NetworkSecurityPerimeterConfigurationOperations:
362
def list(
363
self,
364
resource_group_name: str,
365
namespace_name: str,
366
**kwargs
367
) -> Iterable[NetworkSecurityPerimeterConfiguration]:
368
"""List network security perimeter configurations."""
369
370
class NetworkSecurityPerimeterConfigurationsOperations:
371
def begin_create_or_update(
372
self,
373
resource_group_name: str,
374
namespace_name: str,
375
resource_association_name: str,
376
**kwargs
377
) -> LROPoller[None]:
378
"""Create or update network security perimeter configuration (long-running operation)."""
379
```
380
381
#### Usage Example
382
383
```python
384
# List network security perimeter configurations
385
perimeter_configs = client.network_security_perimeter_configuration.list(
386
resource_group_name="my-resource-group",
387
namespace_name="my-eventhub-namespace"
388
)
389
390
for config in perimeter_configs:
391
print(f"Configuration ID: {config.id}")
392
print(f"Perimeter: {config.network_security_perimeter}")
393
394
# Create or update network security perimeter configuration
395
perimeter_operation = client.network_security_perimeter_configurations.begin_create_or_update(
396
resource_group_name="my-resource-group",
397
namespace_name="my-eventhub-namespace",
398
resource_association_name="my-perimeter-association"
399
)
400
401
# Wait for completion
402
perimeter_operation.result()
403
print("Network security perimeter configuration updated")
404
```
405
406
## Types
407
408
```python { .api }
409
class AuthorizationRule(ProxyResource):
410
def __init__(
411
self,
412
rights: Optional[List[Union[str, AccessRights]]] = None,
413
**kwargs: Any
414
): ...
415
416
rights: Optional[List[AccessRights]]
417
418
class AccessKeys:
419
def __init__(
420
self,
421
primary_connection_string: Optional[str] = None,
422
secondary_connection_string: Optional[str] = None,
423
alias_primary_connection_string: Optional[str] = None,
424
alias_secondary_connection_string: Optional[str] = None,
425
primary_key: Optional[str] = None,
426
secondary_key: Optional[str] = None,
427
key_name: Optional[str] = None,
428
**kwargs: Any
429
): ...
430
431
class NetworkRuleSet(ProxyResource):
432
def __init__(
433
self,
434
trusted_service_access_enabled: Optional[bool] = None,
435
default_action: Optional[Union[str, DefaultAction]] = None,
436
virtual_network_rules: Optional[List[NWRuleSetVirtualNetworkRules]] = None,
437
ip_rules: Optional[List[NWRuleSetIpRules]] = None,
438
public_network_access: Optional[Union[str, PublicNetworkAccess]] = None,
439
**kwargs: Any
440
): ...
441
442
class NWRuleSetIpRules:
443
def __init__(
444
self,
445
ip_mask: Optional[str] = None,
446
action: Optional[Union[str, NetworkRuleIPAction]] = None,
447
**kwargs: Any
448
): ...
449
450
class NWRuleSetVirtualNetworkRules:
451
def __init__(
452
self,
453
subnet: Optional[Subnet] = None,
454
ignore_missing_vnet_service_endpoint: Optional[bool] = None,
455
**kwargs: Any
456
): ...
457
458
class PrivateEndpointConnection(ProxyResource):
459
def __init__(
460
self,
461
private_endpoint: Optional[PrivateEndpoint] = None,
462
connection_state: Optional[ConnectionState] = None,
463
provisioning_state: Optional[Union[str, EndPointProvisioningState]] = None,
464
**kwargs: Any
465
): ...
466
467
class ConnectionState:
468
def __init__(
469
self,
470
status: Optional[Union[str, PrivateLinkConnectionStatus]] = None,
471
description: Optional[str] = None,
472
actions_required: Optional[str] = None,
473
**kwargs: Any
474
): ...
475
476
class RegenerateAccessKeyParameters:
477
def __init__(
478
self,
479
key_type: Union[str, KeyType],
480
key: Optional[str] = None,
481
**kwargs: Any
482
): ...
483
484
# Enums
485
class AccessRights(str, Enum):
486
MANAGE = "Manage"
487
SEND = "Send"
488
LISTEN = "Listen"
489
490
class DefaultAction(str, Enum):
491
ALLOW = "Allow"
492
DENY = "Deny"
493
494
class NetworkRuleIPAction(str, Enum):
495
ALLOW = "Allow"
496
497
class PrivateLinkConnectionStatus(str, Enum):
498
PENDING = "Pending"
499
APPROVED = "Approved"
500
REJECTED = "Rejected"
501
DISCONNECTED = "Disconnected"
502
503
class KeyType(str, Enum):
504
PRIMARY_KEY = "PrimaryKey"
505
SECONDARY_KEY = "SecondaryKey"
506
507
class PublicNetworkAccess(str, Enum):
508
ENABLED = "Enabled"
509
DISABLED = "Disabled"
510
SECURED_BY_PERIMETER = "SecuredByPerimeter"
511
```