title Export IoT Central data to a secure virtual network destination
description Learn how to use IoT Central data export to send data to a destination in a secure virtual network. Data export destinations include Blob Storage and Azure Event Hubs.
author dominicbetts
ms.author dobett
ms.date 10/22/2024
ms.topic how-to
ms.service azure-iot-central
services iot-central
ms.custom sfi-image-nochange

Export data to a secure destination on an Azure Virtual Network

Data export in IoT Central lets you continuously stream device data to destinations such as Azure Blob Storage, Azure Event Hubs, Azure Service Bus Messaging, or Azure Data Explorer. You can lock down these destinations by using Azure Virtual Network and private endpoints.

Currently, it's not possible to connect an IoT Central application directly to a virtual network for data export. However, because IoT Central is a trusted Azure service, it's possible to configure an exception to the firewall rules and connect to a secure destination on a virtual network. In this scenario, you typically use a managed identity to authenticate and authorize with the destination.

Prerequisites

Configure the destination service

To configure Azure Blob Storage to use a virtual network and private endpoint see:

To configure Azure Event Hubs to use a virtual network and private endpoint see:

To configure Azure Service Bus Messaging to use a virtual network and private endpoint see:

Configure the firewall exception

To allow IoT Central to connect to a destination on a virtual network, enable a firewall exception on the virtual network to allow connections from trusted Azure services.

To configure the exception in the Azure portal for Azure Blob Storage, navigate to Networking > Firewalls and virtual networks. Then select Allow Azure services on the trusted services list to access this storage account:

:::image type="content" source="media/howto-connect-secure-vnet/blob-storage-exception.png" alt-text="Screenshot from Azure portal that shows firewall exception for Azure Blob Storage virtual network.":::

To configure the exception in the Azure portal for Azure Event Hubs, navigate to Networking > Public access. Then select Yes to allow trusted Microsoft services to bypass this firewall:

:::image type="content" source="media/howto-connect-secure-vnet/event-hubs-exception.png" alt-text="Screenshot from Azure portal that shows firewall exception for Azure Event Hubs virtual network.":::

To configure the exception in the Azure portal for Azure Service Bus, navigate to Networking > Public access. Then select Yes to allow trusted Microsoft services to bypass this firewall:

:::image type="content" source="media/howto-connect-secure-vnet/service-bus-queue-exception.png" alt-text="Screenshot from Azure portal that shows firewall exception for Azure Service Bus virtual network.":::
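To confirm the settings after you change them in the portal, you can audit the exported network rules of each destination. The following script is an added example, not part of the original article: it checks that the firewall still denies by default and that the trusted-services exception is on. The JSON field names (`defaultAction`, `bypass`, `trustedServiceAccessEnabled`) are assumptions about the shape of the Azure CLI network rule output, and the sample documents are constructed.

```python
import json

# Constructed samples (name, kind, JSON). Assumed to match the output of
# `az storage account show --query networkRuleSet` and of
# `az eventhubs|servicebus namespace network-rule-set show`.
SAMPLES = [
    ("blob-ok", "storage",
     '{"defaultAction": "Deny", "bypass": "Logging, Metrics, AzureServices"}'),
    ("blob-no-exception", "storage",
     '{"defaultAction": "Deny", "bypass": "None"}'),
    ("eventhubs-ok", "namespace",
     '{"defaultAction": "Deny", "trustedServiceAccessEnabled": true}'),
    ("servicebus-open", "namespace",
     '{"defaultAction": "Allow", "trustedServiceAccessEnabled": false}'),
]


def audit(kind, rules):
    """Return a list of findings for one destination's network rule set."""
    findings = []
    # A missing value is treated as Allow so that an incomplete export is flagged.
    if str(rules.get("defaultAction", "Allow")).lower() != "deny":
        findings.append("default action is not Deny: destination is not locked down")
    if kind == "storage":
        # Storage lists bypass categories as a comma-separated string.
        bypass = {b.strip().lower() for b in (rules.get("bypass") or "").split(",")}
        trusted = "azureservices" in bypass
    else:
        # Event Hubs and Service Bus namespaces use a boolean flag.
        trusted = rules.get("trustedServiceAccessEnabled") is True
    if not trusted:
        findings.append("trusted-services exception is off: IoT Central export is blocked")
    return findings


def audit_all(samples=SAMPLES):
    """Audit every sample and return {name: [findings]}."""
    return {name: audit(kind, json.loads(doc)) for name, kind, doc in samples}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "; ".join(findings))
```
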

Next steps

Now that you've learned how to export data to a destination locked down on a virtual network, here's the suggested next step:

[!div class="nextstepaction"] Administer your application.