
AMQP Ports 5671 and 5672 Configuration for Azure

This guide consolidates configuration requirements for AMQP ports 5671 and 5672 across Azure Service Bus and Azure Event Hub scenarios. Both services use the same AMQP protocol and port numbers for secure message communication.

Understanding AMQP: Alternative to HTTPS

What is AMQP?

AMQP (Advanced Message Queuing Protocol) is a binary, standards-based messaging protocol optimized for reliable message transmission. While Azure Service Bus and Event Hub support both HTTPS (port 443) and AMQP (ports 5671, 5672), AMQP offers:

  • Lower Latency - Binary protocol reduces overhead compared to HTTP/REST
  • Connection Reuse - Single persistent connection for multiple operations
  • Reduced Bandwidth - Smaller message envelopes than JSON/REST
  • Better Throughput - Optimized for high-volume scenarios

Port Numbering Convention

Port | Protocol    | Use Case                                        | Security
5671 | Secure AMQP | Production connections requiring TLS encryption | TLS 1.2+
5672 | AMQP        | Legacy/unencrypted AMQP (rarely used in cloud)  | No encryption

Best Practice: Always use port 5671 (secure AMQP with TLS). Port 5672 without encryption is uncommon in Azure scenarios.

Azure Service Bus - AMQP Configuration

Azure Service Bus supports AMQP for queue, topic, and relay communication. This is the primary integration point for Nodinite Message Queueing Monitoring Agents.

Firewall Requirements

Outbound Rules (from Monitoring Agent to Azure)

Direction | Source       | Destination              | Protocol | Port(s)    | Purpose                                | Security
Outbound  | Agent Server | *.servicebus.windows.net | TCP      | 5671, 5672 | Secure AMQP connection to Service Bus  | TLS 1.2+
Outbound  | Agent Server | *.servicebus.windows.net | TCP      | 443        | Initial authentication & control plane | HTTPS/TLS

Inbound Rules (from Azure to Monitoring Agent)

Direction | Source                   | Destination  | Protocol | Port(s)         | Purpose          | Notes
Inbound   | *.servicebus.windows.net | Agent Server | TCP      | 443, 5671, 5672 | Response traffic | Automatically allowed by stateful firewall inspection

Azure-Side Note: No inbound firewall configuration required on Azure Service Bus. The service is cloud-hosted and manages its own ingress filtering.

PowerShell Connectivity Testing

Test connectivity from your Monitoring Agent server to Azure Service Bus using PowerShell's Test-NetConnection cmdlet:

# Replace [service-bus-name] with your actual Service Bus namespace
$ServiceBusName = "[service-bus-name]"

# Test port 5671 (Secure AMQP)
Test-NetConnection -ComputerName "$ServiceBusName.servicebus.windows.net" -Port 5671 -InformationLevel Detailed

# Test port 5672 (AMQP - legacy)
Test-NetConnection -ComputerName "$ServiceBusName.servicebus.windows.net" -Port 5672 -InformationLevel Detailed

# Test port 443 (HTTPS - control plane)
Test-NetConnection -ComputerName "$ServiceBusName.servicebus.windows.net" -Port 443 -InformationLevel Detailed

Expected Output (Success):

ComputerName     : [service-bus-name].servicebus.windows.net
RemotePort       : 5671
TcpTestSucceeded : True

Expected Output (Failure):

ComputerName     : [service-bus-name].servicebus.windows.net
RemotePort       : 5671
TcpTestSucceeded : False

Interpreting Test Results

Result                                  | Meaning                  | Common Cause                                       | Resolution
TcpTestSucceeded : True                 | ✅ Connection successful | Firewall rule permits traffic                      | Proceed with agent configuration
TcpTestSucceeded : False                | ❌ Connection blocked    | Firewall blocks AMQP ports                         | Add outbound firewall rule for ports 5671/5672 to *.servicebus.windows.net
TcpTestSucceeded : False (immediate)    | ❌ Connection refused    | DNS resolution failed or destination unreachable   | Verify Service Bus namespace name; verify internet connectivity
TcpTestSucceeded : False (after timeout)| ❌ Connection timeout    | Firewall dropping packets silently                 | Check corporate proxy/firewall rules; verify HTTPS port 443 is open for control plane
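The table above distinguishes failures by whether they are immediate or time out. The following function, an added example that is not part of the original page, runs the same Test-NetConnection checks for 443, 5671 and 5672, resolves the name first so a DNS failure is reported separately, and times each probe to tell a refused connection from a silent drop. The 20-second threshold and the function name are assumptions, not values from the page.

```powershell
# Added example (not from the page): triage Service Bus / Event Hub reachability
# using the same result fields the table above describes. Requires the NetTCPIP
# module that ships with Windows (Test-NetConnection).
function Test-AmqpNamespaceConnectivity {
    param(
        [Parameter(Mandatory)] [string] $Namespace,   # namespace name only, e.g. "[service-bus-name]"
        [int[]] $Ports = @(443, 5671, 5672)
    )

    $fqdn = "$Namespace.servicebus.windows.net"

    # Resolve first: a DNS failure shows as an immediate False on every port and has a
    # different fix (namespace name / connectivity) than a single blocked port.
    $dnsOk = $true
    try { [void][System.Net.Dns]::GetHostAddresses($fqdn) } catch { $dnsOk = $false }

    foreach ($port in $Ports) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $r  = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
        $sw.Stop()

        # Assumption: the TCP connect attempt gives up after roughly 20 s when packets are
        # dropped, whereas an active refusal or unreachable host returns within a second or two.
        $verdict = if (-not $dnsOk) {
            'DNS resolution failed: verify the namespace name and internet connectivity'
        } elseif ($r.TcpTestSucceeded) {
            'Reachable'
        } elseif ($sw.Elapsed.TotalSeconds -ge 20) {
            'Timeout: a firewall or proxy is silently dropping packets to this port'
        } else {
            'Blocked/refused: add an outbound TCP rule for this port to *.servicebus.windows.net'
        }

        [pscustomobject]@{
            Target    = $fqdn
            Port      = $port
            Succeeded = [bool]$r.TcpTestSucceeded
            Seconds   = [math]::Round($sw.Elapsed.TotalSeconds, 1)
            Verdict   = $verdict
        }
    }
}

# Usage from the Monitoring Agent server:
Test-AmqpNamespaceConnectivity -Namespace "[service-bus-name]" | Format-Table -AutoSize
```

A namespace that is reachable on 443 but blocked on 5671 is the classic sign that only the HTTPS rule was created.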

Authentication Requirements

Nodinite Monitoring Agents connecting via AMQP to Azure Service Bus require:

  • Microsoft Entra ID (Azure AD) Application Registration with:
    • Application ID (Client ID)
    • Tenant ID
    • Client Secret or Certificate Credential
  • Role Assignment on the Service Bus Namespace:
    • Azure Service Bus Data Owner - for sending/receiving messages
    • Reader - on the parent Subscription (for resource discovery)

For detailed Entra ID authentication setup, see Authenticate and authorize an application with Microsoft Entra ID to access Azure Service Bus entities.

Azure Event Hub - AMQP Configuration

Azure Event Hubs use AMQP for log ingestion in Nodinite Azure Logic Apps scenarios. When you configure Azure Logic Apps diagnostic logs to send to Event Hub, the Monitoring Agent connects via AMQP.

Firewall Requirements

Outbound Rules (from Monitoring Agent to Azure)

Direction | Source       | Destination              | Protocol | Port(s)    | Purpose                                     | Security
Outbound  | Agent Server | *.servicebus.windows.net | TCP      | 5671, 5672 | Secure AMQP to Event Hub                    | TLS 1.2+
Outbound  | Agent Server | *.servicebus.windows.net | TCP      | 443        | Control plane (authentication, discovery)   | HTTPS/TLS

Note: Event Hubs are hosted within the Azure Service Bus infrastructure (*.servicebus.windows.net), so firewall rules are identical to Service Bus.

PowerShell Connectivity Testing

Test connectivity to an Event Hub using the same pattern as Service Bus:

# For Event Hub in namespace [event-hub-namespace]
$EventHubNamespace = "[event-hub-namespace]"

# Test port 5671 (Secure AMQP)
Test-NetConnection -ComputerName "$EventHubNamespace.servicebus.windows.net" -Port 5671 -InformationLevel Detailed

# Test port 443 (HTTPS - control plane)
Test-NetConnection -ComputerName "$EventHubNamespace.servicebus.windows.net" -Port 443 -InformationLevel Detailed

When Event Hubs Use AMQP

Event Hubs use AMQP when:

  • Consuming log streams from Azure Logic Apps diagnostic endpoints
  • High-throughput scenarios requiring persistent connections
  • Custom event processors reading from Event Hub consumer groups

Firewall Configuration Examples

Example 1: Corporate Firewall (Windows Firewall on Agent Server)

Allow outbound AMQP traffic to Azure Service Bus:

# Add outbound firewall rule for AMQP ports.
# Windows Firewall filters on IP addresses, not FQDNs, so -RemoteAddress cannot be
# set to *.servicebus.windows.net; "Any" (the keyword, not "*") allows 5671/5672 to
# any destination. Narrow it to known address ranges if your policy requires.
New-NetFirewallRule -DisplayName "Allow AMQP to Azure Service Bus" `
  -Direction Outbound `
  -Action Allow `
  -Protocol TCP `
  -RemotePort 5671,5672 `
  -RemoteAddress Any `
  -Description "Allow Monitoring Agent to reach Azure Service Bus via AMQP"

# Verify rule was created
Get-NetFirewallRule -DisplayName "Allow AMQP to Azure Service Bus"

Example 2: Network Firewall (Palo Alto, Checkpoint, Fortinet)

Create outbound security rules:

Rule Name: Allow-AMQP-to-Azure-ServiceBus
Action: Allow
Source: [Agent Server Subnet]
Destination: *.servicebus.windows.net
Service: TCP 5671, 5672
Logging: Enabled
Description: AMQP traffic for Azure Service Bus Monitoring

Example 3: Azure Network Security Group (NSG)

Configure NSG on the agent's subnet (if agent is in Azure):

# Look up the NSG attached to the agent's subnet
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName "rg-name" -Name "nsg-name"

# Add the outbound AMQP rule to the NSG and push the updated NSG back to Azure.
# -DestinationPortRange takes an array of ports, not a single "5671,5672" string,
# and the rule is added with Add-AzNetworkSecurityRuleConfig rather than by
# splatting a rule object.
$nsg | Add-AzNetworkSecurityRuleConfig `
  -Name "AllowAMQPToServiceBus" `
  -Protocol Tcp `
  -SourcePortRange "*" `
  -DestinationPortRange 5671,5672 `
  -SourceAddressPrefix "*" `
  -DestinationAddressPrefix "*" `
  -Access Allow `
  -Priority 100 `
  -Direction Outbound |
  Set-AzNetworkSecurityGroup

Troubleshooting AMQP Connectivity Issues

Symptom: "Connection Refused" on Port 5671/5672

Likely Causes:

  • Firewall rule not applied or syntax error
  • NSG rule blocking traffic
  • Corporate proxy intercepting connections
  • Antivirus software blocking AMQP protocol

Resolution:

  1. Verify firewall rule created successfully: Get-NetFirewallRule -DisplayName "Allow AMQP to Azure Service Bus"
  2. Test from command line: Test-NetConnection -ComputerName [service-bus-name].servicebus.windows.net -Port 5671 -Verbose
  3. Review firewall logs for blocked connections
  4. Consult network team if behind corporate proxy
  5. Verify antivirus/EDR software isn't blocking connections

Symptom: "Connection Timeout" After Initial Connection

Likely Causes:

  • Firewall rule only allows port 443 (HTTPS), not AMQP ports
  • Network path asymmetry (outbound allowed, inbound blocked)
  • Azure Service Bus namespace not found or misconfigured

Resolution:

  1. Verify both ports 5671 AND 5672 are allowed in firewall
  2. Ensure return traffic on same ports is allowed (stateful firewall inspection)
  3. Verify Service Bus namespace name is correct: Test-NetConnection -ComputerName [namespace].servicebus.windows.net -Port 443

Symptom: "Authentication Failed" on Successful Connection

Likely Causes:

  • Application registration doesn't have Azure Service Bus Data Owner role
  • Entra ID application credentials expired
  • Tenant ID or Client ID misconfigured in agent settings

Resolution:

  1. Verify role assignment: Get-AzRoleAssignment -ObjectId [application-object-id] -Scope /subscriptions/[subscription-id]/resourceGroups/[rg]/providers/Microsoft.ServiceBus/namespaces/[namespace]
  2. Verify application credentials in agent configuration match Entra ID registration
  3. Test Entra ID authentication independently if available
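Resolution steps 1 and 2 above can be scripted together. The function below is an added example, not part of the original page or the Nodinite agent: it looks up the service principal behind the agent's Client ID, checks for the Azure Service Bus Data Owner role at the namespace scope (inherited assignments included), and reports whether any client secret or certificate credential is still valid. It assumes the Az.Accounts and Az.Resources modules with an existing Connect-AzAccount session; the function name is an assumption.

```powershell
# Added example (not from the page): verify the two identity-side causes of
# "Authentication Failed" listed above. Requires Az.Accounts and Az.Resources and a
# signed-in session with read access to the namespace and the app registration.
function Test-AgentServiceBusAccess {
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,        # Client ID from the app registration
        [Parameter(Mandatory)] [string] $NamespaceResourceId   # /subscriptions/.../Microsoft.ServiceBus/namespaces/<ns>
    )
    $requiredRole = 'Azure Service Bus Data Owner'

    # Role assignments are bound to the service principal's object id, not the Client ID,
    # which is why Get-AzRoleAssignment -ObjectId needs the value resolved here.
    $sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
    if (-not $sp) { throw "No service principal found for application $ApplicationId" }

    # Querying at the namespace scope also returns assignments inherited from the
    # resource group or subscription, so a role granted higher up still counts.
    $assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $NamespaceResourceId)
    $hasRole = [bool]($assignments | Where-Object RoleDefinitionName -eq $requiredRole)

    # Both password (secret) and key (certificate) credentials carry an EndDateTime;
    # once all of them are past, the agent authenticates with a dead credential.
    $now   = (Get-Date).ToUniversalTime()
    $creds = @(Get-AzADAppCredential -ApplicationId $ApplicationId)
    $valid = @($creds | Where-Object { $_.EndDateTime -gt $now })

    [pscustomobject]@{
        ServicePrincipalId = $sp.Id
        HasDataOwnerRole   = $hasRole
        RolesAtScope       = ($assignments.RoleDefinitionName | Sort-Object -Unique) -join ', '
        ValidCredentials   = $valid.Count
        ExpiredCredentials = $creds.Count - $valid.Count
        NextExpiry         = ($valid | Sort-Object EndDateTime | Select-Object -First 1).EndDateTime
    }
}

# Usage (placeholders from this page; replace with your own values):
Test-AgentServiceBusAccess -ApplicationId "[application-id]" `
  -NamespaceResourceId "/subscriptions/[subscription-id]/resourceGroups/[rg]/providers/Microsoft.ServiceBus/namespaces/[namespace]"
```

HasDataOwnerRole set to False with ValidCredentials greater than zero points at the role assignment; the reverse points at an expired secret or certificate.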

AMQP vs HTTPS: When to Use Each

Scenario                              | AMQP (5671/5672) | HTTPS (443)          | Recommendation
Continuous monitoring (24/7)          | ✅ Better        | ⚠️ More polling      | Use AMQP
High message throughput (1000+/min)   | ✅ Optimized     | ⚠️ Limited by REST   | Use AMQP
Firewall allows only 443              | ❌ No            | ✅ Yes               | Use HTTPS
Intermittent queries                  | ✅ Works         | ✅ Works             | Either is fine
Legacy system compatibility           | ❌ No            | ✅ Universal         | Use HTTPS
Lowest latency required               | ✅ Better        | ⚠️ Adds overhead     | Use AMQP

Default Recommendation: Configure both ports (443 + 5671/5672) to allow failover and optimal performance. The agent will use AMQP when available and fall back to HTTPS if needed.

Azure Service Bus FAQ Reference

For additional Azure Service Bus networking details, see Microsoft Learn - Azure Service Bus FAQ.

Next Step

After confirming AMQP port connectivity: