Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.
Hello,
I need the "best practice" to allow Power BI service to access an OData connector for a database.
I saw a lot of topic recommending this link: [Deprecating] Microsoft Azure Datacenter IP Ranges but as its title suggest it will be deprecated soon. Also in that file there are way to many IPs to manage even if I take into account only my Power BI service region which is North Europe (Ireland).
The new way recommended by Microsoft in the above link is to use the JSON file from here: Azure IP Ranges and Service Tags – Public Cloud because there are some tags that should help.
But where I could find more information about these tags and which of them I shoud use for PowerBI service to properly allow access through firewall, because using the IP from this tag only - PowerQueryOnline.NorthEurope - is not enough:
{
"name": "PowerQueryOnline.NorthEurope",
"id": "PowerQueryOnline.NorthEurope",
"properties": {
"changeNumber": 1,
"region": "northeurope",
"platform": "Azure",
"systemService": "PowerQueryOnline",
"addressPrefixes": [
"20.38.80.70/31"
]
}
}
Kind Regards,
Lucian
Solved! Go to Solution.
For everyone who still need the "firewall whitelist approach" (e.g. in NSG) there is a new ServiceTag for this purpose: PowerBI. this service tag is not accessible through the portal, so you should use the powershell/az cli command. Reference here: Azure service tags overview | Microsoft Docs
HI @Lucian,
Power bi service uses azure related services to manage rest API and backend processing, you can check azure data center IP range list at the following link to configure your firewall rules.
Azure IP Ranges and Service Tags – Public Cloud
If above list not suitable for your requirement, I'd like to suggest you take a look at the below document or try to contact azure/power bi team for the full request list of IP ranges.
Power BI URLs for whitelisting
Regards,
Xiaoxin Sheng
Hi,
@GilbertQ: I want to refresh the data in the Power BI dataset, so the Power BI service should connect to the OData source, and I need to open the inbound traffic to the OData source only for the required IPs.
@v-shex-msft: Thank you for the links, but the Power BI URLs for whitelisting is not related to my problem (is used for allowing an user inside an organization to access the Power BI service).
The other link Azure IP Ranges and Service Tags – Public Cloud I have already mentioned in my initial message and the question here is: What are the specific TAGS/IDs/SystemServices related to the Power BI service or required by Power BI service.
Kind Regards,
Lucian
Hello @GilbertQ ,
I think the Power BI Gateway would be the best option because this would give me access directly to the database. I don't know I would be alowed to do that because I'm "forced" to use that OData connector.
In this case the OData connector will be bypassed or not needed anymore?
Kind Regards,
Lucian
Hi @GilbertQ ,
For the moment I have to use what is already setup - the OData connector is working limited by IPs.
So, if I will not find the IPs I have to use into the firewall to open the Power BI service path to my data, I will take into consideration your suggestion to use the Power BI Gateway for which I have to gather more information and check with the NAV team to see if they will let me use it. 😉
Kind Regards,
Lucian
Hi @GilbertQ ,
Even is not my best choice I expected, I have marked your answer as a solution because installing a gateway could be helpful but I want to avoid for the moment.
Meanwhile, I have opened a ticket to Microsoft that I hope to help me identify in the entire pool of 600 IPs for the North Europe just the ones required for the Power BI service. It seems "mission impossible"... but I never say never... 😉
Kind Regards,
Lucian
FYI, I'm struggling with the same issue, only being in a different region.
I whitelisted the PowerQueryOnline.WestEurope described in here. But when refreshing the dataset I am getting access denied due to firewall restrictions. Funny thing is, the IP address shown in the error message is neither included in the above service tag nor in any of the CIDR ranges in the document at all.
I have created a service request with our Premier support subscription, but that issue lies unresolved for a month now. Not happy to be honest.
Using a data gateway is where we were coming from initially, using an on-prem database. To get rid of the gateway requirement, and to save costs, we migrated to Azure Sql database; assuming it would make my life easier in that regard...
On Azure Sql server there is the option to allow Azure Services through the firewall, which then would also remedy my Power BI firewall issue. But then I would open-up the server to the whole of Azure public cloud, which obviously is not what I want.
Cheers
Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City
Check out the April 2024 Power BI update to learn about new features.