Add a diagram, more reference links, and DNS info

packages/azure/_dev/build/docs/README.md

@@ -270,10 +270,55 @@ The Agent will use the integration name and the event hub name to identify the b
 
 When running the Elastic Agent behind a firewall, you need to allow specific traffic to ensure proper communication with the necessary components. In this case, you need to allow traffic on port `5671` and `5672` for the Event Hub, and port `443` for the Storage Account container.
 
-Port `5671` and `5672` are commonly used for secure communication with the Event Hub. These ports are used to receive events. By allowing traffic on these ports, the Elastic Agent can establish a secure connection with the Event Hub. For more information, check the section [What ports do I need to open on the firewall?](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall) from the [Event Hubs frequently asked questions](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall).
+```text
+┌────────────────────────────────┐  ┌───────────────────┐  ┌───────────────────┐
+│                                │  │                   │  │                   │
+│ ┌────────────┐   ┌───────────┐ │  │  ┌──────────────┐ │  │ ┌───────────────┐ │
+│ │ diagnostic │   │ event hub │ │  │  │azure-eventhub│ │  │ │ activity logs │ │
+│ │  setting   │──▶│           │◀┼AMQP─│  <<input>>   │─┼──┼▶│<<data stream>>│ │
+│ └────────────┘   └───────────┘ │  │  └──────────────┘ │  │ └───────────────┘ │
+│                                │  │          │        │  │                   │
+│                                │  │          │        │  │                   │
+│                                │  │          │        │  │                   │
+│         ┌─────────────┬─────HTTPS─┼──────────┘        │  │                   │
+│ ┌───────┼─────────────┼──────┐ │  │                   │  │                   │
+│ │       │             │      │ │  │                   │  │                   │
+│ │       ▼             ▼      │ │  └─Agent─────────────┘  └─Elastic Cloud─────┘
+│ │ ┌──────────┐  ┌──────────┐ │ │
+│ │ │    0     │  │    1     │ │ │
+│ │ │ <<blob>> │  │ <<blob>> │ │ │
+│ │ └──────────┘  └──────────┘ │ │
+│ │                            │ │
+│ │                            │ │
+│ └─Storage Account Container──┘ │
+│                                │
+│                                │
+└─Azure──────────────────────────┘
+```
+
+#### Event Hub
+
+Port `5671` and `5672` are commonly used for secure communication with the Event Hub. These ports are used to receive events. By allowing traffic on these ports, the Elastic Agent can establish a secure connection with the Event Hub. 
+
+For more information, check the following documents:
+
+- The section [What ports do I need to open on the firewall?](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall) from the [Event Hubs frequently asked questions](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall).
+- [AMQP outbound port requirements](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-protocol-guide#amqp-outbound-port-requirements)
+
+#### Storage Account Container
 
 Port `443` is used for secure communication with the Storage Account container. This port is commonly used for HTTPS traffic. By allowing traffic on port 443, the Elastic Agent can securely access and interact with the Storage Account container, which is essential for storing and retrieving checkpoint data for each event hub partition.
 
+#### DNS
+
+Optionally, if you want to restrict traffic to domain names, here is the list of names you need to allow.
+
+```text
+*.servicebus.windows.net
+*.blob.core.windows.net
+*.cloudapp.net
+```
+
 ## Settings
 
 Use the following settings to configure the Azure Logs integration when you add it to Fleet.

packages/azure/docs/README.md

@@ -270,10 +270,55 @@ The Agent will use the integration name and the event hub name to identify the b
 
 When running the Elastic Agent behind a firewall, you need to allow specific traffic to ensure proper communication with the necessary components. In this case, you need to allow traffic on port `5671` and `5672` for the Event Hub, and port `443` for the Storage Account container.
 
-Port `5671` and `5672` are commonly used for secure communication with the Event Hub. These ports are used to receive events. By allowing traffic on these ports, the Elastic Agent can establish a secure connection with the Event Hub. For more information, check the section [What ports do I need to open on the firewall?](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall) from the [Event Hubs frequently asked questions](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall).
+```text
+┌────────────────────────────────┐  ┌───────────────────┐  ┌───────────────────┐
+│                                │  │                   │  │                   │
+│ ┌────────────┐   ┌───────────┐ │  │  ┌──────────────┐ │  │ ┌───────────────┐ │
+│ │ diagnostic │   │ event hub │ │  │  │azure-eventhub│ │  │ │ activity logs │ │
+│ │  setting   │──▶│           │◀┼AMQP─│  <<input>>   │─┼──┼▶│<<data stream>>│ │
+│ └────────────┘   └───────────┘ │  │  └──────────────┘ │  │ └───────────────┘ │
+│                                │  │          │        │  │                   │
+│                                │  │          │        │  │                   │
+│                                │  │          │        │  │                   │
+│         ┌─────────────┬─────HTTPS─┼──────────┘        │  │                   │
+│ ┌───────┼─────────────┼──────┐ │  │                   │  │                   │
+│ │       │             │      │ │  │                   │  │                   │
+│ │       ▼             ▼      │ │  └─Agent─────────────┘  └─Elastic Cloud─────┘
+│ │ ┌──────────┐  ┌──────────┐ │ │
+│ │ │    0     │  │    1     │ │ │
+│ │ │ <<blob>> │  │ <<blob>> │ │ │
+│ │ └──────────┘  └──────────┘ │ │
+│ │                            │ │
+│ │                            │ │
+│ └─Storage Account Container──┘ │
+│                                │
+│                                │
+└─Azure──────────────────────────┘
+```
+
+#### Event Hub
+
+Port `5671` and `5672` are commonly used for secure communication with the Event Hub. These ports are used to receive events. By allowing traffic on these ports, the Elastic Agent can establish a secure connection with the Event Hub. 
+
+For more information, check the following documents:
+
+- The section [What ports do I need to open on the firewall?](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall) from the [Event Hubs frequently asked questions](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall).
+- [AMQP outbound port requirements](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-protocol-guide#amqp-outbound-port-requirements)
+
+#### Storage Account Container
 
 Port `443` is used for secure communication with the Storage Account container. This port is commonly used for HTTPS traffic. By allowing traffic on port 443, the Elastic Agent can securely access and interact with the Storage Account container, which is essential for storing and retrieving checkpoint data for each event hub partition.
 
+#### DNS
+
+Optionally, if you want to restrict traffic to domain names, here is the list of names you need to allow.
+
+```text
+*.servicebus.windows.net
+*.blob.core.windows.net
+*.cloudapp.net
+```
+
 ## Settings
 
 Use the following settings to configure the Azure Logs integration when you add it to Fleet.