Static IP ranges for Data Factory and add ADF to list of Trusted Azure Services
It is not currently possible to identify the IP Address of the DF, which you need for firewall rules, including Azure SQL Server firewall....
Great news – static IP range for Azure Integration Runtime is now available in all ADF regions! You can whitelist specific IP ranges for ADF as part of firewall rules. The IPs are documented here: https://docs.microsoft.com/en-us/azure/data-factory/azure-integration-runtime-ip-addresses#azure-integration-runtime-ip-addresses-specific-regions. Static IP ranges for gov cloud and China cloud will be published soon!
Please refer to this blog post on how you can use various mechanisms including trusted Azure service and static IP to secure data access through ADF:
Service tag support will be made available in the next few weeks. Please stay tuned!
If your network security requirement calls for ADF support for VNet and cannot be met using Trusted Azure service (released in Oct 2019), static IP range (released in Jan 2020), or service tag (upcoming), please vote for VNet feature here: https://feedback.azure.com/forums/270578-data-factory/suggestions/37105363-data-factory-should-be-able-to-use-vnet-without-re
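An added example, not from the original thread or from Microsoft: a Python audit of an Azure SQL firewall rule list that flags the "Allow Azure services" rule (stored as 0.0.0.0 to 0.0.0.0) and any range not fully covered by the approved ADF integration runtime ranges. The approved ranges and the sample rules are constructed placeholders in documentation address space, and the field names are assumed to match `az sql server firewall-rule list` output.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation space). Replace with the
# ranges Microsoft publishes for the region of your Azure integration runtime.
APPROVED_ADF_RANGES = [
    ipaddress.ip_network("203.0.113.0/25"),
    ipaddress.ip_network("198.51.100.64/26"),
]

# Constructed sample, shaped like `az sql server firewall-rule list` output.
SAMPLE_RULES = [
    {"name": "AllowAllWindowsAzureIps",
     "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "adf-ir-a",
     "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.127"},
    {"name": "legacy-wide",
     "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
    {"name": "adf-ir-overrun",
     "startIpAddress": "203.0.113.120", "endIpAddress": "203.0.113.130"},
]


def audit_rules(rules, approved=APPROVED_ADF_RANGES):
    """Return {rule name: (verdict, [CIDR blocks outside the approved ranges])}."""
    report = {}
    for rule in rules:
        start = ipaddress.ip_address(rule["startIpAddress"])
        end = ipaddress.ip_address(rule["endIpAddress"])
        # 0.0.0.0-0.0.0.0 is how "Allow Azure services" is stored: it admits
        # connections from any Azure subscription, not only your data factory.
        if int(start) == 0 and int(end) == 0:
            report[rule["name"]] = ("allow-all-azure", [])
            continue
        if end < start:
            report[rule["name"]] = ("invalid-range", [])
            continue
        # Break the start-end range into CIDR blocks and keep those that no
        # approved network fully contains.
        blocks = ipaddress.summarize_address_range(start, end)
        uncovered = [str(b) for b in blocks
                     if not any(b.subnet_of(net) for net in approved)]
        report[rule["name"]] = ("outside-approved" if uncovered else "ok", uncovered)
    return report


if __name__ == "__main__":
    for name, (verdict, uncovered) in audit_rules(SAMPLE_RULES).items():
        print(f"{name:24} {verdict:18} {', '.join(uncovered)}")
```
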
Is there any kind of update on this? This has been outstanding for some time and has considerable support. This seems like it should be a relatively straightforward one for Microsoft to address and promote the use of the enterprise services you offer - it should be a win-win all around?
Like many others here, this is holding up our deployment.
Hi Azure team,
Delayed the product launch due to this limitation in Azure (i.e. unable to whitelist specific IP list).
Hope the specific IP list for ADF is being resolved.
Awaiting confirmation on the fix.
Thanks in advance.
Rahul M commented
Hello, I am trying to connect ADFV2 to Azure Storage, but getting message as Access Denied, even though I have enabled option "Allow Trusted Azure Services....". Is there any workaround apart from VM or Self Hosted IR?
Samuel Li commented
Any progress on this?
We are flowing logs to Splunk, and have to open the port to all; we already observed some logs from shodan.io.
We need to whitelist the ADF service IP address as soon as possible.
Paul Douglas commented
Any progress updates / timelines? We have an ADF solution we need to deploy but due to this issue we cannot proceed.
Any rough timelines?
Guru Prasad P commented
Please add the firewall and Virtual network feature to the Data Factory as this might become a big security breach if we allow all IPs from the Azure Data Center for the Azure services to integrate with it.
This is definitely a minimum requirement from my perspective and I can't believe it is the third most popular idea and it seems it hasn't even been reviewed yet. We can't possibly go into production by opening up our key vault and blob storage to the whole of a data centre where the ADF service resides. We have even had issues with this approach where our data factory was created in Southeast Asia and it was running on IP addresses in an Australian data centre. How about service endpoints for ADF?
Joe McGlynn commented
Folks, 2 years and no comment?
We'd love to move production, but Security won't even engage.
Need a timeline to give them or we look at another solution.
Freddy Setiawan commented
I need to whitelist DF public IP for Hive access.....
Ankit Sharma commented
Please add feature for accessing Key Vault from ADF without whitelisting.
Reddy Sucharit commented
For a Large Enterprise Customer that wants to use Azure Data Factory, would it make sense to have a "Dedicated" ADF instance? Like a Dedicated Event Hub? My Client is requesting the ability to restrict access to their ADF endpoint using Private Vnet Integration and Firewall rules and these capabilities currently don't seem to exist. I am directing them to use some control via RBAC but this may not be enough given they can host an ADF Integration Server in their Secure Network and that Opens up access to their Data via the ADF Pipeline. There is most certainly a need to restrict "Network Level" access to the ADF endpoints for Enterprises. Thank you Azure Team for considering this feature.
Please provide a method of restricting access to and from ADF by IP whitelisting.
This feature request is almost 18 months old at this stage.
Torben Knerr commented
OMG, yes. If not providing a whitelistable IP address, please provide support for vNet integration or service endpoint integration for Data Factory (with Azure-hosted integration runtime for sure)!
This is sad. How can Microsoft say they are serious about security if I can't even whitelist the service trying to connect to my production DB? Should I just open access to the world? Please tell me I'm missing something.
Simon D'Morias commented
It would be really nice to see some feedback on this from Microsoft. Ideally "Working on it" - if not then some guidance other than install an IR on a VM which is a nonsense solution.
Come on Microsoft, please fix this. It is a security flaw to whitelist all of Azure services. It is a showstopper for us at the moment.
This gets 3 votes. Incredible that Microsoft still can't provide a proper way to whitelist ADF in the Azure SQL DB without opening up to all Azure services.
Effectively we would have to allow IPs access to the Data Lake or storage account to make Data Factory. Microsoft please address this. Thank you.
Hard to believe the ADF cannot dip directly into Azure VNETs or have a single source IP. What good is it if you have to Integration Services everywhere?