Static IP ranges for Data Factory and add ADF to list of Trusted Azure Services
It is not currently possible to identify the IP Address of the DF, which you need for firewall rules, including Azure SQL Server firewall.
We want to share the great news that ADF has been added to the list of “Trusted Azure service” for Azure Key Vault and Azure Storage (blob & ADLS Gen2)!! Now you can enable “Allow trusted Microsoft services” on AKV and Azure Storage for better network security, and your ADF pipelines will continue to run. There are two caveats to pay attention to: (1) In order for ADF to be considered as one of the “Trusted Microsoft services” you need to use MSI to authenticate to AKV or Azure Storage in the linked service definition, and (2) If you are running Mapping Data Flow activity – “Trusted Azure service” is not supported for Data Flow just yet and we are working hard on it.
What is coming up? Here are the additional enhancements we are making for better network security:
- Static IP range for Azure Integration Runtime so that you can whitelist specific IP ranges for ADF as part of firewall rules. ETA is next few months.
- Support service tag for ADF
We will provide an update as soon as these enhancements become available. Please stay tuned and thank you for using ADF!
Great news, any update on when we can expect the Static IP range for Azure Integration Runtime to be available?
Adding a bump to this. Either getting ADF in an Azure VNet or getting the Public CIDR range for the Azure workers.
The VNet option would be preferable.
C Uslu commented
I need to add ADF to an Azure Vnet . Come on guys !
FRANK GAROFALO commented
Is there any update on service tag support for ADF? My Government customers want to use ADF to access things like Oracle or SQL Server hosted on IaaS boxes but need to limit what ports are open and what can route to those ports via NSGs. Since ADF does not have a service tag available to us in an NSG, nor is there a published list of IP addresses for ADF in Azure Gov, they will not create NSG rules wide open to allow the correct port routing required to access DBs on IaaS that have VNets.
Any ETA on when ADF will be listed as a trusted service for Azure Cosmos DB? I plan to use network restriction with my CosmosDB account, but cannot set up ADF now (for backups) because it isn't considered a trusted service.
When ADF will be available as “Trusted Azure service” for Azure database for MYSQL ?
My team (@greg oliver) has a script to do this and then update an NSG so ADF in our case can reach into an AKS cluster and call a function. We just need the customer's permission to do this but liitle r me if you need this now (email@example.com). Note we didn't use the static runtime for this as it was expensive, and also we'd love to have done this in an az cli script but there is no support for bash or powershell yet in ADFv2.
Rob Durrant commented
What is the latest on this?
NAGATA Ryoma(永田 亮磨) commented
> ADF has been added to the list of “Trusted Azure service”
Mehmet Bakkaloglu commented
What is the expected time?
Need this now please
Is there an update on when this will be implemented?
Emmanuel Auffray commented
Same for CosmosDB as ADF is a recommended backup option and this becomes an issue if the CosmosDB is network restricted.
Donavan Decot commented
any updates on this?
Bets Tadesse commented
If you have an Azure App/Web Service running in your portal there is a way to trace all IP addresses landing at your web page/app. The same way works to trace the ADF IP: if you send a GET request from Azure Data Factory (using the Web Activity) to your website you will be able to read which public IP Azure Data Factory is coming from.
To do this:
1. Create an Azure App Service in the portal (almost any spec will do for now).
2. Go to your Azure App Service and look for Diagnostic Log or App Logging Settings, then enable that. Now go to the Logs view. At this point, you will be able to pick up the public IP address of anyone requesting your page.
3. Go to Azure Data Factory, use the Web Activity and type your web app/site address under the settings. Change the Web Activity request type to GET. Then publish the pipeline and trigger the activity.
4. If you go to the Logs view window of the App Service, you should see the IP of the ADF from which the GET request was sent.
We need to make sure this is a Dedicated Public IP to our DFW vs a shared group of IPs the service can use. We can't whitelist ALL DFW IPs, it has to be exclusively our own DFW PIP.
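The log-reading step above is usually done by eye in the portal; the script below is an added example (not from the thread or from Microsoft) that parses App Service web-server logs in W3C extended format, collects the client IPs that hit a probe path, and tells you whether the same address showed up on every run or whether several did, which is the shared-pool case raised in the comment above. The log lines, the `/adf-probe` path and the user-agent string are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of App Service web-server (W3C extended) log lines.
# Real logs use the same "#Fields:" header convention; every value here is made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status time-taken
2020-05-01 10:00:01 MYAPP GET /adf-probe - 443 - 203.0.113.10 constructed-agent myapp.azurewebsites.net 200 0 0 12
2020-05-01 10:00:05 MYAPP GET / - 443 - 198.51.100.7 Mozilla/5.0 myapp.azurewebsites.net 200 0 0 30
2020-05-01 11:00:02 MYAPP GET /adf-probe - 443 - 203.0.113.10 constructed-agent myapp.azurewebsites.net 200 0 0 11
2020-05-01 12:00:03 MYAPP GET /adf-probe - 443 - 203.0.113.42 constructed-agent myapp.azurewebsites.net 200 0 0 13
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated records
                yield dict(zip(fields, values))


def probe_source_ips(text, probe_path="/adf-probe"):
    """Count client IPs that sent GET requests to the probe path (hypothetical path)."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method") == "GET" and rec.get("cs-uri-stem") == probe_path:
            ip = str(ipaddress.ip_address(rec["c-ip"]))   # validates the address
            counts[ip] += 1
    return counts


def assess(counts):
    """One IP across all runs suggests a stable egress address; several IPs mean a
    shared pool, so a single-address firewall rule would be brittle."""
    ips = sorted(counts)
    return ("stable" if len(ips) == 1 else "shared-pool"), ips


if __name__ == "__main__":
    verdict, ips = assess(probe_source_ips(SAMPLE_LOG))
    print(verdict, ips)
```

Trigger the pipeline several times over a day before drawing a conclusion; a single observation cannot distinguish a dedicated address from one member of a pool.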
Kristian Rickardt commented
Besides ADF being a trusted service for AKV, a service tag so you can allow ADF to talk through an ASG.
Donavan Decot commented
Dmitri Gaikovoi commented
Please also add ADF to the list of “Trusted Azure service” for Azure Key Vault.
This is important to have secure communication between ADF and other Azure resources, would appreciate if we get sooner resolution.