[Azure docs] Add firewall documentation for azure-eventhub based integrations

[zmoog]

A user running the Azure Logs integration reported that their Agent wasn't able to ingest any data from Microsoft Entra ID.

The agent was running behind a firewall, and they added the rules to allow the AMQP traffic on ports 5671 and 5672.

However, AMQP ports are not enough: the azure-eventhub also access the storage account container service to store checkpoint information for each event hub partition in a blob.

┌────────────────────────────────────────────┐   ┌──────────────────────┐   ┌────────────────────────┐
│                                            │   │                      │   │                        │
│ ┌────────────────┐     ┌─────────────────┐ │   │  ┌────────────────┐  │   │    ┌────────────────┐  │
│ │   diagnostic   │     │    event hub    │ │   │  │ azure-eventhub │  │   │    │ activity logs  │  │
│ │    setting     │────▶│                 │◀┼AMQP──│   <<input>>    │──┼───┼───▶│<<data stream>> │  │
│ └────────────────┘     └─────────────────┘ │   │  └────────────────┘  │   │    └────────────────┘  │
│                                            │   │           │          │   │                        │
│                                            │   │           │          │   │                        │
│                                            │   │           │          │   │                        │
│                ┌─────────────┬─────HTTPS───┼───┼───────────┘          │   │                        │
│     ┌──────────┼─────────────┼─────────┐   │   │                      │   │                        │
│     │          │             │         │   │   │                      │   │                        │
│     │          ▼             ▼         │   │   └─Agent────────────────┘   └─Elastic Cloud──────────┘
│     │    ┌──────────┐  ┌──────────┐    │   │
│     │    │    0     │  │    1     │    │   │
│     │    │ <<blob>> │  │ <<blob>> │    │   │
│     │    └──────────┘  └──────────┘    │   │
│     │                                  │   │
│     │                                  │   │
│     └─Storage Account container────────┘   │
│                                            │
│                                            │
└─Azure──────────────────────────────────────┘

We need to document the firewall setting to allow the azure-eventhub input to successfully connect to the Event Hub and Storage Account services.

### Tasks
- [ ] https://github.com/elastic/integrations/pull/9158

[zmoog]

Here are the required ports.

Event Hub (AMQP protocol):

• 5671
• 5672

The reference docs on the Microsoft side:
https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall

Storage account:

• 443

[willemdh]

That user was me. It would be nice if some error was logged in the Agent logs. We set it to debug but nothing was logged which helped me understand the issue.

[willemdh]

@zmoog URL's which need to be accessible:

*.servicebus.windows.net:5671
*.blob.core.windows.net:443

Also when you nslookup the servicebus URL, you get 3 *.cloudapp.net Url's which Also need to be allowed.

[zmoog]

That user was me. It would be nice if some error was logged in the Agent logs. We set it to debug but nothing was logged which helped me understand the issue.

During our troubleshooting session, we were able to find the error:

error starting the input worker -> github.com/Azure/azure-pipeline-go/pipeline.NewError, github.com/Azure/azure-
pipeline-go@v0.2.1/pipeline/error.go:154\nHTTP request failed\n\nGet "[https://<redacted>.blob.core.windows.net?comp=list&prefix=filebeat-signinlogs-signinlogs&timeout=61](https://<redacted>.blob.core.windows.net/?comp=list&prefix=filebeat-signinlogs-signinlogs&timeout=61)": read tcp <redacted>:48798-><redacted>:443: read: connection reset by peer\n

Ironically, the problem is the debug log level.

The Agent rotates the log files to keep the log size under control. With the "info" log level, the Agent has enough space to keep days worth of logs. However, if you enable the debug log level and some of your components are chatty, the log time windows can shrink to 30 minutes.

The Agent starts and tries to start the azure-eventhub input, but it fails due to the firewall restrictions. It logs the error, but if you don't search through the logs within the time window, you may miss the error log.

[zmoog]

@willemdh, I created PR #9158 to add the list of TCP ports to the docs. I'll double-check and test the URLs, but I want to release the port list first because we need this info right now.

Please leave a review if you have time.

[alaudazzi]

Closed as completed.