Whitelist all Microsoft services in Storage account Firewall

Whitelist all Microsoft services including Azure Data Factory when the "Firewall and Virtual Network" option is enabled on Storage account and "Allow trusted Microsoft services to access this storage account" option is selected.

A similar option is already available on Azure Data Lake Store, where we can access Data Lake from Data Factory pipelines after the firewall option is enabled.

53 votes
    Vivek shared this idea

    8 comments

      • Anonymous commented

        Some news? Will Azure Cognitive Services indexers crawl firewalled storage accounts?

      • Anonymous commented

        Any update on the future state of being able to whitelist other Microsoft services?

      • Anonymous commented

        We need to add SQL DB auditing to access to the Blob storage account when the "Allow trusted Microsoft services to access this storage account" option is selected.

      • Blaine commented

        In my particular case, I'd like to have my Azure Automation Runbooks be able to access an Azure storage account that is firewalled.

      • Benjamin Cohen commented

        I am having trouble allowing my Web App Services to access my storage account for backups and web jobs when they are inside the same virtual network and the storage account does not allow connections from all IPs on the internet.

      • Adrian Walker commented

        Agreed. Another half-a-job implementation. The "Allow trusted Microsoft services to access this storage account" option is worthless. It also affects AzureRM.Automation. New-AzureRmAutomationModule doesn't work when the SA firewall is enabled.

        https://github.com/Azure/azure-powershell/issues/5885

        I thought about adding the published Azure DataCenter IP addresses to the firewall. I added all UK South and UK South 2 IP ranges, no luck.

        In creating the GitHub issue, the debug output seems to suggest the automation account is actually in West Europe. I started adding the West Europe IP ranges, before hitting a limit on the maximum number of IP addresses / ranges that can be entered.

        @Microsoft, if you can't give us more information on what IP ranges do what, then allow us to add more ranges. Whilst you're about it, I suggest you add a separate blade for the IP range list, as it's going to get very long and ugly.

        @Microsoft moderator: If you move this suggestion, would you kindly let us know where you move it to.

      • Peder Thode commented

        Agreed that all MS services should be allowed. I am currently having compliance issues with my firewalled file shares since they can't be backed up. So I might have to remove security to be able to back up my files.
