[azure-eventhub] Support for AMQP-over-WebSocket transport in the processor v2 (#47956)

zmoog · web-flow · commit af5d23e75f47 · 2025-12-17T00:03:41.000Z
Support for AMQP-over-WebSocket transport in the azure-eventhub processor v2.

Enterprise users often need to comply with network restrictions, which means using AMQP may not be an option.

In addition to AMQP-over-WebSocket support, this change allows users to run the azure-eventhub input behind an HTTPS proxy.
diff --git a/NOTICE.txt b/NOTICE.txt
@@ -8162,6 +8162,29 @@ Contents of probable licence file $GOMODCACHE/github.com/cloudfoundry/sonde-go@v
    END OF TERMS AND CONDITIONS
 
 
+--------------------------------------------------------------------------------
+Dependency : github.com/coder/websocket
+Version: v1.8.14
+Licence type (autodetected): ISC
+--------------------------------------------------------------------------------
+
+Contents of probable licence file $GOMODCACHE/github.com/coder/websocket@v1.8.14/LICENSE.txt:
+
+Copyright (c) 2025 Coder
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+
 --------------------------------------------------------------------------------
 Dependency : github.com/containerd/fifo
 Version: v1.1.0
@@ -36851,11 +36874,11 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go
 
 --------------------------------------------------------------------------------
 Dependency : github.com/Azure/go-amqp
-Version: v1.3.0
+Version: v1.4.0
 Licence type (autodetected): MIT
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/!azure/go-amqp@v1.3.0/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/!azure/go-amqp@v1.4.0/LICENSE:
 
     MIT License
 
@@ -45264,29 +45287,6 @@ IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 
---------------------------------------------------------------------------------
-Dependency : github.com/coder/websocket
-Version: v1.8.12
-Licence type (autodetected): ISC
---------------------------------------------------------------------------------
-
-Contents of probable licence file $GOMODCACHE/github.com/coder/websocket@v1.8.12/LICENSE.txt:
-
-Copyright (c) 2023 Anmol Sethi <hi@nhooyr.io>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
 --------------------------------------------------------------------------------
 Dependency : github.com/containerd/containerd/v2
 Version: v2.1.0
diff --git a/changelog/fragments/1765280088-azure-eventhub-v2-add-support-for-amqp-over-websocket-and-https-proxy.yaml b/changelog/fragments/1765280088-azure-eventhub-v2-add-support-for-amqp-over-websocket-and-https-proxy.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: azure-eventhub-v2-add-support-for-amqp-over-websocket-and-https-proxy
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: filebeat
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/beats/pull/47956
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/beats/issues/47823
diff --git a/go.mod b/go.mod
@@ -233,6 +233,7 @@ require (
 require (
 	github.com/apache/arrow-go/v18 v18.4.1
 	github.com/cilium/ebpf v0.19.0
+	github.com/coder/websocket v1.8.14
 	github.com/elastic/gokrb5/v8 v8.0.0-20251105095404-23cc45e6a102
 	github.com/forensicanalysis/fslib v0.15.2
 	github.com/mattn/go-sqlite3 v1.14.32
@@ -280,7 +281,7 @@ require (
 	github.com/Azure/azure-amqp-common-go/v4 v4.2.0 // indirect
 	github.com/Azure/azure-pipeline-go v0.2.3 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
-	github.com/Azure/go-amqp v1.3.0 // indirect
+	github.com/Azure/go-amqp v1.4.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
 	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
diff --git a/go.sum b/go.sum
@@ -94,8 +94,8 @@ github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.0 h1:UXT0o77lXQrikd1kg
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.0/go.mod h1:cTvi54pg19DoT07ekoeMgE/taAwNtCShVeZqA+Iv2xI=
 github.com/Azure/azure-storage-blob-go v0.15.0 h1:rXtgp8tN1p29GvpGgfJetavIG0V7OgcSXPpwp3tx6qk=
 github.com/Azure/azure-storage-blob-go v0.15.0/go.mod h1:vbjsVbX0dlxnRc4FFMPsS9BsJWPcne7GB7onqlPvz58=
-github.com/Azure/go-amqp v1.3.0 h1://1rikYhoIQNXJFXyoO/Rlb4+4EkHYfJceNtLlys2/4=
-github.com/Azure/go-amqp v1.3.0/go.mod h1:vZAogwdrkbyK3Mla8m/CxSc/aKdnTZ4IbPxl51Y5WZE=
+github.com/Azure/go-amqp v1.4.0 h1:Xj3caqi4comOF/L1Uc5iuBxR/pB6KumejC01YQOqOR4=
+github.com/Azure/go-amqp v1.4.0/go.mod h1:vZAogwdrkbyK3Mla8m/CxSc/aKdnTZ4IbPxl51Y5WZE=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
@@ -291,8 +291,8 @@ github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q=
 github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM=
-github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
-github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
+github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
 github.com/containerd/containerd/v2 v2.1.0 h1:lS6iJ/CwZrxYxKd6zWBz5LR7xOlMVQC78z68YtizUAM=
 github.com/containerd/containerd/v2 v2.1.0/go.mod h1:t2VqM0zSiEdi33qgtsMwUKrYyVg4oq2FPe+cs3LBt7w=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
diff --git a/x-pack/filebeat/input/azureeventhub/auth.go b/x-pack/filebeat/input/azureeventhub/auth.go
@@ -44,6 +44,23 @@ func createCredential(cfg *azureInputConfig, log *logp.Logger) (azcore.TokenCred
 // CreateEventHubConsumerClient creates an Event Hub consumer client
 // using the configured authentication method from the provided config.
 func CreateEventHubConsumerClient(cfg *azureInputConfig, log *logp.Logger) (*azeventhubs.ConsumerClient, error) {
+	// Create the consumer client options
+	options := azeventhubs.ConsumerClientOptions{}
+
+	// Set up the transport
+	switch cfg.Transport {
+	case transportWebsocket:
+		// Enable WebSocket transport if configured.
+		// This allows connectivity through HTTP proxies and firewalls
+		// that block AMQP port 5671 but allow HTTPS on port 443.
+		log.Infow("using AMQP-over-WebSocket transport for Event Hub connection")
+		options.NewWebSocketConn = newWebSocketConn
+	default:
+		// Default transport, nothing to do.
+		log.Infow("using AMQP transport for Event Hub connection")
+	}
+
+	// Set up the consumer client based on the authentication type
 	switch cfg.AuthType {
 	case AuthTypeConnectionString:
 		// Use connection string authentication for Event Hub
@@ -79,7 +96,7 @@ func CreateEventHubConsumerClient(cfg *azureInputConfig, log *logp.Logger) (*aze
 			cfg.ConnectionString,
 			eventHubName,
 			cfg.ConsumerGroup,
-			nil,
+			&options,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create consumer client from connection string: %w", err)
@@ -100,7 +117,7 @@ func CreateEventHubConsumerClient(cfg *azureInputConfig, log *logp.Logger) (*aze
 			cfg.EventHubName,
 			cfg.ConsumerGroup,
 			credential,
-			nil,
+			&options,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create consumer client with credential: %w", err)
diff --git a/x-pack/filebeat/input/azureeventhub/config.go b/x-pack/filebeat/input/azureeventhub/config.go
@@ -125,6 +125,10 @@ type azureInputConfig struct {
 	// for at least `PartitionReceiveCount` events, then it returns
 	// the events it has received.
 	PartitionReceiveCount int `config:"partition_receive_count"`
+	// Transport controls the transport type to use for the event hub connection.
+	// Possible values are "amqp" (default) and "websocket".
+	// Use "websocket" when connecting through HTTP proxies or when port 5671 is blocked.
+	Transport string `config:"transport"`
 }
 
