Static IP ranges for Data Factory and add ADF to list of Trusted Azure Services
It is not currently possible to identify the IP Address of the DF, which you need for firewall rules, including Azure SQL Server firewall....
Great news – static IP range for Azure Integration Runtime is now available in all ADF regions! You can whitelist specific IP ranges for ADF as part of firewall rules. The IPs are documented here: https://docs.microsoft.com/en-us/azure/data-factory/azure-integration-runtime-ip-addresses#azure-integration-runtime-ip-addresses-specific-regions. Static IP ranges for gov cloud and China cloud will be published soon!
Please refer to this blog post on how you can use various mechanisms including trusted Azure service and static IP to secure data access through ADF:
Service tag support will be made available in next few weeks. Please stay tuned!
If your network security requirement calls for ADF support for VNet and cannot be met using Trusted Azure service (released in Oct 2019), static IP range (released in Jan 2020), or service tag (upcoming), please vote for VNet feature here: https://feedback.azure.com/forums/270578-data-factory/suggestions/37105363-data-factory-should-be-able-to-use-vnet-without-re
FRANK GAROFALO commented
Is there any update on support service tag ADF? My Government customers want to use ADF to access things like Oracle or SQL Server hosted on IaaS boxes but need to limit what ports are open and what can route to those ports via NSGs. Since ADF does not have a service support tag in avaiable to us in an NSG, nor is there a published list for ip addresses for ADF in Azure Gov they will not create NSG rules wide open to allow the correct port routing required to access DB's on IaaS that have vNet's.
Any ETA on when ADF will be listed as a trusted service for Azure Cosmos DB? I plan to use network restriction with my CosmosDB account, but cannot set up ADF now (for backups) because it isn't considered a trusted service.
When ADF will be available as “Trusted Azure service” for Azure database for MYSQL ?
Andrew Fryer commented
my team @greg oliver has a script to do this and then update an NSG so ADF inour case can reach inot an AKS cluster and call a function. We just need the cusomters permission to do tis but liitle r me if you need this now (email@example.com) Note we didn't use the static runtime fo rthis as it was expensive and also we'd love to have done this in an az cli script but no supprot for bash or powershell yet in ADFv2
Rob Durrant commented
What is the latest on this?
NAGATA Ryoma(永田 亮磨) commented
> ADF has been added to the list of “Trusted Azure service”
Mehmet Bakkaloglu commented
What is the expected time?
Need this now please
Is there an update on when this will be implemented?
Emmanuel Auffray commented
Same for CosmosDB as ADF is a recommended backup option and this becomes an issue if the CosmosDB is network restricted.
Donavan Decot commented
any updates on this?
Bets Tadesse commented
If you have Azure App/Web Service running on your portal there is a way to trace all IP addressing landing at your web page/app. Same way to trace ADF IP - if you send a GET request from Azure Data Factory (using Azure Web Activity) to your website you will be able to read from what Public IP azure data factory is coming from.
To do this -
1. Create Azure App Service on the portal ( almost any spec will do for now).
2. Go to your Azure App Service and look for Diagnostic Log or App Logging Settings then enable that. Now go to the Logs view. At this point, you will be able to pick up the public IP address of anyone requesting your page.
3. Go to Azure Data factory use the Web Activity and type your web app/site address under the setting. Change the Web Activity request type to GET. Then Publish the pipeline and trigger the Activity.
4. if you go to the Logs view window of the App Service, you should see the IP of the ADF from which the GET request was sent.
We need to make sure this is a Dedicated Public IP to our DFW vs a shared group of IPs the service can use. We can't whitelist ALL DFW IPs, it has to be exclusively our own DFW PIP.
Kristian Rickardt commented
BEsides ADF being a trusted service for AKV, a service tag so you can allow ADF to talk through a ASG
Donavan Decot commented
Dmitri Gaikovoi commented
Please also add ADF to the list of “Trusted Azure service” for Azure Key Vault.
This is important to have secure communication between ADF and other Azure resources, would appreciate if we get sooner resolution.
Ronny Hagen commented
Any information on ETA would be appreciated.
Ludovic Toinel commented
This feature is critical to adopt DataFactory.
Can you share a date of the availability of this feature ?
We have a similair problem with connecting from Analysis services to ADF. The IP changes very often and we need to change the IP's manually every time. It would be great if we can trust all azure services in the firewall of Analysis services, or just choose a static IP for ADF pipelines.