Lucian
Responsive Resident

What is the right method to allow Power BI service IPs through firewall?

Hello,

 

I need the "best practice" to allow Power BI service to access an OData connector for a database.

I saw a lot of topics recommending this link: [Deprecating] Microsoft Azure Datacenter IP Ranges, but as its title suggests it will be deprecated soon. Also, in that file there are way too many IPs to manage, even if I take into account only my Power BI service region, which is North Europe (Ireland).

 

The new way recommended by Microsoft in the above link is to use the JSON file from here: Azure IP Ranges and Service Tags – Public Cloud because there are some tags that should help.

 

But where could I find more information about these tags and which of them I should use for the Power BI service to properly allow access through the firewall, because using the IP from this tag only - PowerQueryOnline.NorthEurope - is not enough:

 

{
  "name": "PowerQueryOnline.NorthEurope",
  "id": "PowerQueryOnline.NorthEurope",
  "properties": {
    "changeNumber": 1,
    "region": "northeurope",
    "platform": "Azure",
    "systemService": "PowerQueryOnline",
    "addressPrefixes": [
      "20.38.80.70/31"
    ]
  }
}

 

Kind Regards,

Lucian

 

12 REPLIES 12
ganniaiuei
New Member

For everyone who still needs the "firewall whitelist approach" (e.g. in an NSG), there is a new service tag for this purpose: PowerBI. This service tag is not accessible through the portal, so you should use the PowerShell/az CLI command. Reference here: Azure service tags overview | Microsoft Docs

v-shex-msft
Community Support

Hi @Lucian,

The Power BI service uses Azure-related services to manage the REST API and backend processing; you can check the Azure datacenter IP range list at the following link to configure your firewall rules.

Azure IP Ranges and Service Tags – Public Cloud

If the above list is not suitable for your requirement, I'd like to suggest you take a look at the document below or try to contact the Azure/Power BI team for the full request list of IP ranges.

Power BI URLs for whitelisting 

Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accepting it as the solution to help other members find it more quickly.
GilbertQ
Super User

Hi there

When you say allow Power BI through the firewall, is this from your OData source to the Power BI Service?




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Lucian
Responsive Resident

Hi,

 

@GilbertQ: I want to refresh the data in the Power BI dataset, so the Power BI service should connect to the OData source, and I need to open the inbound traffic to the OData source only for the required IPs.

 

@v-shex-msft: Thank you for the links, but the Power BI URLs for whitelisting is not related to my problem (it is used for allowing a user inside an organization to access the Power BI service).

The other link, Azure IP Ranges and Service Tags – Public Cloud, I have already mentioned in my initial message, and the question here is: what are the specific TAGS/IDs/SystemServices related to the Power BI service or required by the Power BI service?

 

Kind Regards,

Lucian 

Hi there

What you could do is to install the Power BI Gateway on your internal network. This will allow Power BI to connect securely via the Gateway to your local OData source and then upload to the Power BI Service.

In doing it in this way it would mean you do not have to open any inbound traffic?





Lucian
Responsive Resident

Hello @GilbertQ ,

I think the Power BI Gateway would be the best option because this would give me access directly to the database. I don't know if I would be allowed to do that because I'm "forced" to use that OData connector.

In this case the OData connector will be bypassed or not needed anymore?

Kind Regards,

Lucian

Hi there

If you could access the database directly could you access it via SQL Server or Redshift or via ODBC?

If so you can then use the Gateway to get this working.





Lucian
Responsive Resident

Hi @GilbertQ ,

 

For the moment I have to use what is already setup - the OData connector is working limited by IPs.

So, if I do not find the IPs I have to use in the firewall to open the Power BI service path to my data, I will take into consideration your suggestion to use the Power BI Gateway, for which I have to gather more information and check with the NAV team to see if they will let me use it. 😉

 

Kind Regards,

Lucian

Hi there

No worries, in the previous posts they did give the details for the IP addresses?





Lucian
Responsive Resident

Hi @GilbertQ ,

 

Even if it is not the best choice I expected, I have marked your answer as a solution because installing a gateway could be helpful, but I want to avoid it for the moment.

Meanwhile, I have opened a ticket with Microsoft that I hope will help me identify, in the entire pool of 600 IPs for North Europe, just the ones required for the Power BI service. It seems "mission impossible"... but I never say never... 😉

 

Kind Regards,

Lucian

Thanks for letting everyone know, and I agree trying to manage 600 IP addresses would be quite tough to solve.

Best bet is to do it the other way, as suggested, because then you do not have to open any other IP addresses.





FYI, I'm struggling with the same issue, only being in a different region.

 

I whitelisted the PowerQueryOnline.WestEurope described in here. But when refreshing the dataset I am getting access denied due to firewall restrictions. Funny thing is, the IP address shown in the error message is neither included in the above service tag nor in any of the CIDR ranges in the document at all.

 

I have created a service request with our Premier support subscription, but that issue has been unresolved for a month now. Not happy, to be honest.

 

Using a data gateway is where we were coming from initially, using an on-prem database. To get rid of the gateway requirement, and to save costs, we migrated to Azure SQL Database, assuming it would make my life easier in that regard...

 

On Azure SQL server there is the option to allow Azure services through the firewall, which then would also remedy my Power BI firewall issue. But then I would open up the server to the whole of Azure public cloud, which obviously is not what I want.

 

Cheers
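
An added example, not code from any poster in this thread or from Microsoft: turning selected service tags into a short, collapsed allowlist, and checking which tags (if any) cover the address reported in a firewall denial. It assumes the downloaded Service Tags file keeps its entries in a top-level `values` array with the per-tag layout quoted in the first post; the sample data is constructed, and apart from the `20.38.80.70/31` prefix quoted above the addresses are documentation ranges.

```python
import ipaddress
import json

# Constructed sample in the layout of the Service Tags JSON file. Only the
# PowerQueryOnline.NorthEurope prefix comes from the thread; every other prefix
# is a documentation range (RFC 5737 / RFC 3849), not a real Azure address.
SAMPLE = json.loads("""{"values": [
  {"name": "PowerQueryOnline.NorthEurope",
   "properties": {"addressPrefixes": ["20.38.80.70/31"]}},
  {"name": "PowerBI",
   "properties": {"addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/48"]}},
  {"name": "AzureCloud.northeurope",
   "properties": {"addressPrefixes": ["192.0.2.0/24", "198.51.100.0/24"]}}
]}""")


def prefixes_for(doc, tag_names, version=4):
    """Return the collapsed CIDR list for the chosen tags (one IP version at a time)."""
    wanted = {n.lower() for n in tag_names}
    nets, found = [], set()
    for entry in doc["values"]:
        if entry["name"].lower() in wanted:
            found.add(entry["name"].lower())
            for p in entry["properties"]["addressPrefixes"]:
                net = ipaddress.ip_network(p, strict=False)
                if net.version == version:
                    nets.append(net)
    if wanted - found:  # fail loudly rather than build a rule set with a tag missing
        raise KeyError(f"tags not in file: {sorted(wanted - found)}")
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def tags_containing(doc, ip):
    """List every tag whose prefixes cover `ip`, e.g. the address from a denial message."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for entry in doc["values"]:
        for p in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(p, strict=False)
            if net.version == addr.version and addr in net:
                hits.append(entry["name"])
                break
    return hits
```

An empty result from `tags_containing` for a denied address means no tag in the loaded file covers it, which is the situation described in the last post; a hit only in a broad regional tag shows how much wider the rule would have to be to admit it.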
