phetzel1
Frequent Visitor

Need clarity around how to connect to Azure Storage through a firewall

There are numerous posts on this forum about how to connect to Azure Storage when there is a firewall present. Here are some examples:

In all cases, a Microsoft representative recommends to "whitelist the IP address of the Power BI Service." This is not a reasonable answer. For one, the link being referenced is being deprecated in a couple of months (June 2020). Second of all, the referenced list of IPs is at the data center level, and accounts for thousands of IP blocks. An Azure Storage account can only support 100 IP rules in a firewall.

 

Either I am completely missing something, which is certainly possible, or this is a gap in Power BI Service. If I am not missing something: what is the correct way to use the Power BI Service with a secured Azure Storage account?

 

1 ACCEPTED SOLUTION

@v-kelly-msft ,

 

Once again, having to configure 300 rules is a non-starter because Azure Storage only accepts 100 IP ranges on a whitelist.

 

To close the loop on this, we have resorted to using an On Premise Data Gateway, which connects to Storage through the new Private Link service. It would be very helpful for the Power BI Service team to prioritize making Power BI Service a member of "Trusted Microsoft Azure services" so that this workaround is not necessary. Having to add an On Premise Data Gateway introduces a server into an otherwise serverless architecture. This server is one of the most expensive components of our solution and adds little value.

Greg_Deckler
Super User IV

I don't believe you have to list each IP address individually, you can do ranges.




Yes, this is correct. The IPs are presented as CIDR blocks in the referenced file and there are about 3000 of them in total and in some situations over 100 in a datacenter.

Hi @phetzel1

 

Try the reference below:

 

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

 

Best Regards,
Kelly

I have read through this documentation many times. 

  • VNET peering - Not applicable. Power BI Service not inside a VNET
  • Private Endpoints - Not applicable. Power BI Service not inside a VNET
  • Storage Firewall IP range exceptions - Not possible. There can be more than 100 IP ranges in a given datacenter (such as East 2)
  • VNET/Subnet Firewall exceptions - Not applicable. Power BI Service not inside a VNET
  • Allow Trusted Microsoft Services - To my knowledge, this does not cover Power BI Service

What is Microsoft's guidance when accessing a locked down Storage environment in Azure via Power BI? Is it an on-premise data gateway?

Hi @phetzel1 ,

 

This file will be deprecated by June 30, 2020. Please start using the JSON files listed below. IP Ranges for each cloud, broken down by region and by the tagged services in that cloud are now available on MS Download:
 
These JSON files are updated weekly and include versioning both for the full file and each individual service tag in that file.
 
Choose service bus: 5993 - 6132
 

Best Regards,
Kelly


I feel like this is on the right track but unfortunately the list that you've referenced has greater than 100 IP address ranges for Service Bus. Azure Storage is only able to contain up to 100 IP address range exceptions. This is not a workable solution because we would have to leave out about 30 of the listed IP address ranges, not to mention we would not have any room to whitelist our analysts who want to connect to Azure Storage via Power BI Desktop. 

 

What is the Microsoft recommended approach to view data in a secured Azure Storage account through the Power BI Service?
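Added example, not part of the original thread: a way to check whether one service tag's ranges can fit under the 100-rule limit discussed above, after merging adjacent CIDR blocks and reserving slots for analyst desktops. The data is constructed; the file shape (`values[].name`, `properties.addressPrefixes`), the IPv4-only filter and the function names are assumptions.

```python
import ipaddress

RULE_LIMIT = 100  # per-account IP rule limit quoted in this thread


def build_sample():
    """Constructed data in the assumed shape of the weekly Service Tags JSON."""
    scattered = [f"198.18.{i}.0/25" for i in range(120)]  # no siblings, cannot merge
    adjacent = ["192.0.2.0/25", "192.0.2.128/25"]         # merge into one /24
    return {
        "changeNumber": 1,
        "cloud": "Public",
        "values": [
            {"name": "ServiceBus.EastUS2",
             "properties": {"region": "eastus2",
                            "addressPrefixes": scattered + adjacent + ["2001:db8::/48"]}},
            {"name": "Example.Small",  # hypothetical tag, for the passing case
             "properties": {"region": "eastus2",
                            "addressPrefixes": adjacent + ["203.0.113.0/24"]}},
        ],
    }


def plan_rules(service_tags, tag_name, reserved=0, limit=RULE_LIMIT):
    """Return how many firewall rules a tag needs and whether they fit."""
    tag = next((v for v in service_tags["values"] if v["name"] == tag_name), None)
    if tag is None:
        raise KeyError(f"service tag not found: {tag_name}")
    nets = [ipaddress.ip_network(p, strict=False)
            for p in tag["properties"]["addressPrefixes"]]
    # Assumption: storage account IP rules take IPv4 ranges only.
    v4 = [n for n in nets if n.version == 4]
    # Merge adjacent or overlapping blocks so each rule covers as much as possible.
    merged = list(ipaddress.collapse_addresses(v4))
    budget = limit - reserved  # slots left after reserving analyst IPs
    return {"listed": len(nets), "ipv4": len(v4), "merged": len(merged),
            "budget": budget, "fits": len(merged) <= budget,
            "rules": [str(n) for n in merged]}


if __name__ == "__main__":
    sample = build_sample()
    for name in ("ServiceBus.EastUS2", "Example.Small"):
        r = plan_rules(sample, name, reserved=5)
        print(name, {k: r[k] for k in ("listed", "ipv4", "merged", "budget", "fits")})
```

Merging only helps when the published blocks are contiguous; where they are scattered, as in the first constructed tag, the count stays above the limit.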

Hi @phetzel1

 

See the details in the public document I shared with you. Find "ServiceBus.XXX"; it is separated by region, starting from about line 23000.

Annotation 2020-03-13 173509.png

 

 

Best Regards,
Kelly

Based on your reply, I:

  • Successfully created a dataset in Power BI Desktop based on data in ADLS Gen2
  • Pushed that dataset to the Power BI Service, which is on the same tenant as the Azure Storage account
  • Configured the Azure Storage firewall to include the IP address ranges for Service Bus in East US 2 and saved

 

When I attempted to create a refresh schedule for the dataset, based on both OAuth and Account Key authentication, I received this error message:

Annotation 2020-03-13 091259.png

 

I then temporarily turned the Storage firewall off and successfully gained access through Account Key authorization. This tells me that my authentication/authorization credentials are correct but I am still running into the same issue as before. I also added the IP Address ranges for Power Query Online in East US 2 without success. What is the Microsoft recommended approach to accessing a secured Storage account via Power BI Service?

Hi @phetzel1 ,

 

Refer to the IP list used by the service. Choose IP 33544-33873 in AzureCloud.eastus2, for which you only need to configure about 300 rules.

But if available, you'd better use a gateway, for which you only need to configure some firewall rules on the outbound port of the gateway machine, then configure the rules in ADLS2.

Here is the reference.

 

Best Regards,
Kelly