Bots Secured Behind a Firewall & Teams 

Contacts: Daniel Evans, CK Kashyap, Mark Franco

Goal 

Host the bot behind a firewall and allow conversations with the bot through Teams. The implication of "bot behind a firewall" is that network connectivity to and from the bot is restricted to only the necessary machines (IP addresses).

The reference network architecture below illustrates how a bot may be run inside a Virtual Network (VNET) that allows traffic only to and from a set of IP addresses that belong to Microsoft Teams and Azure Bot Service (ABS). The egress traffic restrictions are set by the network rules in the firewall, and the ingress traffic restrictions are set using the Network Security Group (NSG) rules of the App Gateway.

Figure: VNET reference network architecture

Restricting Egress

Instructions to set up the ASE so that egress traffic is routed through the firewall are here. Set the firewall to restrict traffic only to Teams and ABS by adding the following rules in a Network Rule Collection (Rules -> Network Rule Collection):

  1. IP Address rule – allow traffic from the subnet of the ASE to 52.112.0.0/14
  2. FQDN rule – allow traffic from the subnet of the ASE to login.microsoftonline.com
  3. FQDN rule – allow traffic from the subnet of the ASE to login.botframework.com

Figure: restrict egress rules

Restricting Ingress 

Restrict ingress traffic to Teams by adding an inbound security rule to the NSG associated with the subnet of the App Gateway. As shown in the snapshot below, inbound traffic is allowed only from 52.112.0.0/14 to the subnet of the ASE.

Figure: restrict ingress rules
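Once the egress and ingress rules above are in place, the thing worth verifying is that nothing broader slipped in alongside them (a `*` source, a `0.0.0.0/0` destination, an `Internet` service tag). The following is an added example, not code from this page or from Microsoft: a small Python check, using only the standard library, that walks a firewall network-rule collection and an NSG rule list and reports every allow rule that is wider than the three egress rules and the single ingress rule described above. The rule dictionaries are a constructed, simplified shape rather than the exact Azure export schema, and the ASE subnet `10.0.1.0/24` is a placeholder you would replace with your own.

```python
import ipaddress

# Values the page specifies: the Teams range and the two login FQDNs.
TEAMS_RANGE = ipaddress.ip_network("52.112.0.0/14")
ALLOWED_FQDNS = {"login.microsoftonline.com", "login.botframework.com"}
# Assumed ASE subnet (placeholder, not from the page); substitute your own.
ASE_SUBNET = ipaddress.ip_network("10.0.1.0/24")


def _contained(prefix, allowed):
    """True only if `prefix` parses as an IP/CIDR lying entirely inside `allowed`.
    Wildcards ('*', 'Internet', service tags) deliberately fail: they are broader."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    return net.version == allowed.version and net.subnet_of(allowed)


def check_egress(rules):
    """Findings for a firewall network-rule collection. Each rule is a dict with
    'name', 'source_addresses' and either 'destination_addresses' or
    'destination_fqdns' (constructed shape, simplified from the Azure export).
    Azure Firewall denies by default, so checking every allow rule is narrow is enough."""
    findings = []
    for r in rules:
        for src in r.get("source_addresses", []):
            if not _contained(src, ASE_SUBNET):
                findings.append(f"{r['name']}: source {src} is not within the ASE subnet")
        for dst in r.get("destination_addresses", []):
            if not _contained(dst, TEAMS_RANGE):
                findings.append(f"{r['name']}: destination {dst} is outside {TEAMS_RANGE}")
        for fqdn in r.get("destination_fqdns", []):
            if fqdn.lower() not in ALLOWED_FQDNS:
                findings.append(f"{r['name']}: FQDN {fqdn} is not an allowed Teams/ABS endpoint")
    return findings


def check_ingress(nsg_rules):
    """Findings for NSG rules: every inbound Allow must come from the Teams range
    and target the ASE subnet. Deny rules and outbound rules are not flagged."""
    findings = []
    for r in nsg_rules:
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        for src in r.get("source_address_prefixes", []):
            if not _contained(src, TEAMS_RANGE):
                findings.append(f"{r['name']}: inbound source {src} is broader than {TEAMS_RANGE}")
        for dst in r.get("destination_address_prefixes", []):
            if not _contained(dst, ASE_SUBNET):
                findings.append(f"{r['name']}: inbound destination {dst} is not the ASE subnet")
    return findings


# Constructed sample rule sets: the first pair mirrors the page's three egress rules
# and one inbound rule; the second pair contains the mistakes a review should catch.
COMPLIANT_EGRESS = [
    {"name": "teams-ip", "source_addresses": ["10.0.1.0/24"], "destination_addresses": ["52.112.0.0/14"]},
    {"name": "aad-login", "source_addresses": ["10.0.1.0/24"], "destination_fqdns": ["login.microsoftonline.com"]},
    {"name": "abs-login", "source_addresses": ["10.0.1.0/24"], "destination_fqdns": ["login.botframework.com"]},
]
COMPLIANT_INGRESS = [
    {"name": "allow-teams", "direction": "Inbound", "access": "Allow",
     "source_address_prefixes": ["52.112.0.0/14"], "destination_address_prefixes": ["10.0.1.0/24"]},
]
BROAD_EGRESS = [
    {"name": "any-out", "source_addresses": ["*"], "destination_addresses": ["0.0.0.0/0"]},
    {"name": "extra-fqdn", "source_addresses": ["10.0.1.0/24"], "destination_fqdns": ["example.com"]},
]
BROAD_INGRESS = [
    {"name": "allow-internet", "direction": "Inbound", "access": "Allow",
     "source_address_prefixes": ["Internet"], "destination_address_prefixes": ["10.0.1.0/24"]},
]

if __name__ == "__main__":
    for label, findings in (("egress", check_egress(BROAD_EGRESS)),
                            ("ingress", check_ingress(BROAD_INGRESS))):
        for line in findings:
            print(f"[{label}] {line}")
```

The compliant sets produce no findings; the broad sets produce one finding per over-wide source, destination or FQDN. To use it against a real deployment, map the exported rule JSON onto the dictionary keys above. The allowed values are the ones this page gives; Microsoft publishes and periodically updates its service IP ranges, so the range constant should be re-checked against that list rather than treated as permanent.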