2

Azure Event Grid allows an HTTPS endpoint (my webhook event handler) to be registered with a subscriber for a topic. So when an event is received by the topic that matches the subscription filter criteria, the event is pushed by Event Grid to my HTTPS endpoint.

I have a use case where my HTTPS endpoint requires a client certificate to be supplied with this HTTP push mechanism by Event Grid.

  1. Does Event Grid allow a way to attach/configure a client certificate, related to my webhook HTTPS endpoint? If so, how do I configure this?
  2. If the client certificate functionality (for push) is currently not available in Event Grid, what are the other easier security mechanisms that I can employ to keep out unwanted and malicious events pushed by non-Event Grid publishers? (Other than firewall rules, whitelisting of IPs, etc.)

Thanks.

Raghu

2 Answers

1

For your scenario, an EventGridTrigger Function can be used as a subscriber-integrator to your client endpoint. This function will handle forwarding an event message based on your needs.

Update: Another option, using a declarative integration for delivering Event Grid events to the HTTPS endpoint with client certificate authorization, is subscribing with Logic Apps and then forwarding to the custom endpoint. The following screen snippet shows this case:

enter image description here

Note that Azure Event Grid supports customizing a webhook subscriber endpoint only at the URL address (including a query string). That's documented at https://learn.microsoft.com/en-us/azure/event-grid/security-authentication, as commented by @KenWMSFT.

Roman Kiss
  • Is this not equivalent to writing custom code for delivery? If so, I am trying to avoid writing any custom code during delivery of the message to subscribers. – Raghu Jan 14 '19 at 22:03
  • Yes, this integration requires very lightweight programming (as a part of the serverless architecture) in the Azure Function. For the other option, using a declarative integration, see my update. – Roman Kiss Jan 15 '19 at 08:07
  • Thank you for the detailed explanation. – Raghu Jan 15 '19 at 19:52
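
Because the webhook URL, including its query string, is the only part of the delivery that can be customized, a handler can require a shared secret in that query string and reject every other POST before parsing it. The following is an added example, not code from the answers or from Microsoft; the parameter name `code`, the host `handler.example` and the secret value are constructed, and events are assumed to arrive in the Event Grid event schema (a JSON array).

```python
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed value for illustration; load the real one from a secret store.
EXPECTED_SECRET = "constructed-example-secret"
VALIDATION_EVENT = "Microsoft.EventGrid.SubscriptionValidationEvent"


def handle_webhook(url: str, body: bytes, secret: str = EXPECTED_SECRET):
    """Return (status, response_dict) for one POST to the webhook.

    `url` is the request URL as registered on the subscription, e.g.
    https://handler.example/api/events?code=<secret> (hypothetical names).
    """
    supplied = parse_qs(urlsplit(url).query).get("code", [])
    # Require exactly one value and compare it in constant time,
    # before any of the untrusted body is parsed.
    if len(supplied) != 1 or not hmac.compare_digest(
        supplied[0].encode(), secret.encode()
    ):
        return 401, {"error": "unauthorized"}

    try:
        events = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return 400, {"error": "invalid JSON"}
    if not isinstance(events, list):
        return 400, {"error": "expected an array of events"}

    accepted = []
    for event in events:
        if not isinstance(event, dict):
            return 400, {"error": "malformed event"}
        if event.get("eventType") == VALIDATION_EVENT:
            # Subscription handshake: echo the validation code back so
            # Event Grid accepts this endpoint for the subscription.
            data = event.get("data")
            code = data.get("validationCode") if isinstance(data, dict) else None
            return 200, {"validationResponse": code}
        accepted.append(event.get("id"))
    return 200, {"accepted": accepted}
```

The secret travels in the URL, so it should be kept out of access logs and rotated by updating the subscription's endpoint.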
1

Both of Roman's answers should work quite well. Depending on your particular constraints and throughput, a third option would be to use Hybrid Connections as an intermediary.

This would involve adding a bit of code at your event handling endpoint to open a WebSocket connection to Hybrid Connections, and then routing your events from Event Grid to Hybrid Connections.

This should allow you to fully circumvent your client certificate issue and would allow for high throughput. The downside is adding some client-side code to open the WebSocket. The best solution for you is highly dependent on your requirements.

Here is a sample on using Hybrid Connections to route events if you choose to go that route.

Bahram Banisadr