question

0 Votes
PitawatNantamanop-3754 asked RaunakJhawar-2600 answered

ADF Linked Service for Azure File Share can't access Storage Account that does not allow all networks

I'm setting up ADF Azure-SSIS runtime which runs SSIS package on Azure SQL Managed Instance. I'm trying to store SSIS package files on Azure File Share. I would not want to allow access to my Storage Account from all networks.

I came across this post that Managed Identity is a supported authentication method for Blob and Data Lake gen2. Many users have been commenting since 2019 that it still lacks support for Azure File Share.

When I set my storage account to allow connection from selected networks + allow trusted Azure services, the "Test Connection" feature will fail when creating ADF Linked Service for Azure File Storage saying "This request is not authorized to perform this operation (ErrorCode 403)". If I set my Storage Account to allow from all networks, the test will succeed.

Is there a plan to support managed identity for Azure File Share? Since running SSIS packages is obviously one of the most-used features on ADF and storing SSIS package files on Azure File Share is very common, it is weird that managed identity is not supported here. Does this mean customers are forced to set their Storage Accounts to allow access from all networks? Is there any workaround so that I don't have to allow connections to the Storage Account from all networks?


Thanks.


azure-data-factory azure-storage-accounts azure-files

Hi @pitawatnantamanop-3754,

Thanks for using Microsoft Q&A !!
Unfortunately, if you are using Azure File storage in Azure-SSIS IR then it only supports basic authentication as of now. However, I am checking internally on the same to see if there are any alternatives at all and will get back to you as soon as I hear back.

Thanks
Saurabh

0 Votes 0 ·
02137510 SaurabhSharma-msft ·

Thanks for you

1 Vote 1 ·

Hello @SaurabhSharma-msft ,

Thanks for your reply. Actually I don't care that much about the authentication method. What I really would like to know is if I can create a Linked Service to Azure File Storage that does not allow access from all networks. If yes, how?

The reason I mentioned managed identity authentication is that it seems to be the only option to connect to Blob Storage that does not allow all networks.

Thanks.

0 Votes 0 ·

Hi @pitawatnantamanop-3754,

Here is the update - SSIS IR can only connect to Azure Files using Win Auth, but you can store your credentials in AKV and allow only traffic from its public IP addresses/VNet/subnet on your Azure Storage firewall.

Thanks
Saurabh

0 Votes 0 ·

Hi @pitawatnantamanop-3754,

Please let me know if you have any questions.

Thanks
Saurabh

0 Votes 0 ·

Hi @SaurabhSharma-msft ,

Thanks for your reply. Maybe I'm mistaken, but I'm asking about creating a Linked Service that connects to Azure Files. The Linked Service does not use SSIS-IR to connect, hence it can't be in the same VNET as Azure Files.

Please see this screenshot as I create a Linked Service and the option "Connect via integration runtime" has only one option which is AutoResolveIntegrationRuntime. My SSIS-IR isn't available to select. If I continue and select the Azure Storage Account that doesn't allow all networks, the "Test connection" will fail.


2sSetV.png

Let me ask again:

  1. From my situation, is it possible to create a Linked Service that connects to this Azure Storage Account?

  2. If I need to specify public IP of AutoResolveIntegrationRuntime, how can I know its IP address?


Thanks.





0 Votes 0 ·

1 Answer

0 Votes
RaunakJhawar-2600 answered

You can create a managed private endpoint for this file share and access this resource from ADF.
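
As an added example (not part of the original thread and not Microsoft tooling): a small Python check that reads a storage account's network rules and reports whether the account is still reachable from all networks, the setting this thread is trying to avoid. It assumes the ARM resource JSON shape (`properties.networkAcls` with `defaultAction`, `ipRules`, `virtualNetworkRules`, plus `properties.publicNetworkAccess`); the sample accounts, the placeholder subnet ID and the `min_prefix` threshold are constructed for illustration.

```python
import ipaddress

# Constructed samples in ARM resource shape (not real accounts).
OPEN_ACCOUNT = {"properties": {"networkAcls": {
    "defaultAction": "Allow", "bypass": "AzureServices"}}}
LOCKED_ACCOUNT = {"properties": {"networkAcls": {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [
        {"value": "203.0.113.10", "action": "Allow"},
        {"value": "198.18.0.0/15", "action": "Allow"},
    ],
    "virtualNetworkRules": [
        # Placeholder resource ID for the subnet the Azure-SSIS IR joins.
        {"id": "/subscriptions/<sub-id>/.../subnets/<ssis-ir-subnet>",
         "action": "Allow"},
    ],
}}}


def audit_storage_firewall(account, min_prefix=24):
    """Summarise who can reach the account through its public endpoint."""
    props = account.get("properties", {})
    acls = props.get("networkAcls") or {}
    public_off = props.get("publicNetworkAccess") == "Disabled"

    def allowed(rules, key):
        return [r[key] for r in rules or [] if r.get("action", "Allow") == "Allow"]

    ips = allowed(acls.get("ipRules"), "value")
    subnets = allowed(acls.get("virtualNetworkRules"), "id")
    # Assumption: a missing defaultAction is audited as Allow (all networks).
    open_to_all = not public_off and acls.get("defaultAction", "Allow") != "Deny"
    # Flag IP rules wider than the chosen prefix; min_prefix is a local policy choice.
    broad = [v for v in ips
             if ipaddress.ip_network(v, strict=False).prefixlen < min_prefix]

    findings = []
    if open_to_all:
        findings.append("defaultAction is not Deny: reachable from all networks")
    findings += [f"IP rule {v} is wider than /{min_prefix}" for v in broad]
    return {"open_to_all": open_to_all, "allowed_ips": ips,
            "allowed_subnets": subnets, "broad_ip_rules": broad,
            "findings": findings}


if __name__ == "__main__":
    for name, acct in [("open", OPEN_ACCOUNT), ("locked", LOCKED_ACCOUNT)]:
        print(name, audit_storage_firewall(acct)["findings"])
```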
