Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0088

A SignalR or Web PubSub service with public network access enabled takes realtime connections from anywhere

The realtime channel pushing live data to your users' browsers accepts connections from any internet address. Access keys and tokens are the whole boundary, and the default is Enabled.

Footgun ID
AZF-0088 (Azure Footgun No. 88)
Azure service
Azure SignalR Service / Web PubSub
Resource type
Microsoft.SignalRService/signalR
Updated
July 9, 2026

What it is

An Azure SignalR Service or Web PubSub resource whose publicNetworkAccess is Enabled, which is also the default when the property is never set. Both services share the same property and the same trap: the endpoint that fans live messages out to your users, and takes upstream messages back in, is reachable from any network on the internet, with access keys and connection tokens as the only boundary.

Impact (security)
The realtime message plane reachable from any network, gated only by access keys and tokens
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Realtime services get treated as plumbing. The app server holds the connection string, clients negotiate tokens through it, everything works on day one, and the networking tab never gets a second look. Because SignalR and Web PubSub sit behind the application rather than in front of it, they rarely appear on the same review checklist as databases and storage, even though the same access key that lets your server negotiate clients also lets anyone holding it connect directly.

The configuration surface adds its own quirk: when public access is Enabled, the service's network ACLs still apply, but the default ACL allows the traffic, so an untouched resource is open by default. Only publicNetworkAccess: 'Disabled' shuts the public path unconditionally, regardless of what the ACLs say, and nothing in Azure nudges you toward flipping it.

What it costs / blast radius

The blast radius is the live message plane. A leaked access key, and connection strings for these services travel through app settings, CI variables, and server configs like any other, lets an outsider mint client tokens, join hubs and groups, listen to whatever your application broadcasts (notifications, dashboards, chat, presence, live business data), and push messages that your clients will trust as coming from you. Serverless upstream patterns extend that reach into whatever handles the inbound events. The direct cost is minor; the harm is eavesdropping on and injecting into your realtime traffic. (Authored assessment of Azure's behavior, not a measured statistic.)

See it

Footgun: the realtime endpoint is public (and Enabled is the default)
resource signalr 'Microsoft.SignalRService/signalR@2023-02-01' = {
  name: 'corp-signalr'
  location: location
  sku: { name: 'Standard_S1', capacity: 1 }
  properties: {
    publicNetworkAccess: 'Enabled'   // the default even if you never set it
  }
}
Fix: disable public access; the same property fixes Web PubSub too
// Identical property on Microsoft.SignalRService/webPubSub resources.
resource signalr 'Microsoft.SignalRService/signalR@2023-02-01' = {
  name: 'corp-signalr'
  location: location
  sku: { name: 'Standard_S1', capacity: 1 }
  properties: {
    publicNetworkAccess: 'Disabled'  // overrides all network ACLs; Private Link only
  }
}

How StratoLens helps

StratoLens checks every SignalR and Web PubSub resource across every subscription for a public endpoint and flags the ones still open, continuously, inside your own tenant. The realtime service wired up two years ago for a feature nobody owns anymore surfaces on the same report as everything else, so it finally gets the review it skipped.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.