Static IP ranges for Data Factory and add ADF to list of Trusted Azure Services
It is not currently possible to identify the IP Address of the DF, which you need for firewall rules, including Azure SQL Server firewall....
We want to share the great news that ADF has been added to the list of “Trusted Azure services” for Azure Key Vault and Azure Storage (blob & ADLS Gen2)! Now you can enable “Allow trusted Microsoft services” on AKV and Azure Storage for better network security, and your ADF pipelines will continue to run. There are two caveats to pay attention to: (1) in order for ADF to be considered one of the “Trusted Microsoft services”, you need to use MSI to authenticate to AKV or Azure Storage in the linked service definition, and (2) if you are running a Mapping Data Flow activity, “Trusted Azure service” is not supported for Data Flow just yet and we are working hard on it.
What is coming up? Here are the additional enhancements we are making for better network security:
- Static IP range for Azure Integration Runtime so that you can whitelist specific IP ranges for ADF as part of firewall rules. ETA is the next few months.
- Support service tag for ADF
We will provide an update as soon as these enhancements become available. Please stay tuned and thank you for using ADF!
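The two halves of caveat (1) above can be checked before deployment. This is an added example, not code from the thread or from the Data Factory product: it reads an ADF linked service definition (the documented JSON shape, with constructed account and vault names) and a resource's `networkAcls` block, and reports whether the pipeline will reach a locked-down Key Vault or Storage account through the trusted-services path.

```python
"""Added example (not from the Azure feedback thread): check whether an ADF linked
service meets the 'Trusted Azure service' precondition, i.e. it authenticates with
managed identity (MSI) rather than a key, SAS or connection string, and whether the
target's network ACLs actually enable the trusted-services bypass. Sample values
(account names, vault names) are constructed."""
import json

# Per resource type: the MSI-style endpoint property, and the secret-bearing properties
# whose presence means the linked service uses a key/SAS/connection string instead.
MSI_RULES = {
    "AzureBlobStorage": ("serviceEndpoint", {"connectionString", "sasUri", "accountKey"}),
    "AzureBlobFS": ("url", {"accountKey", "servicePrincipalKey", "servicePrincipalId"}),
    "AzureKeyVault": ("baseUrl", set()),
}

def uses_managed_identity(linked_service: dict) -> bool:
    """True only when the linked service authenticates via MSI (caveat 1)."""
    props = linked_service.get("properties", {})
    rule = MSI_RULES.get(props.get("type"))
    if rule is None:
        return False
    endpoint_key, secret_keys = rule
    tp = props.get("typeProperties", {})
    return endpoint_key in tp and not (secret_keys & tp.keys())

def trusted_bypass_enabled(network_acls: dict) -> bool:
    """True when the resource denies by default but lets trusted Microsoft services through."""
    bypass = {b.strip() for b in network_acls.get("bypass", "").split(",")}
    return network_acls.get("defaultAction") == "Deny" and "AzureServices" in bypass

def locked_down_and_reachable(linked_service: dict, network_acls: dict) -> bool:
    """Both halves are required: MSI on the ADF side and the bypass on the resource side."""
    return uses_managed_identity(linked_service) and trusted_bypass_enabled(network_acls)

# Constructed samples: key-based linked service (weak) versus MSI-based (corrected).
WEAK_LS = json.loads('''{"name": "BlobByKey", "properties": {"type": "AzureBlobStorage",
  "typeProperties": {"connectionString": "DefaultEndpointsProtocol=https;AccountName=contoso;AccountKey=<redacted>"}}}''')
MSI_LS = json.loads('''{"name": "BlobByMsi", "properties": {"type": "AzureBlobStorage",
  "typeProperties": {"serviceEndpoint": "https://contoso.blob.core.windows.net/"}}}''')
KV_LS = {"name": "Vault", "properties": {"type": "AzureKeyVault",
         "typeProperties": {"baseUrl": "https://contoso-kv.vault.azure.net/"}}}
# Storage / Key Vault networkAcls as they appear in an ARM template.
LOCKED_DOWN = {"defaultAction": "Deny", "bypass": "AzureServices"}
OPEN_TO_ALL = {"defaultAction": "Allow", "bypass": "None"}

if __name__ == "__main__":
    for name, ls in (("key-based", WEAK_LS), ("MSI-based", MSI_LS), ("key vault", KV_LS)):
        print(f"{name}: msi={uses_managed_identity(ls)} ok={locked_down_and_reachable(ls, LOCKED_DOWN)}")
```

A key-based linked service fails the check even with the bypass enabled, which is exactly the "Access Denied" a pipeline sees when the firewall is on but MSI is not used.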
Diego Oliveira Sanchez commented
Is there a timeline for implementing this feature? Do you anticipate it will be ready in a few weeks, a few months, or a few years? What is the order of magnitude here?
Is there any kind of update on this? This has been outstanding for some time and has considerable support. This seems like it should be a relatively straightforward one for Microsoft to address and promote the use of the enterprise services you offer - it should be a win-win all around?
Like many others here, this is holding up our deployment.
Hi Azure team,
We delayed the product launch due to this limitation in Azure (i.e. unable to whitelist a specific IP list).
Hope the specific IP list for ADF is being resolved.
Awaiting confirmation on the fix.
Thanks in advance.
Rahul M commented
Hello, I am trying to connect ADF V2 to Azure Storage, but I am getting an Access Denied message, even though I have enabled the option "Allow Trusted Azure Services....". Is there any workaround apart from a VM or Self-Hosted IR?
Samuel Li commented
Any progress on this?
We are flowing logs to Splunk, and have to open the port to all; we already observed some logs from shodan.io.
We need to whitelist the ADF service IP address as soon as possible.
Paul Douglas commented
Any progress updates / timelines? We have an ADF solution we need to deploy but due to this issue we cannot proceed.
Any rough timelines?
Guru Prasad P commented
Please add the firewall and Virtual Network feature to the Data Factory, as this might become a big security breach if we allow all IPs from the Azure data center for the Azure services to integrate with it.
This is definitely a minimum requirement from my perspective and I can't believe it is the third most popular idea and it seems it hasn't even been reviewed yet. We can't possibly go into production by opening up our key vault and blob storage to the whole of a data centre where the ADF service resides. We have even had issues with this approach where our data factory was created in Southeast Asia and it was running on IP addresses in an Australian data centre. How about service endpoints for ADF?
Joe McGlynn commented
Folks, 2 years and no comment?
We'd love to move production, but Security won't even engage.
Need a timeline to give them or we look at another solution.
I need to whitelist the DF public IP for Hive access.....
Ankit Sharma commented
Please add a feature for accessing Key Vault from ADF without whitelisting.
Reddy Sucharit commented
For a large enterprise customer that wants to use Azure Data Factory, would it make sense to have a "Dedicated" ADF instance? Like a Dedicated Event Hub? My client is requesting the ability to restrict access to their ADF endpoint using private VNet integration and firewall rules, and these capabilities currently don't seem to exist. I am directing them to use some control via RBAC, but this may not be enough given they can host an ADF Integration Server in their secure network and that opens up access to their data via the ADF pipeline. There is most certainly a need to restrict "network level" access to the ADF endpoints for enterprises. Thank you Azure team for considering this feature.
Please provide a method of restricting access to and from ADF by IP whitelisting.
This feature request is almost 18 months old at this stage.
Torben Knerr commented
OMG, yes. If not providing a whitelistable IP address, please provide support for VNet integration or service endpoint integration for Data Factory (with the Azure-hosted integration runtime for sure)!
This is sad. How can Microsoft say they are serious about security if I can't even whitelist the service trying to connect to my production DB? Should I just open access to the world? Please tell me I'm missing something.
Simon D'Morias commented
It would be really nice to see some feedback on this from Microsoft. Ideally "Working on it"; if not, then some guidance other than installing an IR on a VM, which is a nonsense solution.
Come on Microsoft, please fix this. It is a security flaw to whitelist all of Azure services. It is a showstopper for us at the moment.
This gets 3 votes. Incredible that Microsoft still can't provide a proper way to whitelist ADF in Azure SQL DB without opening up to all Azure services.
Effectively we would have to allow IPs access to the Data Lake or storage account to make Data Factory. Microsoft please address this. Thank you.