Static IP ranges for Data Factory and add ADF to list of Trusted Azure Services
It is not currently possible to identify the IP Address of the DF, which you need for firewall rules, including Azure SQL Server firewall....
We want to share the great news that ADF has been added to the list of “Trusted Azure service” for Azure Key Vault and Azure Storage (blob & ADLS Gen2)!! Now you can enable “Allow trusted Microsoft services” on AKV and Azure Storage for better network security, and your ADF pipelines will continue to run. There are two caveats to pay attention to: (1) In order for ADF to be considered as one of the “Trusted Microsoft services” you need to use MSI to authenticate to AKV or Azure Storage in the linked service definition, and (2) If you are running Mapping Data Flow activity – “Trusted Azure service” is not supported for Data Flow just yet and we are working hard on it.
What is coming up? Here are the additional enhancements we are making for better network security:
- Static IP range for Azure Integration Runtime so that you can whitelist specific IP ranges for ADF as part of firewall rules. ETA is next few months.
- Support service tag for ADF
We will provide an update as soon as these enhancements become available. Please stay tuned and thank you for using ADF!
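The first caveat in the response above means a linked service only benefits from the "Allow trusted Microsoft services" bypass if it authenticates with the factory's managed identity rather than a stored secret. The following audit script is an added example, not code from the thread or from the ADF product: it scans linked-service definitions exported from a factory and flags the Key Vault, Blob and ADLS Gen2 ones that still carry a key, connection string, SAS or service-principal secret. The `typeProperties` names and the constructed sample definitions are assumptions based on the ADF linked-service JSON format.

```python
import json

# Linked-service types the post says are covered by the trusted-services bypass:
# Key Vault, Blob Storage (AzureBlobStorage) and ADLS Gen2 (AzureBlobFS).
TRUSTED_TYPES = {"AzureKeyVault", "AzureBlobStorage", "AzureBlobFS"}

# typeProperties keys that indicate secret-based auth instead of MSI
# (property names assumed from ADF linked-service JSON).
SECRET_KEYS = {"connectionString", "accountKey", "sasUri",
               "servicePrincipalId", "servicePrincipalKey"}


def audit_linked_service(ls: dict) -> dict:
    """Classify one linked service: ok (MSI, covered), needs-msi, or not-covered."""
    props = ls.get("properties", {})
    ls_type = props.get("type")
    type_props = props.get("typeProperties", {})
    secrets = sorted(k for k in SECRET_KEYS if k in type_props)
    if ls_type not in TRUSTED_TYPES:
        verdict = "not-covered"   # bypass does not apply to this service type
    elif secrets:
        verdict = "needs-msi"     # covered type, but a secret is in use
    else:
        verdict = "ok"            # covered type, no secret -> managed identity
    return {"name": ls.get("name"), "type": ls_type,
            "verdict": verdict, "secrets": secrets}


def audit_factory(linked_services: list) -> list:
    """Audit every exported linked-service definition."""
    return [audit_linked_service(ls) for ls in linked_services]


# Constructed sample definitions (not from any real factory).
SAMPLE = [
    {"name": "kv", "properties": {"type": "AzureKeyVault",
        "typeProperties": {"baseUrl": "https://example-kv.vault.azure.net/"}}},
    {"name": "blob_msi", "properties": {"type": "AzureBlobStorage",
        "typeProperties": {"serviceEndpoint": "https://examplesa.blob.core.windows.net/",
                           "accountKind": "StorageV2"}}},
    {"name": "blob_key", "properties": {"type": "AzureBlobStorage",
        "typeProperties": {"connectionString": {"type": "SecureString", "value": "<redacted>"}}}},
    {"name": "sql", "properties": {"type": "AzureSqlDatabase",
        "typeProperties": {"connectionString": {"type": "SecureString", "value": "<redacted>"}}}},
]

if __name__ == "__main__":
    for result in audit_factory(SAMPLE):
        print(json.dumps(result))
```

Definitions with verdict `needs-msi` will keep failing once the storage or vault firewall is set to deny by default, even with trusted services allowed, until they are switched to managed-identity authentication.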
Andy Ball commented
Would like this to . We have an INFOSec requirement to limit access to HDInsight using on-prem addresses only, i.e. block access to people outside the company. If we do this via an NSG, it breaks Data Factory connectivity to HDInsight, which is used to run a Python script as part of the transform.
So at present the only way I can see to fix this is to change the NSG to allow traffic on port 443 to the whole Azure IP range, which is very open and has to be checked / refreshed weekly.
Reuben Cabrera (GMO) commented
Our use case: External data providers whitelist our IPs for SFTP access. We would like to use Data Factory to ingest data from our external data providers.
Yasotha Sivanandham commented
This is required to add in firewall rules. Especially we need to whitelist the ADF IP in our SFTP
Christo Kaipullikuzhi Joseph commented
We need a feature to configure static IP for Azure Data Factory so that it can be added to SQL server Firewall settings
+1 for us as well. We need this feature or at least a tag in SQL Database/ ADLS where we can identify "Allow our subscription services" or better yet where you can specify allowing specific instances of ADF.
Others may not be aware that when you enable Azure services in your SQL Database firewall, you open up your server to connection from anyone's VM anywhere in Azure. This is a significant risk for us.
Remus Vlasie commented
Having services rely only on user/password protection is not good enough. Still, having open access to Azure services that you own might moderate the risk. But having all the Azure services able to access your service is not acceptable.
Josh Noe commented
In addition to the obvious fact that nobody is going to want to open their DBs to all of Azure, this restriction means that non-Azure DBs can't be used as data sources. Without an IP, I cannot open the firewalls on these external DBs to my Data Factory.
Mike Webber commented
It's not reasonable to expect enterprises who are trying to secure their data in an Azure SQL Database to open the firewall to allow all of Azure to connect. Until this feature is available, Data Factory is not a viable option.