Static IP ranges for Data Factory and add ADF to list of Trusted Azure Services
It is not currently possible to identify the IP Address of the DF, which you need for firewall rules, including Azure SQL Server firewall....
We want to share the great news that ADF has been added to the list of “Trusted Azure service” for Azure Key Vault and Azure Storage (blob & ADLS Gen2)!! Now you can enable “Allow trusted Microsoft services” on AKV and Azure Storage for better network security, and your ADF pipelines will continue to run. There are two caveats to pay attention to: (1) In order for ADF to be considered as one of the “Trusted Microsoft services” you need to use MSI to authenticate to AKV or Azure Storage in the linked service definition, and (2) If you are running Mapping Data Flow activity – “Trusted Azure service” is not supported for Data Flow just yet and we are working hard on it.
What is coming up? Here are the additional enhancements we are making for better network security:
- Static IP range for Azure Integration Runtime so that you can whitelist specific IP ranges for ADF as part of firewall rules. ETA is next few months.
- Support service tag for ADF
We will provide an update as soon as these enhancements become available. Please stay tuned and thank you for using ADF!
When will ADF be available as “Trusted Azure service” for Azure Database for MySQL?
My team @greg oliver has a script to do this and then update an NSG so ADF in our case can reach into an AKS cluster and call a function. We just need the customer's permission to do this but little r me if you need this now (email@example.com). Note we didn't use the static runtime for this as it was expensive and also we'd love to have done this in an az cli script but no support for bash or powershell yet in ADFv2
Rob Durrant commented
What is the latest on this?
NAGATA Ryoma(永田 亮磨) commented
> ADF has been added to the list of “Trusted Azure service”
Mehmet Bakkaloglu commented
What is the expected time?
Need this now please
Is there an update on when this will be implemented?
Emmanuel Auffray commented
Same for CosmosDB as ADF is a recommended backup option and this becomes an issue if the CosmosDB is network restricted.
Donavan Decot commented
any updates on this?
Bets Tadesse commented
If you have Azure App/Web Service running on your portal there is a way to trace all IP addresses landing at your web page/app. Same way to trace ADF IP - if you send a GET request from Azure Data Factory (using Azure Web Activity) to your website you will be able to read from what Public IP azure data factory is coming from.
To do this -
1. Create Azure App Service on the portal (almost any spec will do for now).
2. Go to your Azure App Service and look for Diagnostic Log or App Logging Settings then enable that. Now go to the Logs view. At this point, you will be able to pick up the public IP address of anyone requesting your page.
3. Go to Azure Data Factory, use the Web Activity and type your web app/site address under the setting. Change the Web Activity request type to GET. Then Publish the pipeline and trigger the Activity.
4. If you go to the Logs view window of the App Service, you should see the IP of the ADF from which the GET request was sent.
We need to make sure this is a Dedicated Public IP to our DFW vs a shared group of IPs the service can use. We can't whitelist ALL DFW IPs, it has to be exclusively our own DFW PIP.
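An added example, not part of any comment in this thread: it reads the App Service web server log produced by the tracing steps above and reports which source IPs seen on the probe requests fall outside the ranges a firewall currently allows, which is the check that shows whether one observed address is enough. It assumes the log is in W3C extended format with a `#Fields:` header; the `/adf-probe` path, the log lines and the CIDR ranges are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample log (documentation IP ranges, hypothetical probe path).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-01-10 09:00:01 PROBEAPP GET /adf-probe run=1 443 - 203.0.113.10 - 200
2020-01-10 09:05:02 PROBEAPP GET /adf-probe run=2 443 - 203.0.113.10 - 200
2020-01-11 09:00:03 PROBEAPP GET /adf-probe run=3 443 - 203.0.113.77 - 200
2020-01-11 09:01:00 PROBEAPP GET /favicon.ico - 443 - 198.51.100.5 Mozilla/5.0 404
2020-01-12 09:00:04 PROBEAPP GET /adf-probe run=4 443 - 198.51.100.23 - 200
"""


def probe_source_ips(log_text, probe_path):
    """Count GET requests per client IP for probe_path, using the #Fields header."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") != "GET" or row.get("cs-uri-stem") != probe_path:
            continue  # unrelated traffic, e.g. browsers hitting the site
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # malformed or missing client IP
        hits[str(ip)] += 1
    return hits


def uncovered_ips(observed, allowed_cidrs):
    """Return observed IPs that no allowed CIDR range contains, sorted."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    missing = [ipaddress.ip_address(ip) for ip in observed
               if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return [str(ip) for ip in sorted(missing)]


if __name__ == "__main__":
    seen = probe_source_ips(SAMPLE_LOG, "/adf-probe")
    print("source IPs on probe requests:", dict(seen))
    # Allowing only the first address observed leaves later runs blocked.
    print("not covered by 203.0.113.10/32:", uncovered_ips(seen, ["203.0.113.10/32"]))
```

Running it over logs collected across several days of pipeline runs shows whether the source address is stable before a single-IP firewall rule is relied on.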
Kristian Rickardt commented
Besides ADF being a trusted service for AKV, a service tag so you can allow ADF to talk through an ASG
Donavan Decot commented
Dmitri Gaikovoi commented
Please also add ADF to the list of “Trusted Azure service” for Azure Key Vault.
This is important to have secure communication between ADF and other Azure resources, would appreciate if we get sooner resolution.
Ronny Hagen commented
Any information on ETA would be appreciated.
Ludovic Toinel commented
This feature is critical to adopt DataFactory.
Can you share a date of the availability of this feature?
We have a similar problem with connecting from Analysis services to ADF. The IP changes very often and we need to change the IPs manually every time. It would be great if we can trust all azure services in the firewall of Analysis services, or just choose a static IP for ADF pipelines.
Eric Aurik commented
Is there any update on progress?
Thomas Boge commented
Are we there yet?