 func defaultConfig() azureInputConfig {
@@ -147,6 +151,8 @@ func defaultConfig() azureInputConfig {
 		// Default is true to avoid reprocessing data from the start of the retention
 		// when v2 replaces v1.
 		MigrateCheckpoint: true,
+		// Default transport is AMQP for backward compatibility.
+		Transport: transportAmqp,
 	}
 }
 
@@ -159,6 +165,11 @@ func (conf *azureInputConfig) Validate() error {
 		conf.AuthType = AuthTypeConnectionString
 	}
 
+	// Validate event hub transport option
+	if err := conf.validateEventHubTransport(); err != nil {
+		return err
+	}
+
 	// Validate the processor version first to ensure it's valid
 	if err := conf.validateProcessorVersion(); err != nil {
 		return err
@@ -192,6 +203,20 @@ func (conf *azureInputConfig) Validate() error {
 	return nil
 }
 
+// validateEventHubTransport validates the event hub transport option.
+func (conf *azureInputConfig) validateEventHubTransport() error {
+	// Validate transport option
+	if conf.Transport != transportAmqp && conf.Transport != transportWebsocket {
+		return fmt.Errorf(
+			"invalid event hub transport: %s (available transports: %s, %s)",
+			conf.Transport,
+			transportAmqp,
+			transportWebsocket,
+		)
+	}
+	return nil
+}
+
 // validateProcessorVersion validates that the processor version is valid.
 func (conf *azureInputConfig) validateProcessorVersion() error {
 	if conf.ProcessorVersion != processorV1 && conf.ProcessorVersion != processorV2 {
diff --git a/x-pack/filebeat/input/azureeventhub/v2_input.go b/x-pack/filebeat/input/azureeventhub/v2_input.go
@@ -10,9 +10,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"strings"
 	"time"
 
+	"github.com/coder/websocket"
+
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/messaging/azeventhubs"
@@ -43,6 +46,10 @@ const (
 	// processorRestartMaxBackoff is the maximum backoff time before
 	// restarting the processor.
 	processorRestartMaxBackoff = 120 * time.Second
+	// AMQP transport for Event Hub connection.
+	transportAmqp = "amqp"
+	// WebSocket transport for Event Hub connection.
+	transportWebsocket = "websocket"
 )
 
 // azureInputConfig the Azure Event Hub input v2,
@@ -619,3 +626,26 @@ func shutdownPartitionResources(ctx context.Context, partitionClient *azeventhub
 	// processing events for this partition.
 	defer pipelineClient.Close()
 }
+
+// newWebSocketConn creates a WebSocket connection for AMQP-over-WebSocket transport.
+//
+// This function is used when the transport configuration is set to "websocket".
+// It enables connectivity through HTTP proxies and firewalls that block the
+// standard AMQP port (5671) but allow HTTPS traffic on port 443.
+//
+// HTTP proxy configuration is automatically detected from environment variables:
+// - HTTP_PROXY / http_proxy
+// - HTTPS_PROXY / https_proxy
+// - NO_PROXY / no_proxy
+func newWebSocketConn(ctx context.Context, args azeventhubs.WebSocketConnParams) (net.Conn, error) {
+	opts := &websocket.DialOptions{
+		Subprotocols: []string{"amqp"},
+	}
+
+	wssConn, _, err := websocket.Dial(ctx, args.Host, opts)
+	if err != nil {
+		return nil, err
+	}
+
+	return websocket.NetConn(ctx, wssConn, websocket.MessageBinary), nil
+}
