Table: azure_servicebus_namespace - Query Azure Service Bus Namespaces using SQL
Azure Service Bus is a fully managed enterprise integration message broker. Service Bus can decouple applications and services. Service Bus offers secure and reliable message delivery.
Table Usage Guide
The azure_servicebus_namespace table provides insights into namespaces within Azure Service Bus. As a DevOps engineer, explore namespace-specific details through this table, including active message count, scheduled message count, and transfer message count. Utilize it to uncover information about namespaces, such as their status, SKU, and properties.
Examples
Basic info
Explore the status and tier level of your Azure Service Bus namespaces to assess their setup and monitor their creation time. This helps in managing resources and understanding their distribution across different tiers.
    select
      name,
      id,
      sku_tier,
      provisioning_state,
      created_at
    from
      azure_servicebus_namespace;
List premium namespaces
Analyze the settings to understand the distribution of premium-tier service bus namespaces across different regions in your Azure environment. This can help optimize resource allocation and cost management.
    select
      name,
      sku_tier,
      region
    from
      azure_servicebus_namespace
    where
      sku_tier = 'Premium';
List unencrypted namespaces
Analyze the settings to understand the premium Azure Service Bus namespaces that lack encryption. This can be useful for identifying potential security risks and ensuring data protection standards are met.
    select
      name,
      sku_tier,
      encryption
    from
      azure_servicebus_namespace
    where
      sku_tier = 'Premium'
      and encryption is null;
List namespaces not using a virtual network service endpoint
Determine the areas in your Azure service bus setup where premium tier namespaces are not utilizing a virtual network service endpoint. This can be useful to improve security by ensuring all communication within your service bus happens over your virtual network.
Postgres:

    select
      name,
      region,
      network_rule_set -> 'properties' -> 'virtualNetworkRules' as virtual_network_rules
    from
      azure_servicebus_namespace
    where
      sku_tier = 'Premium'
      and (
        jsonb_array_length(network_rule_set -> 'properties' -> 'virtualNetworkRules') = 0
        or exists (
          select
            *
          from
            jsonb_array_elements(network_rule_set -> 'properties' -> 'virtualNetworkRules') as t
          where
            t -> 'subnet' ->> 'id' is null
        )
      );

SQLite:

    select
      name,
      region,
      json_extract(network_rule_set, '$.properties.virtualNetworkRules') as virtual_network_rules
    from
      azure_servicebus_namespace
    where
      sku_tier = 'Premium'
      and (
        json_array_length(json_extract(network_rule_set, '$.properties.virtualNetworkRules')) = 0
        or exists (
          select
            1
          from
            json_each(json_extract(network_rule_set, '$.properties.virtualNetworkRules')) as t
          where
            json_extract(t.value, '$.subnet.id') is null
        )
      );
List private endpoint connection details
Explore the details of private endpoint connections in Azure Service Bus Namespace to understand their provisioning state and connection types. This is useful for assessing the security and configuration of your cloud resources.
Postgres:

    select
      name,
      id,
      connections ->> 'id' as connection_id,
      connections ->> 'name' as connection_name,
      connections ->> 'privateEndpointPropertyID' as property_private_endpoint_id,
      connections ->> 'provisioningState' as property_provisioning_state,
      jsonb_pretty(connections -> 'privateLinkServiceConnectionState') as property_private_link_service_connection_state,
      connections ->> 'type' as connection_type
    from
      azure_servicebus_namespace,
      jsonb_array_elements(private_endpoint_connections) as connections;

SQLite:

    select
      name,
      n.id,
      json_extract(connections.value, '$.id') as connection_id,
      json_extract(connections.value, '$.name') as connection_name,
      json_extract(connections.value, '$.privateEndpointPropertyID') as property_private_endpoint_id,
      json_extract(connections.value, '$.provisioningState') as property_provisioning_state,
      json_extract(connections.value, '$.privateLinkServiceConnectionState') as property_private_link_service_connection_state,
      json_extract(connections.value, '$.type') as connection_type
    from
      azure_servicebus_namespace as n,
      json_each(private_endpoint_connections) as connections;
List encryption details
Determine the encryption specifications of your Azure Service Bus namespaces. This can provide insights into your security configurations, helping you understand if your data is properly secured and whether infrastructure encryption is required.
Postgres:

    select
      name,
      id,
      encryption ->> 'keySource' as key_source,
      jsonb_pretty(encryption -> 'keyVaultProperties') as key_vault_properties,
      encryption -> 'requireInfrastructureEncryption' as require_infrastructure_encryption
    from
      azure_servicebus_namespace;

SQLite:

    select
      name,
      id,
      json_extract(encryption, '$.keySource') as key_source,
      json_extract(encryption, '$.keyVaultProperties') as key_vault_properties,
      json_extract(encryption, '$.requireInfrastructureEncryption') as require_infrastructure_encryption
    from
      azure_servicebus_namespace;
Get authorization rules of namespaces
An Azure Service Bus Authorization Rule is a security feature that defines the set of permissions assigned to a user or application for accessing and performing operations within a Service Bus namespace or on specific entities like queues, topics, and subscriptions. These rules manage who can send, receive, and manage messages. They play a crucial role in controlling access and ensuring secure operations within the Azure Service Bus environment. Each rule can grant different levels of access, ranging from listening to messages, sending messages, or managing the entity.
Postgres:

    select
      name,
      r ->> 'name' as rule_name,
      r ->> 'id' as rule_id,
      r ->> 'type' as rule_type,
      r ->> 'properties' as rule_properties
    from
      azure_servicebus_namespace as n,
      jsonb_array_elements(authorization_rules) as r;

SQLite:

    select
      name,
      json_extract(r.value, '$.name') as rule_name,
      json_extract(r.value, '$.id') as rule_id,
      json_extract(r.value, '$.type') as rule_type,
      json_extract(r.value, '$.properties') as rule_properties
    from
      azure_servicebus_namespace as n,
      json_each(n.authorization_rules) as r;
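An added example (not part of the original Steampipe documentation), in Postgres syntax: it lists authorization rules that grant Manage on namespaces where SAS (local) authentication has not been disabled, combining authorization_rules with the disable_local_auth column from the schema. It assumes each rule's properties object carries a rights array as in the Azure API, and that RootManageSharedAccessKey is the default namespace-level rule.

```sql
-- Added example: Manage-capable SAS rules on namespaces that still accept SAS.
-- Assumption: properties.rights is a JSON array of strings such as
-- "Listen", "Send" and "Manage".
select
  n.name as namespace,
  n.resource_group,
  r ->> 'name' as rule_name,
  r -> 'properties' -> 'rights' as rights,
  -- Assumption: this is the rule Azure creates by default with every namespace.
  (r ->> 'name' = 'RootManageSharedAccessKey') as is_default_rule
from
  azure_servicebus_namespace as n,
  jsonb_array_elements(n.authorization_rules) as r
where
  -- jsonb "?" is true when the string is an element of the array.
  r -> 'properties' -> 'rights' ? 'Manage'
  -- A null disable_local_auth is treated as "SAS still enabled".
  and not coalesce(n.disable_local_auth, false)
order by
  namespace,
  is_default_rule,
  rule_name;
```

Rows where is_default_rule is false are the ones to review first: they are additional namespace-wide Manage keys created after the namespace was provisioned.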
Control examples
- Service bus namespace should be configured with Azure Active Directory (Azure AD) authentication
- Service bus namespace should not be configured with overly permissive network access
- Service Bus should use virtual service endpoint
- Azure Service Bus namespaces should use private link
- Resource logs in Service Bus should be enabled
- Service Bus Premium namespaces should use a customer-managed key for encryption
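An added example (not part of the original Steampipe documentation or of the controls listed above), in Postgres syntax: a single per-namespace summary that approximates four of these controls using only columns from this table. The mapping of each control to a column is an assumption made here, not the controls' own logic.

```sql
-- Added example: one row per namespace, one boolean per finding.
select
  name,
  resource_group,
  region,
  sku_tier,
  -- Azure AD authentication control: SAS (local) auth has not been disabled.
  not coalesce(disable_local_auth, false) as sas_auth_enabled,
  -- Customer-managed key control: same test as the page's
  -- "List unencrypted namespaces" query.
  (sku_tier = 'Premium' and encryption is null) as premium_without_cmk,
  -- Private link control: no private endpoint connection recorded.
  (
    jsonb_typeof(private_endpoint_connections) is distinct from 'array'
    or private_endpoint_connections = '[]'::jsonb
  ) as no_private_endpoint,
  -- Resource logs control (approximation): no diagnostic setting at all.
  (
    jsonb_typeof(diagnostic_settings) is distinct from 'array'
    or diagnostic_settings = '[]'::jsonb
  ) as no_diagnostic_settings
from
  azure_servicebus_namespace
order by
  name;
```

The jsonb_typeof checks treat a SQL null, a JSON null and an empty array the same way, so a missing value counts as a finding rather than raising an error.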
Schema for azure_servicebus_namespace
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
authorization_rules | jsonb | | The authorization rules for a namespace. |
cloud_environment | text | | The Azure Cloud Environment. |
created_at | timestamp with time zone | | The time the namespace was created. |
diagnostic_settings | jsonb | | A list of active diagnostic settings for the servicebus namespace. |
disable_local_auth | boolean | | This property disables SAS authentication for the Service Bus namespace. |
encryption | jsonb | | Specifies the properties of BYOK encryption configuration. Customer-managed key encryption at rest (Bring Your Own Key) is only available on Premium namespaces. |
id | text | | The unique id identifying the resource in subscription. |
metric_id | text | | The identifier for Azure insights metrics. |
name | text | = | The name of the resource. |
network_rule_set | jsonb | | Describes the network rule set for specified namespace. The ServiceBus Namespace must be Premium in order to attach a ServiceBus Namespace Network Rule Set. |
private_endpoint_connections | jsonb | | The private endpoint connections of the namespace. |
provisioning_state | text | | The provisioning state of the namespace. |
region | text | | The Azure region/location in which the resource is located. |
resource_group | text | = | The resource group which holds this resource. |
servicebus_endpoint | text | | Specifies the endpoint used to perform Service Bus operations. |
sku_capacity | bigint | | The specified messaging units for the tier. For Premium tier, valid capacities are 1, 2 and 4. |
sku_name | text | | Name of this SKU. Valid values are: 'Basic', 'Standard', 'Premium'. |
sku_tier | text | | The billing tier of this particular SKU. Valid values are: 'Basic', 'Standard', 'Premium'. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
status | text | | Status of the namespace. |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
type | text | | The type of the resource. |
updated_at | timestamp with time zone | | The time the namespace was updated. |
zone_redundant | boolean | | Enabling this property creates a Premium Service Bus Namespace in regions that support availability zones. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

    /bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

    steampipe_export_azure --config '<your_config>' azure_servicebus_namespace