Question

I'm using Azure Service Bus Queues to store and forward messages to remote installations of a client application.

My approach is to set up a queue for each remote site and configure each instance of the application with its own queue name, for example:

mynamespace/London
mynamespace/Manchester

I'm seeking advice on how to secure the queues and the credentials in the client application. As I understand it, there is a single set of credentials per namespace, and therefore each instance of the client application will have the same queue connect string. Also, it appears that with the decrypted connect string the call has permission to create / delete the queue rather than just dequeue messages - can I secure against this?


Solution

You should use SBAzTool to secure your Service Bus Queues. By default you probably use the "owner" service identity, but that's not optimal in terms of security. With SBAzTool you can create a new service identity (let's say 1 per remote site) and grant Listen permissions on one queue + Send permissions on another queue (which would be perfect in a store-and-forward scenario).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow