microsoft · marrobi · Jan 6, 2025
diff --git a/config.sample.yaml b/config.sample.yaml
@@ -47,6 +47,8 @@ tre:
   # Uncomment the following to disable deployment of the Web UI.
   # deploy_ui: false
   firewall_sku: Standard
+  # The SKU of the Service Bus to use. Options are "Standard" or "Premium". For production, use Premium
+  servicebus_sku: Standard
   app_gateway_sku: Standard_v2
 
   # Uncomment to deploy to a custom domain

diff --git a/config_schema.json b/config_schema.json
@@ -89,6 +89,10 @@
           "description": "SKU of the Azure Firewall.",
           "type": "string"
         },
+        "service_bus_sku": {
+          "description": "SKU of the Service Bus.",
+          "type": "string"
+        },
         "app_gateway_sku": {
           "description": "SKU of the Application Gateway.",
           "type": "string"

diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf
@@ -2,30 +2,30 @@ resource "azurerm_servicebus_namespace" "sb" {
   name                         = "sb-${var.tre_id}"
   location                     = azurerm_resource_group.core.location
   resource_group_name          = azurerm_resource_group.core.name
-  sku                          = "Premium"
-  premium_messaging_partitions = "1"
-  capacity                     = "1"
+  sku                          = var.servicebus_sku
+  premium_messaging_partitions = var.servicebus_sku == "Premium" ? "1" : 0
+  capacity                     = var.servicebus_sku == "Premium" ? "1" : 0
   tags                         = local.tre_core_tags
 
-  # Block public access
-  # See https://docs.microsoft.com/azure/service-bus-messaging/service-bus-service-endpoints
-  network_rule_set {
-    ip_rules = var.enable_local_debugging ? [local.myip] : null
-
-    # Allows the Eventgrid to access the SB
-    trusted_services_allowed = true
-
-    # We must enable the Airlock events subnet to access the SB, as the Eventgrid topics can't send messages over PE
-    # https://docs.microsoft.com/en-us/azure/event-grid/consume-private-endpoints
-    default_action                = "Deny"
-    public_network_access_enabled = true
-    network_rules {
-      subnet_id                            = module.network.airlock_events_subnet_id
-      ignore_missing_vnet_service_endpoint = false
-    }
-    network_rules {
-      subnet_id                            = module.network.airlock_notification_subnet_id
-      ignore_missing_vnet_service_endpoint = false
+  # Set to true, as network rules restrict access to selected networks when using Premium Sku
+  public_network_access_enabled = true
+
+  dynamic "network_rule_set" {
+    for_each = var.servicebus_sku == "Premium" ? [1] : []
+    content {
+      ip_rules = var.enable_local_debugging ? [local.myip] : null
+
+      # Must be enabled, to allow Eventgrid to access the SB
+      trusted_services_allowed = true
+      default_action = "Deny"
+      network_rules {
+        subnet_id                            = module.network.airlock_events_subnet_id
+        ignore_missing_vnet_service_endpoint = false
+      }
+      network_rules {
+        subnet_id                            = module.network.airlock_notification_subnet_id
+        ignore_missing_vnet_service_endpoint = false
+      }
     }
   }
 
@@ -62,30 +62,33 @@ resource "azurerm_servicebus_queue" "service_bus_deployment_status_update_queue"
 
   # The returned payload might be large, especially for errors.
   # Cosmos is the final destination of the messages where 2048 is the limit.
-  max_message_size_in_kilobytes = 2048 # default=1024
+  max_message_size_in_kilobytes = var.servicebus_sku == "Premium" ? 2048 : null
 
   partitioning_enabled = false
   requires_session     = true
 }
 
 resource "azurerm_private_dns_zone" "servicebus" {
+  count               = var.servicebus_sku == "Premium" ? 1 : 0
   name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.servicebus.windows.net"]
   resource_group_name = azurerm_resource_group.core.name
   tags                = local.tre_core_tags
   lifecycle { ignore_changes = [tags] }
 }
 
 resource "azurerm_private_dns_zone_virtual_network_link" "servicebuslink" {
+  count                 = var.servicebus_sku == "Premium" ? 1 : 0
   name                  = "servicebuslink"
   resource_group_name   = azurerm_resource_group.core.name
-  private_dns_zone_name = azurerm_private_dns_zone.servicebus.name
+  private_dns_zone_name = azurerm_private_dns_zone.servicebus[0].name
   virtual_network_id    = module.network.core_vnet_id
   tags                  = local.tre_core_tags
 
   lifecycle { ignore_changes = [tags] }
 }
 
 resource "azurerm_private_endpoint" "sbpe" {
+  count               = var.servicebus_sku == "Premium" ? 1 : 0
   name                = "pe-${azurerm_servicebus_namespace.sb.name}"
   location            = azurerm_resource_group.core.location
   resource_group_name = azurerm_resource_group.core.name
@@ -96,7 +99,7 @@ resource "azurerm_private_endpoint" "sbpe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group"
-    private_dns_zone_ids = [azurerm_private_dns_zone.servicebus.id]
+    private_dns_zone_ids = [azurerm_private_dns_zone.servicebus[0].id]
   }
 
   private_service_connection {
@@ -106,7 +109,6 @@ resource "azurerm_private_endpoint" "sbpe" {
     subresource_names              = ["namespace"]
   }
 
-  # private endpoints in serial
   depends_on = [
     azurerm_private_endpoint.filepe
   ]

diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf
@@ -241,3 +241,9 @@ variable "encryption_kv_name" {
   description = "Name of Key Vault for encryption keys, required only if external_key_store_id is not set (only used if enable_cmk_encryption is true)"
   default     = null
 }
+
+variable "servicebus_sku" {
+  description = "The SKU for the Service Bus namespace. Possible values are 'Standard' and 'Premium'."
+  type        = string
+  default     = "Premium"
+}
diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md
@@ -42,9 +42,11 @@
 | `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests unless otherwise specified. Default value is `P1v2`. |
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |
+| `SERVICEBUS_SKU` | Optional. The SKU of the Azure Service Bus instance. Default value is `Premium`. Allowed values [`Standard`, `Premium`]. Premium is recommended for production due to enhanced networking security and other features. |
 | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] |
 | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). |
 | `ENABLE_CMK_ENCRYPTION` | If set to `true`, customer-managed key encryption will be enabled for all supported resources. |
+
 ## For authentication in `/config.yaml`
 
   | Variable | Description |