Open outbound port requirements and IP address whitelisting


Open outbound ports

We often get questions on which ports need to be open or how do I know which IP address to white list in my firewall.

Here is a short summary and a few references which should clarify the topic for outbound ports:

First of all it depends on if you use the old or the new client or if you use the rest APIs. The AMQP protocol guide actually has good guidance in the below article, under the section "Connections and Sessions":

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-protocol-guide

Key points from above article:

  • Azure Service Bus requires the use of TLS at all times.
  • It supports connections over TCP port 5671 and over TCP port 5672. The server immediately offers a mandatory upgrade to TLS using the AMQP-prescribed model. The AMQP WebSockets binding creates a tunnel over TCP port 443 that is then equivalent to AMQP 5671 connections.
  • Both modern (.Net Standard and Java) clients use AMQP, hence the above guidance applies.
  • The older .NET library has a custom, WCF based protocol that used TCP over port 9354 (called SBMP, SB Messaging Protocol).
  • If you solely use our rest API you may be able to open only port 443.

IP address white listing

To find the right IP addresses to white list for your connections you can for example do the following. Either copy the namespace URL from the connection string or typically you can just use YourNamespaceName.servicebus.windows.net and then open a command prompt and execute: nslookup YourNamespaceName.servicebus.windows.net. The IP address returned in "Non-authoritative answer" is what you are looking for.

Please note: This IP address is static. The only point in time it would change is if we e.g. would restore the namespace on to a different cluster which is not anything we would normally do without some severe incident happening.

Comments (0)

Skip to main content