Add support for event hub transport layer proxy

[k-shlomi]

Adds SOCKS5 proxy support for Rust EventHubs client, enabling connections through corporate proxies and restricted network environments.

Changes

Core Implementation

• azure_core_amqp/src/socks5.rs - New SOCKS5 connection module
  • SocksConnection struct with validate_proxy_url(), connect(), mask_credentials()
  • Support for socks5:// and socks5h:// protocols
  • Username/password authentication via URL
  • Automatic credential masking in logs
• azure_core_amqp/src/connection.rs - AMQP integration
  • Modified open_with_stream() to detect SOCKS5 URLs in custom_endpoint
  • Zero breaking changes, backward compatible

Dependencies

• tokio-socks = "0.5"
• tokio-native-tls = "0.3"
• native-tls = "0.2"

Documentation & Examples

• azure_core_amqp/README.md - Added SOCKS5 feature documentation
• eventhubs/examples/eventhubs_socks5_proxy.rs - Complete usage example
• Comprehensive rustdoc with examples and troubleshooting

Usage

  let client = ProducerClient::builder()
      .with_custom_endpoint("socks5h://proxy.corp.com:1080")
      .open(host, eventhub, credential)
      .await?;

Resolves enterprise customer requirements for proxy support in restricted network environments.

[github-actions]

Thank you for your contribution @k-shlomi! We will review the pull request and get back to you soon.

[k-shlomi]

@microsoft-github-policy-service agree company="Sweet Security"

[heaths]

A few notes, but @LarryOsterman should definitely have a look. Thanks for the contribution!

[heaths]

These should be defined as part of an optional feature for anyone to enable who wants to use the protocol. Most customers likely won't need it and the increased build time required.

@LarryOsterman we'd also want to consider whether these should be declared directly herein or in the workspace Cargo.toml. The only net new dependency is tokio-socks, but I suspect that - at least for now - AMQP is the only protocol that would support it. The others are already in the Cargo.lock file and should just be in the workspace if they even need to be declared explicitly. [email protected] already has a dependency on [email protected] and [email protected] so they probably don't need to be in here at all.

[heaths]

This is great module documentation, but given its not pub when imported in src/lib/rs, no one is going to see it. Necessary information might be better served in the crate README.md.

[heaths]

We generally prefer the construction pattern:

let options = AmqpConnectionOptions {
  custom_endpoint = Some("socks5h://proxy.contoso.com:8080".parse()?),
  ..Default::default()
};

And use contoso.com or example.com.

[heaths]

Also means azure_core::http::Url doesn't need to be imported.

[heaths]

Use Error::with_error:

Suggested change

	azure_core::Error::new(azure_core::error::ErrorKind::Other, Box::new(e)).with_context(
	format!(
	"SOCKS5 connection failed: proxy={}, target={}",
	Self::mask_credentials(proxy_url),
	target_url
	),
	)
	azure_core::Error::with_error(azure_core::error::ErrorKind::Other, e,
	format!(
	"SOCKS5 connection failed: proxy={}, target={}",
	Self::mask_credentials(proxy_url),
	target_url
	),
	)

(Something like that)

[LarryOsterman]

/azp run rust - eventhubs - weekly

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[LarryOsterman]

In general, I'm singularly impressed. I have one significant concern, which is that I believe that these new tests will fail in our weekly test runs because we run our tests with --all-features and the CI pipeline doesn't have a SOCKS5 proxy available to work.

Also I'd like to have someone from the EventHubs service team take a look to confirm that they want SOCKS5 proxy support as a feature (it's complicated).

[LarryOsterman]

You might want to consider using the azure_core extension method sanitize here - it implements our standardized sanitization logic. You would still need to redact the username and password since azure URLs are prohibited from using the URL username and password fields, but this adds an additional level of sanity checks on the URL.

Basically change the last line to masked.sanitize(&[])

[LarryOsterman]

Same comment about using the sanitize() extension for the rest of the URL.

[LarryOsterman]

Our tests are built with --all-features - how do you ensure that these tests don't fail in our live tests CI pipeline?

[heaths]

I think these tests should move to examples...which you already have, so if the examples are sufficient, I say we remove these integration tests if we don't have any easy way to test them on devs' machines (we don't control nor dictate how they run tests) or hosted agents.

[k-shlomi]

Hi @heaths and @LarryOsterman
thank you for the review.
I believe I addressed all your comments. let me know if anything else is needed.

[heaths]

@weshaggard @hallipr what's going on with the vcpkg install on Windows?

From the logs,

%VCPKG_BINARY_SOURCES%: error: invalid argument: binary config 'azblob' requires a SAS token without a preceeding '?' as the second argument

We're using the same setup that other repos are using, so did something break recently?

[heaths]

@k-shlomi please address my comments as well. See our root CONTRIBUTING.md for more information as well.

[k-shlomi]

@heaths I believe I did fix your comments. can you point me out to comments I missed?

[weshaggard]

@weshaggard @hallipr what's going on with the vcpkg install on Windows?

From the logs,

%VCPKG_BINARY_SOURCES%: error: invalid argument: binary config 'azblob' requires a SAS token without a preceeding '?' as the second argument

We're using the same setup that other repos are using, so did something break recently?

@danieljurek is investigating the vcpkg issue.

[danieljurek]

Notes from investigation so far:

• vcpkg install shouldn't be failing here
• Other pipelines are not failing because vcpkg install is invoked differently
• Successful invocations in rust - pullrequest use vcpkg at version 2025-07-21-d4b65a2b83ae6c3526acd1c6f3b51aff2a884533, failing pipeline runs are showing version 2025-09-03-4580816534ed8fd9634ac83d46471440edd82dfe
• There was a recent update to the image that moved vcpkg up. Looks like vcpkg is running from the image.

[danieljurek]

There was a breaking change to binary caching for vcpkg in this version. I have a fix working locally... PR coming soon

[danieljurek]

Fix is in. Rebase on main then push to re-run and get past the vcpkg install issues.

[heaths]

You can't take direct dependencies in a crate. There are also some sanitization concerns.

[heaths]

Everything in here is in azure_core. azure_* crates outside of core should not reference typespec crates.

[k-shlomi]

@heaths I referenced it in sdk/eventhubs/azure_messaging_eventhubs/Cargo.toml in order to use the sanitize. any suggestion about that? remove sanitize? leave it in the file? what is the best course of action here?

[heaths]

I'm saying that the sanitization function should be exported in azure_core as well, in the same module (hopefully, unless we missed something). For any azure_* crates we're trying to "hide" the typespec crates as an implementation detail. Everything they export is imported and re-exported by azure_core in the same module path. A couple types we "override", but internally make convertible to the types they "override" in typespec.

[heaths]

2 of these don't need to be referenced directly as we already have dependencies. The other has to be defined in the workspace /Cargo.toml. We don't allow direct dependencies unless @LarryOsterman thinks is worth exempting a version dependency in our appropriate place. This is to avoid version mismatches throughout the workspace - especially import as the number of crates grows.

[k-shlomi]

changed

[heaths]

You also need to add this to the docs.rs metadata table below or it won't be documented. We intentionally don't document the others as they are meant more for internal testing / development.

[k-shlomi]

added

[k-shlomi]

@heaths one question for you in regards to your last comments.
fixed the rest
pulled from main so now build passes