Ensure Service Bus namespaces disable public network access

Category: Controls

High

Applies to: Microsoft Azure

Coverage: 1 query

Asset types: 1 covered

Overview

Service Bus should not be directly reachable from public networks when private connectivity can be used.

Remediation guidance

Azure Remediation

Service-wide fix (recommended): move sensitive Service Bus workloads to private connectivity and make public exposure an explicit exception.

When to use service-wide remediation

Use the service-wide path when many namespaces are exposed or when messaging is part of a platform service used by multiple teams.

Azure portal

  1. Open the affected Service Bus namespace.
  2. Go to Networking.
  3. Set Public network access to Disabled.
  4. Create and approve a Private endpoint for each network that must connect.
  5. Validate that name resolution and client connectivity work over the private path.

Azure CLI

Update the namespace network rule set to disable public network access:

az servicebus namespace network-rule-set update \
  --resource-group <resource-group> \
  --namespace-name <namespace-name> \
  --public-network-access Disabled

Validate the setting:

az servicebus namespace network-rule-set show \
  --resource-group <resource-group> \
  --namespace-name <namespace-name>

Operational notes

  • Private endpoints and the Networking experience are strongest in Premium tier deployments. If your current tier cannot support the target architecture, plan a migration instead of accepting permanent public exposure.
  • If you must keep public access temporarily, restrict exposure with selected networks and IP rules while the private connectivity rollout is being completed.

References

  • https://learn.microsoft.com/en-us/azure/service-bus-messaging/network-security
  • https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-service-endpoints
  • https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace/network-rule-set?view=azure-cli-lts

Query logic

These are the stored checks tied to this control.

Service Bus namespaces with public network enabled

Connectors: Microsoft Azure

Covered asset types: SBNamespace

Expected check: eq []

{
  sbNamespaces(where: { publicNetworkAccess_NOT: "Disabled" }) {
    ...AssetFragment
  }
}
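
An added example, not Cyscale's or Microsoft's code: the stored check's predicate applied to a namespace list saved with `az servicebus namespace list -o json`, with each finding triaged in the order the remediation steps give. The JSON field names, the triage labels and the sample values are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `az servicebus namespace list -o json`.
# Field names are assumptions about that output; all values are made up.
SAMPLE = [
    {"name": "sb-orders", "sku": {"tier": "Premium"}, "publicNetworkAccess": "Enabled",
     "privateEndpointConnections": [
         {"privateLinkServiceConnectionState": {"status": "Approved"}}]},
    {"name": "sb-billing", "sku": {"tier": "Premium"}, "publicNetworkAccess": "Enabled",
     "privateEndpointConnections": []},
    {"name": "sb-legacy", "sku": {"tier": "Standard"}, "publicNetworkAccess": "Enabled",
     "privateEndpointConnections": None},
    {"name": "sb-core", "sku": {"tier": "Premium"}, "publicNetworkAccess": "Disabled"},
    {"name": "sb-old-api", "sku": {"tier": "Premium"}},  # field absent
]


def has_approved_endpoint(ns):
    """True if at least one private endpoint connection is Approved."""
    conns = ns.get("privateEndpointConnections") or []
    return any(
        (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
        for c in conns)


def next_step(ns):
    """Hypothetical triage labels that follow the page's remediation order."""
    if (ns.get("sku") or {}).get("tier") != "Premium":
        return "restrict-ip-rules-and-plan-tier-migration"
    if not has_approved_endpoint(ns):
        return "create-and-approve-private-endpoint"
    return "disable-public-network-access"


def exposed_namespaces(namespaces):
    """Stored-check predicate; a missing or null value counts as exposed."""
    return [{"name": ns["name"], "next_step": next_step(ns)}
            for ns in namespaces
            if ns.get("publicNetworkAccess") != "Disabled"]


if __name__ == "__main__":
    data = SAMPLE  # or pass a file saved from the CLI as the first argument
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for finding in exposed_namespaces(data):
        print(finding)
```

An empty result corresponds to the control's expected check, `eq []`.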