This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
I'm having a hard time refreshing cubes in Azure Analysis Services from an Azure Analytics pipeline.
We have the firewall enabled on AAS and supposedly all I would have to is whitelist the ip ranges for the services that need acces.I downloaded the ranges from here: https://www.microsoft.com/en-us/download/details.aspx?id=56519 (Azure IP Ranges and Service Tags – Public Cloud).
There are no specific ranges for synapse analytics, only for ADF. So I whitelisted those.
When Synapse executes the pipeline at night ( from a trigger ) the connection to AAS fails. When I execute the pipeline manually it works ( my IP is whitelisted also).
I also checked what the current ip of the service is on several occassions by creating a pipeline with an web activity calling https://ipinfo.io/ip. The ip-adress returned is never within the ranges supplied for ADF.
So... should I whitelist different ranges for Synapse Analytics ? Or are they the same as the ADF ranges ? Could not find an answer to that question yet.
And I'm looking into dynamically adding the service ip through scripting or rest api, but I would really like to see the basic whitelisting solution work first.
For dynamic ip whitelisting I have found:
https://microsoft-bitools.blogspot.com/2020/11/process-analysis-service-with-firewall.html
https://github.com/mathwro/Scripts/blob/master/Azure/AllowAzure-AnalysisServer.ps1
Basically the same solutions, one from pipeline and rest api and the other from powershell.
Has anybody encountered the same issue before ? What's the (best or any) solution ?
Any help would be greatly appreciated !
Kind regards,
Roel
We figured it out. Turns out that for one activity we accidentally used a self-hosted integration runtime instead of the auto resolve runtime. Now the ADF whitelisting works.
Or maybe not. When the pipeline that does the model refresh is triggered seperately it works fine. When it is called from the data load pipeline it does not
You can find the current list of IP addresses for Azure SQL/Synapse Analytics here: https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture#gateway-ip-addresses
Similarly, Synapse pipelines share many attributes with Data Factory pipelines, and the IP addresses should match. You can find those in the document you linked.
Keep in mind that this list doesn't change often, but it can change. Generally there will be an announcement ahead of time so you can update your firewalls
So white listing the IP range of the synapse region should resolve ideally
Hi Nandan. Thanks for the fast response.
Is there any situation or maybe configuration that could cause the actual ip addresses to differ from the documented ranges ?
Because I am definitely getting ip's outside of the provided ranges.
We get the following error:
Cannot connect to server 'XXXX'. Client with IP Address '<ip>20.xxx.xx.xx</ip>' is not allowed to access the server. To enable access, use the Firewall settings in Azure Management Portal.
The given IP address that is displayed is not in the ranges provided for ADF. When I do an Azure IP Lookup on that address I get
This output is the same for every blocked IP. No mention of DataFactory.
When I do an IP lookup for an IP in the provided ADF ranges I get
So I am still confused.
Is it possible that configuration has some impact on the IP's used ? Private endpoints, private
links.
Regards
Duplicate
Additional information: the ip which is reported as not having access to AAS is from an Microsoft datacenter in San Antonio ( our region is southcentralus )
We figured it out. Turns out that for one activity we accidentally used a self-hosted integration runtime instead of the auto resolve runtime. Now the ADF whitelisting works.