Contacts: Daniel Evans, CK Kashyap, Mark Franco
Host a bot behind a firewall and enable conversations with the bot using Teams. The implication of “bot behind a firewall” is that network connectivity to and from the bot is restricted to only the necessary machines (IP addresses).
The reference network architecture below illustrates how a bot can be run inside a Virtual Network (VNET) that allows traffic only to and from a set of IP addresses that belong to Microsoft Teams and Azure Bot Service (ABS). The egress traffic restrictions are set by the network rules in the firewall, and the ingress traffic restrictions are set using the Network Security Group (NSG) rules of the App GW.
Instructions to set up the ASE such that the egress traffic is routed through the firewall are here. Set the firewall to restrict traffic to only Teams and ABS by adding the following rules in a Network Rule Collection (Rules -> Network Rule Collection):
- IP Address rule – allow traffic from the subnet of the ASE to 22.214.171.124/14
- FQDN rule – allow traffic from the subnet of the ASE to login.microsoftonline.com
- FQDN rule – allow traffic from the subnet of the ASE to login.botframework.com
Restrict the ingress traffic to Teams by adding an inbound security rule to the NSG associated with the subnet of the App Gateway. As shown in the snapshot below, inbound traffic from only 126.96.36.199/14 to the subnet of the ASE is allowed.
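One way to check a deployed rule set against the allow-list described above, as an added example that is not part of the original article: the script flags firewall and custom NSG allow rules that are broader than the stated policy. The rule dictionaries are a simplified, constructed shape (not Azure's export schema), the ASE subnet `10.0.1.0/24` and all rule names are assumptions, and platform default NSG rules are out of scope.

```python
import ipaddress

# Allow-list values from the text above. ASE_SUBNET is a constructed placeholder.
ASE_SUBNET = "10.0.1.0/24"
EGRESS_RANGE = "22.214.171.124/14"
EGRESS_FQDNS = {"login.microsoftonline.com", "login.botframework.com"}
INGRESS_RANGE = "126.96.36.199/14"

def within(value, allowed):
    """True only if value is a CIDR that lies entirely inside allowed."""
    try:
        # strict=False accepts prefixes written with host bits set
        return ipaddress.ip_network(value, strict=False).subnet_of(
            ipaddress.ip_network(allowed, strict=False))
    except (ValueError, TypeError):  # "*", service tags, hostnames, IPv6 vs IPv4
        return False

def audit_egress(rules):
    """Return (rule name, reason) for each firewall allow rule outside the policy."""
    findings = []
    for r in rules:
        if not within(r["source"], ASE_SUBNET):
            findings.append((r["name"], "source is not limited to the ASE subnet"))
        if r["type"] == "ip" and not within(r["dest"], EGRESS_RANGE):
            findings.append((r["name"], "destination outside the allowed range"))
        if r["type"] == "fqdn" and r["dest"].lower() not in EGRESS_FQDNS:
            findings.append((r["name"], "FQDN not on the allow-list"))
    return findings

def audit_ingress(rules):
    """Return names of custom inbound allow rules whose source is too broad."""
    return [r["name"] for r in rules
            if r["access"] == "Allow" and not within(r["source"], INGRESS_RANGE)]

# Constructed sample rules: the ones from the text plus two common mistakes.
EGRESS = [
    {"name": "teams-ip", "type": "ip", "source": "10.0.1.0/24", "dest": "22.214.171.124/14"},
    {"name": "aad-login", "type": "fqdn", "source": "10.0.1.0/24", "dest": "login.microsoftonline.com"},
    {"name": "bot-login", "type": "fqdn", "source": "10.0.1.0/24", "dest": "login.botframework.com"},
    {"name": "debug-any", "type": "ip", "source": "10.0.0.0/16", "dest": "0.0.0.0/0"},
]
INGRESS = [
    {"name": "teams-in", "access": "Allow", "source": "126.96.36.199/14"},
    {"name": "temp-any", "access": "Allow", "source": "*"},
]

if __name__ == "__main__":
    for name, reason in audit_egress(EGRESS):
        print(f"egress  {name}: {reason}")
    for name in audit_ingress(INGRESS):
        print(f"ingress {name}: source too broad")
```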