Service Bus Premium Features

The Azure Service Bus Premium tier provides dedicated, isolated resources for enterprise-grade messaging workloads. Unlike the shared infrastructure of the Standard tier, Premium allocates dedicated memory and CPU through Messaging Units (MUs). This results in predictable performance, higher throughput, and access to advanced features unavailable in lower tiers — including large message support, virtual network integration, private endpoints, and customer-managed encryption keys.

Premium vs Standard — Feature Comparison

1. Messaging Units (MUs)

Messaging Units are the compute and memory allocation for a Premium namespace. Each MU provides a fixed amount of resources. More MUs give higher throughput and lower latency at peak load.

Create a Premium Namespace with 2 Messaging Units

az servicebus namespace create   --resource-group rg-messaging-prod   --name myshopns-premium   --location eastus   --sku Premium   --capacity 2

Scale Messaging Units (No Downtime)

az servicebus namespace update   --resource-group rg-messaging-prod   --name myshopns-premium   --capacity 4

Scale-Up (traffic spike approaching):
  1 MU  --> 4 MU  (scale up before peak load)

Scale-Down (off-peak hours):
  4 MU  --> 1 MU  (reduce cost overnight or on weekends)

No downtime. No message loss during scaling.

2. Large Message Support (Up to 100 MB)

Standard tier limits messages to 256 KB. Premium tier supports messages up to 100 MB. This is useful for systems that send large payloads such as medical images, PDF reports, serialized ML model updates, or large JSON datasets.

Enable Large Message Support

# Large message support requires Premium namespace
# Set max message size when creating the queue or topic

az servicebus queue create   --resource-group rg-messaging-prod   --namespace-name myshopns-premium   --name large-payload-queue   --max-message-size-in-kilobytes 102400   # 100 MB

Sending a Large Message in .NET

// Premium namespace — supports up to 100 MB body
byte[] largePayload = File.ReadAllBytes("report.pdf");

var message = new ServiceBusMessage(BinaryData.FromBytes(largePayload))
{
    MessageId   = "report-2024-Q4",
    ContentType = "application/pdf",
    Subject     = "QuarterlyReport"
};

await sender.SendMessageAsync(message);
Console.WriteLine($"Large message sent: {largePayload.Length / 1024} KB");

Large Message Size Options

3. Virtual Network Integration

Premium namespaces support Virtual Network (VNet) service endpoints and private endpoints. This restricts access to the namespace so that only resources inside a specific Azure VNet can connect — preventing public internet access entirely.

Add a VNet Rule via CLI

# Get the subnet resource ID
SUBNET_ID=$(az network vnet subnet show   --resource-group rg-network   --vnet-name my-vnet   --name app-subnet   --query id --output tsv)

# Add VNet rule to Service Bus namespace
az servicebus namespace network-rule add   --resource-group rg-messaging-prod   --namespace-name myshopns-premium   --subnet $SUBNET_ID   --enable-trusted-services-bypass true

VNet Integration Architecture

Internet
  |
  X  (blocked — no public access)

Azure VNet (my-vnet)
  |
  |-- Subnet: app-subnet
  |       |-- App Service / AKS / VM
  |               |-- connects to Service Bus namespace via private path
  |
  |-- Service Bus Namespace: myshopns-premium
          (only accessible from app-subnet)

4. Private Endpoints

A Private Endpoint creates a private IP address inside a VNet that maps directly to the Service Bus namespace. All traffic goes through Azure's private backbone — no public DNS, no public IP involved.

# Create a private endpoint for the Service Bus namespace
az network private-endpoint create   --resource-group rg-messaging-prod   --name pe-servicebus   --vnet-name my-vnet   --subnet private-endpoints-subnet   --private-connection-resource-id /subscriptions/<sub>/resourceGroups/rg-messaging-prod/providers/Microsoft.ServiceBus/namespaces/myshopns-premium   --group-id namespace   --connection-name pe-conn-servicebus

Without Private Endpoint:
  App --> public DNS --> public IP --> Service Bus namespace

With Private Endpoint:
  App --> private IP (10.0.1.5) --> Azure backbone --> Service Bus namespace
  (no public internet involved)

5. Availability Zones

Premium namespaces in supported regions automatically replicate data across three Availability Zones (AZs) within the same Azure region. If one zone fails, messages remain available from the other zones with no manual intervention.

Azure Region: East US
  |
  |-- Availability Zone 1: Service Bus replica A
  |-- Availability Zone 2: Service Bus replica B
  |-- Availability Zone 3: Service Bus replica C

If Zone 1 fails:
  Traffic automatically served from Zone 2 and Zone 3.
  No message loss. No manual failover needed.

Enable Availability Zones (Portal)

Availability Zones are enabled automatically when creating a Premium namespace in a supported region. Check the Zone redundancy checkbox during namespace creation. Zone redundancy cannot be added after creation.

6. Customer-Managed Encryption Keys (CMK)

By default, Service Bus encrypts data at rest using Microsoft-managed keys. Premium namespaces support Customer-Managed Keys (CMK) stored in Azure Key Vault. This gives full control over the encryption keys, including key rotation and revocation.

# Assign Key Vault Crypto User role to the namespace's Managed Identity
az role assignment create   --assignee <namespace-managed-identity-id>   --role "Key Vault Crypto User"   --scope /subscriptions/<sub>/resourceGroups/rg-keyvault/providers/Microsoft.KeyVault/vaults/my-keyvault

# Configure CMK on the namespace
az servicebus namespace update   --resource-group rg-messaging-prod   --name myshopns-premium   --encryption keySource="Microsoft.KeyVault"   --key-name myEncryptionKey   --key-vault-uri https://my-keyvault.vault.azure.net/

7. Disabling Public Network Access

# Restrict to private endpoints only — block all public internet access
az servicebus namespace update   --resource-group rg-messaging-prod   --name myshopns-premium   --public-network-access Disabled

# Also disable local SAS authentication — force Azure AD only
az servicebus namespace update   --resource-group rg-messaging-prod   --name myshopns-premium   --disable-local-auth true

Premium Namespace — Full Security Architecture

+----------------------------------------------------------+
|  Premium Namespace: myshopns-premium                     |
|                                                          |
|  [Queue: orders]  [Topic: order-events]                  |
|                                                          |
|  Security:                                               |
|    - Public Access: DISABLED                             |
|    - Local (SAS) Auth: DISABLED                          |
|    - Private Endpoint: ENABLED (10.0.1.5)               |
|    - VNet Rules: app-subnet only                         |
|    - Encryption: Customer-Managed Key (Azure Key Vault)  |
|    - Availability Zones: Zone 1, 2, 3 (replicated)      |
|                                                          |
|  Performance:                                            |
|    - Messaging Units: 4 MU                               |
|    - Max Message Size: 100 MB                            |
+----------------------------------------------------------+

When to Choose Premium

Summary

Azure Service Bus Premium provides dedicated compute through Messaging Units, eliminating the noisy-neighbor problem of shared infrastructure. It unlocks large message support up to 100 MB, network isolation through VNet integration and private endpoints, zone redundancy across three availability zones, and customer-managed encryption keys for compliance-sensitive workloads. Messaging Units scale without downtime, enabling cost control during off-peak hours and performance headroom during traffic spikes. Premium is the right choice for any enterprise workload where performance predictability, security isolation, and compliance requirements go beyond what the Standard tier offers.