Storage account firewall - Add inbound service tags for storage account.
At the moment, the storage account firewall can only be configured with "Allow Trusted MS Services" and the whitelisting of IPs/IP ranges.
Our Power BI service needs to be able to access our storage account with storage account firewall enabled.
Currently we have to manually whitelist data center IP ranges in order for this to work.
Please add the ability to add inbound service tags for storage account firewall like you can with NSGs and add Power BI and other MS services to the "Allow Trusted MS Services".
valid suggestion subject to upvote
Ted Wildsmith commented
The same needs to be done for Azure SQL Firewall functionality too. The data that we hold needs to be as secure as possible as well as be accessible to Power BI service data refreshes. We need the ability to allow connections from Power BI service without having to whitelist entire data centre IP ranges.
This is a must.
In my mind, this is the biggest gap in Azure's data stack. In order to access data in a secured Storage account, it's necessary to run some type of compute (Azure Analysis Services, Synapse, On Premise Gateway on a VM) to access data. This compute ends up being one of the most expensive parts of the architecture.
As more organizations begin using the data lake approach of storing bespoke datasets into Storage instead of a data warehouse, it is necessary to have serverless options to query a secured data lake.
It would really help if the storage account firewall had similar capabilities to a Network Security Group, where you can add service tags and such.
The IPs from BI are coming from Net Range 100.64.0.0 - 100.127.255.255
CIDR 100.64.0.0/10. I've allowed 100.96.0.0/11 to start and it allowed my BI to work. YMMV.
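
Added example, not part of the thread: one way to script the manual whitelisting workaround described in the original request, by turning one tag from a service tags JSON file into a minimal list of storage firewall IP rules. Assumptions: the input has the `values` / `properties.addressPrefixes` shape of the Azure Service Tags download, the sample prefixes are constructed documentation ranges, `firewall_rules` and `max_rules` are hypothetical names, and the firewall is treated as accepting only public IPv4 rules with /31 and /32 entered as single addresses.

```python
import ipaddress
import json

# Constructed sample in the shape of a service tags JSON file.
# Prefixes are documentation ranges, not real Power BI ranges.
SAMPLE_TAGS = json.loads("""
{"values": [
  {"name": "PowerBI", "properties": {"addressPrefixes": [
     "198.51.100.0/25", "198.51.100.128/25", "203.0.113.8/31",
     "203.0.113.77/32", "10.1.0.0/16", "2001:db8::/48"]}},
  {"name": "Storage", "properties": {"addressPrefixes": ["192.0.2.0/24"]}}
]}
""")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def firewall_rules(tags, tag_name, max_rules=200):
    """Return (rules, skipped) for one service tag.

    max_rules is an assumed cap; check the current limit for your account.
    """
    entry = next((v for v in tags["values"] if v["name"] == tag_name), None)
    if entry is None:
        raise KeyError(tag_name)
    nets, skipped = [], []
    for prefix in entry["properties"]["addressPrefixes"]:
        net = ipaddress.ip_network(prefix, strict=False)
        # Assumption: IPv6 and RFC 1918 prefixes cannot be used as IP rules.
        if net.version != 4 or any(net.subnet_of(r) for r in RFC1918):
            skipped.append(prefix)
        else:
            nets.append(net)
    rules = []
    # collapse_addresses merges adjacent prefixes without widening coverage.
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen >= 31:
            rules.extend(str(ip) for ip in net)  # enter as single addresses
        else:
            rules.append(str(net))
    if len(rules) > max_rules:
        raise ValueError(f"{len(rules)} rules exceed the cap of {max_rules}")
    return rules, skipped


if __name__ == "__main__":
    print(firewall_rules(SAMPLE_TAGS, "PowerBI"))
```

The skipped list is returned rather than dropped silently so that prefixes the firewall cannot express are reviewed instead of being replaced with a broader range.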