Static IP ranges for Data Factory and add ADF to list of Trusted Azure Services
It is not currently possible to identify the IP Address of the DF, which you need for firewall rules, including Azure SQL Server firewall....
Great news – static IP range for Azure Integration Runtime is now available in all ADF regions! You can whitelist specific IP ranges for ADF as part of firewall rules. The IPs are documented here: https://docs.microsoft.com/en-us/azure/data-factory/azure-integration-runtime-ip-addresses#azure-integration-runtime-ip-addresses-specific-regions. Static IP ranges for gov cloud and China cloud will be published soon!
Please refer to this blog post on how you can use various mechanisms including trusted Azure service and static IP to secure data access through ADF:
Service tag support will be made available in next few weeks. Please stay tuned!
If your network security requirement calls for ADF support for VNet and cannot be met using Trusted Azure service (released in Oct 2019), static IP range (released in Jan 2020), or service tag (upcoming), please vote for VNet feature here: https://feedback.azure.com/forums/270578-data-factory/suggestions/37105363-data-factory-should-be-able-to-use-vnet-without-re
Pavel Leonau commented
Would be great to have an opportunity to get the IP address of a Data Factory service (or the white list if available) in order to use the process on production server.
Paul Pavlinovich commented
I'm amazed you cannot do this now?!? Back to Informatica I guess.
Andy Ball commented
Would like this to . We have a INFOSec requirement to limit access to HDInsight using on Prem Addresses only - ie block access to people outside the company. If we do this via a NSG , it breaks Data Factory connecvity to HDInsight which is used to run a python script as part of transform .
So at present the only way I can see to fix this , is to change the NSG to allow traffic on Port 443 to the whole Azure IP range which is very open / and has to be checked / refreshed weekly.
Reuben Cabrera (GMO) commented
Our use case: External data providers whitelist our IPs for SFTP access. We would like to use Data Factory to ingest data from our external data providers.
Yasotha Sivanandham commented
This is required to add in firewall rules. Especially we need to whitelist the ADF IP in our SFTP
Christo Kaipullikuzhi Joseph commented
We need a feature to configure static IP for Azure Data Factory so that it can be added to SQL server Firewall settings
+1 for us as well. We need this feature or at least a tag in SQL Database/ ADLS where we can identify "Allow our subscription services" or better yet where you can specify allowing specific instances of ADF.
Others may not be aware that when you enable Azure services in your SQL Database firewall, you open up your server to connection from anyone's VM anywhere in Azure. This is a significant risk for us.
Remus Vlasie commented
Having services to rely only on user/password protection is not good enough. Still having open access to Azure services that you own might moderate the risk. But having All the Azure services able to access your service is not acceptable.
Josh Noe commented
In addition to the obvious fact that nobody is going to want to open their DBs to all of Azure, this restriction means that non-Azure DBs can't be used as data sources. Without an IP, I cannot open the firewalls on these external DBs to my Data Factory.
Mike Webber commented
It's not reasonable to expect enterprises who are trying to secure their data in an Azure SQL Database to open the firewall to allow all of Azure to connect. Until this feature is available, Data Factory is not a viable option.