title: Azure IoT Hub IP connection filters | Microsoft Docs
description: How to use IP filtering to block connections from specific IP addresses to your Azure IoT hub. You can block connections from individual or ranges of IP addresses.
author: rezasherafat
ms.service: iot-hub
services: iot-hub
ms.topic: conceptual
ms.date: 05/23/2017
ms.author: rezas
Security is an important aspect of any IoT solution based on Azure IoT Hub. Sometimes you need to explicitly specify the IP addresses from which devices can connect as part of your security configuration. The IP filter feature enables you to configure rules for rejecting or accepting traffic from specific IPv4 addresses.
There are two specific use cases in which it is useful to block the IoT Hub endpoints for certain IP addresses:
- Your IoT hub should receive traffic only from a specified range of IP addresses and reject everything else. For example, you are using your IoT hub with Azure ExpressRoute to create private connections between an IoT hub and your on-premises infrastructure.
- You need to reject traffic from IP addresses that have been identified as suspicious by the IoT hub administrator.
The IP filter rules are applied at the IoT Hub service level. Therefore the IP filter rules apply to all connections from devices and back-end apps using any supported protocol.
Any connection attempt from an IP address that matches a rejecting IP rule in your IoT hub receives an unauthorized 401 status code and description. The response message does not mention the IP rule.
By default, the IP Filter grid in the portal for an IoT hub is empty. This default setting means that your hub accepts connections from any IP address. This default setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.
When you add an IP filter rule, you are prompted for the following values:
- An IP filter rule name that must be a unique, case-insensitive, alphanumeric string up to 128 characters long. Only the ASCII 7-bit alphanumeric characters plus {'-', ':', '/', '\', '.', '+', '%', '_', '#', '*', '?', '!', '(', ')', ',', '=', '@', ';', '''} are accepted.
- Select reject or accept as the action for the IP filter rule.
- Provide a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.
After you save the rule, you see an alert notifying you that the update is in progress.
The Add option is disabled when you reach the maximum of 10 IP filter rules.
You can edit an existing rule by double-clicking the row that contains the rule.
Note
Rejecting IP addresses can prevent other Azure Services (such as Azure Stream Analytics, Azure Virtual Machines, or the Device Explorer in the portal) from interacting with the IoT hub.
Warning
If you use Azure Stream Analytics (ASA) to read messages from an IoT hub with IP filtering enabled, use the Event Hub-compatible name and endpoint of your IoT Hub in the ASA connection string.
To delete an IP filter rule, select one or more rules in the grid and click Delete.
IP filter rules are applied in order and the first rule that matches the IP address determines the accept or reject action.
For example, if you want to accept addresses in the range 192.168.100.0/22 and reject everything else, the first rule in the grid should accept the address range 192.168.100.0/22. The next rule should reject all addresses by using the range 0.0.0.0/0.
You can change the order of your IP filter rules in the grid by clicking the three vertical dots at the start of a row and using drag and drop.
To save your new IP filter rule order, click Save.
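The first-match ordering described above can be checked offline before you save a rule order. The following is an added example, not part of the original page or Microsoft's code. The rule names are hypothetical, and treating an address that matches no rule as accepted is an assumption carried over from the empty-grid default.

```python
import ipaddress

MAX_RULES = 10  # the page's limit on IP filter rules per hub

def evaluate(rules, source_ip):
    """Return (action, rule_name) for source_ip; rules are checked in grid order.

    rules: list of (name, action, ipv4_or_cidr) tuples; the first match decides.
    """
    if len(rules) > MAX_RULES:
        raise ValueError("at most 10 IP filter rules are allowed")
    addr = ipaddress.IPv4Address(source_ip)
    for name, action, mask in rules:
        if action not in ("accept", "reject"):
            raise ValueError(f"rule {name!r}: unknown action {action!r}")
        # This example refuses masks with host bits set (its own choice,
        # not a documented service behaviour).
        network = ipaddress.IPv4Network(mask, strict=True)
        if addr in network:
            return action, name
    # Assumption: no matching rule means accept, as with the empty default grid.
    return "accept", None

def shadowed_rules(rules):
    """Names of rules that can never match because one earlier rule
    already covers their whole range."""
    seen, dead = [], []
    for name, _action, mask in rules:
        net = ipaddress.IPv4Network(mask, strict=True)
        if any(net.subnet_of(earlier) for earlier in seen):
            dead.append(name)
        seen.append(net)
    return dead

# Constructed rule sets based on the page's accept-then-reject example.
CORRECT = [("allow-onprem", "accept", "192.168.100.0/22"),
           ("deny-all", "reject", "0.0.0.0/0")]
MISORDERED = [CORRECT[1], CORRECT[0]]  # reject-all placed first

if __name__ == "__main__":
    for ip in ("192.168.103.255", "192.168.104.1"):
        print(ip, evaluate(CORRECT, ip), evaluate(MISORDERED, ip))
    print("shadowed:", shadowed_rules(MISORDERED))
```

With the reject-all rule placed first, every address is rejected and the accept rule is reported as shadowed, which is the misconfiguration the ordering requirement guards against.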