Contacts: Daniel Evans, CK Kashyap, Mark Franco
Goal
Host a bot behind a firewall and allow conversations with it from Microsoft Teams. "Bot behind a firewall" here means that network connectivity to and from the bot is restricted to only the necessary machines (IP addresses).
The reference network architecture below illustrates how a bot may run inside a Virtual Network (VNet) that allows traffic only to and from a set of IP addresses belonging to Microsoft Teams and Azure Bot Service (ABS). Egress is restricted by the network rules of the firewall; ingress is restricted by the Network Security Group (NSG) rules on the subnet of the Application Gateway (App GW) that fronts the App Service Environment (ASE).
Restricting Egress
Instructions for setting up the ASE so that its egress traffic is routed through the firewall are here. Configure the firewall to allow traffic only to Teams and ABS by adding the following rules to a Network Rule Collection (Rules -> Network Rule Collection). Two caveats: FQDN rules in a network rule collection only work when the firewall's DNS proxy is enabled (otherwise put the FQDN rules in an Application Rule Collection instead), and each rule should be limited to the port the bot actually needs (HTTPS, TCP 443) rather than all ports.
- IP Address rule – allow traffic from the subnet of the ASE to 52.112.0.0/14
- FQDN rule – allow traffic from the subnet of the ASE to login.microsoftonline.com
- FQDN rule – allow traffic from the subnet of the ASE to login.botframework.com
Restricting Ingress
Restrict the ingress traffic to Teams by adding an inbound security rule to the NSG associated with the subnet of the App Gateway. As shown in the snapshot below, only inbound traffic from 52.112.0.0/14 to the App Gateway subnet (which forwards it on to the ASE) is allowed; the NSG's default DenyAllInBound rule drops every other source on the Internet. Keep the infrastructure rules the gateway itself depends on: an Application Gateway v2 subnet must still accept inbound traffic from the GatewayManager service tag on ports 65200-65535 and from AzureLoadBalancer, or the gateway stops functioning.
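The two procedures above (egress rules on the firewall, ingress rule on the App Gateway NSG) expressed as an Azure PowerShell (Az.Network) script. This is an added example, not part of the original page or of any Microsoft sample; the resource group, firewall, NSG and subnet CIDRs are assumed placeholders, and the choice to limit the rules to TCP 443 is a hardening assumption the page does not state.

```powershell
# Added example: configure the egress and ingress restrictions described above
# with Az.Network cmdlets. All names and CIDRs below are assumptions; replace them.
$rg          = "bot-rg"          # assumption: resource group
$fwName      = "bot-fw"          # assumption: Azure Firewall name
$nsgName     = "appgw-nsg"       # assumption: NSG attached to the App Gateway subnet
$aseSubnet   = "10.0.1.0/24"     # assumption: ASE subnet
$appGwSubnet = "10.0.2.0/24"     # assumption: App Gateway subnet
$teamsRange  = "52.112.0.0/14"   # Teams/ABS range named on the page

# Requires an authenticated session: Connect-AzAccount; Set-AzContext -Subscription <id>

# ---------- Egress: Azure Firewall network rule collection ----------
$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg

# FQDN targets in *network* rules are resolved by the firewall's DNS proxy,
# so it must be on; otherwise these rules would have to be application rules.
$fw.DNSEnableProxy = $true

$ipRule = New-AzFirewallNetworkRule -Name "allow-teams-ips" `
    -SourceAddress $aseSubnet -DestinationAddress $teamsRange `
    -DestinationPort 443 -Protocol TCP

$aadLoginRule = New-AzFirewallNetworkRule -Name "allow-aad-login" `
    -SourceAddress $aseSubnet -DestinationFqdn "login.microsoftonline.com" `
    -DestinationPort 443 -Protocol TCP

$bfLoginRule = New-AzFirewallNetworkRule -Name "allow-botframework-login" `
    -SourceAddress $aseSubnet -DestinationFqdn "login.botframework.com" `
    -DestinationPort 443 -Protocol TCP

# One Allow collection holding the three rules; anything else from the ASE
# subnet falls through to the firewall's implicit deny.
$egress = New-AzFirewallNetworkRuleCollection -Name "bot-egress" -Priority 200 `
    -Rule $ipRule, $aadLoginRule, $bfLoginRule -ActionType Allow
$fw.AddNetworkRuleCollection($egress)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# ---------- Ingress: NSG on the App Gateway subnet ----------
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg

# Only the Teams range may reach the gateway's HTTPS listener. Other Internet
# sources are dropped by the default DenyAllInBound (priority 65500) rule.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "allow-teams-inbound" `
    -Direction Inbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix $teamsRange -SourcePortRange "*" `
    -DestinationAddressPrefix $appGwSubnet -DestinationPortRange 443 | Out-Null

# Application Gateway v2 control-plane traffic; without this the gateway
# is unhealthy regardless of the Teams rule.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "allow-gatewaymanager" `
    -Direction Inbound -Access Allow -Priority 110 -Protocol Tcp `
    -SourceAddressPrefix "GatewayManager" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "65200-65535" | Out-Null

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Check: print the inbound rules now in force on the gateway subnet.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Where-Object { $_.Direction -eq "Inbound" } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

The final query is the check a practitioner should run after applying the NSG: the Teams allow rule must sit at a lower priority number than any deny you add later, and the GatewayManager rule must be present before the gateway reports healthy. Because the firewall rule collection is an allow list, confirm from the ASE (for example with a test request from a Kudu console) that a destination outside the three rules is refused, not just that Teams traffic succeeds.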