Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0082

An Event Hubs namespace with public network access enabled puts your event stream at the internet edge

Event Hubs namespaces allow traffic over the public network by default. The stream carrying your telemetry and business events is reachable from anywhere, and authentication is the only gate.

Footgun ID
AZF-0082 (Azure Footgun No. 82)
Azure service
Azure Event Hubs
Resource type
Microsoft.EventHub/namespaces
Updated
July 9, 2026

What it is

An Event Hubs namespace whose publicNetworkAccess property is set to Enabled, which is how Azure creates it. The namespace FQDN resolves publicly and accepts AMQP, Kafka, and HTTPS connections from any address on the internet. Whatever flows through those hubs, application telemetry, clickstreams, IoT readings, change feeds between systems, sits one authentication check away from anyone who finds the endpoint.

Impact (security)
Namespace endpoints (AMQP, Kafka, HTTPS) reachable from any network on the public internet, gated only by keys and identity
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Public access is the default because it is the path of least friction: the quickstart works, the Kafka client connects, the Function trigger fires, all without touching networking. Nothing in the create flow asks whether the namespace should be private, so a namespace stood up in a hurry tends to stay public.

Event Hubs also gets mentally filed as "plumbing" rather than "data". Teams that would never expose a database review an event stream less carefully, even though the stream often carries the same records in motion. And unlike some services, the namespace firewall lives in a separate networkRuleSets child resource that many templates never define, so there is frequently no IP restriction layered on top of the open endpoint either.

Closing it means setting publicNetworkAccess to Disabled and reaching the namespace over a private endpoint (supported on the Standard tier and above), or at minimum constraining the endpoint with network rules.

What it costs / blast radius

The blast radius is every event hub in the namespace. An attacker who obtains any working credential, a SAS key in a connection string, a leaked Kafka password (which for Event Hubs is usually the connection string itself), can read the live stream, replay retained events, or inject forged ones that downstream consumers process as real. Because the endpoint is public, that credential works from anywhere on earth, not just from inside your network. A public endpoint also invites credential-stuffing and enumeration traffic that a private namespace simply never sees. (Authored assessment of Azure behavior, not a measured statistic.)

See it

Footgun: the default — the namespace answers on the public internet
resource ehns 'Microsoft.EventHub/namespaces@2024-01-01' = {
  name: 'ehns-telemetry-prod'
  location: location
  sku: { name: 'Standard', tier: 'Standard' }
  properties: {
    publicNetworkAccess: 'Enabled'  // any internet address can connect
  }
}
Fix: disable public access and reach the namespace over Private Link
resource ehns 'Microsoft.EventHub/namespaces@2024-01-01' = {
  name: 'ehns-telemetry-prod'
  location: location
  sku: { name: 'Standard', tier: 'Standard' }  // Private Link needs Standard or above
  properties: {
    publicNetworkAccess: 'Disabled'  // only private endpoints reach it
  }
}

// Then connect producers and consumers through a private endpoint
// (Microsoft.Network/privateEndpoints targeting the namespace) so
// traffic stays on your VNet instead of the public internet.

How StratoLens helps

StratoLens flags every Event Hubs namespace that still allows public network access, automatically and continuously, across all your subscriptions and inside your own tenant. Instead of auditing namespaces one portal blade at a time, you get a standing list of the event streams still sitting at the internet edge.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.