Azure SQL Server Firewall Rule for ADF Integration Runtime (SSIS)

[bertrandpons]

Hello,

Do we have no choice but opening firewall to Azure services to allow ADF Integration Runtime communicating with Azure SQL Server ?

Thank you !

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 567118bc-05db-cb9d-d14f-faf835da048a
• Version Independent ID: 9aaa1635-bb8c-07b4-ebc5-55baeb98149c
• Content: Security considerations in Azure Data Factory
• Content Source: articles/data-factory/data-movement-security-considerations.md
• Service: data-factory
• GitHub Login: @nabhishek
• Microsoft Alias: abnarain

[BryanTrach-MSFT]

@bertrandpons Can you please provide us with the URL of the doc that you are having issues with? We look forward to your reply.

[bertrandpons]

@BryanTrach-MSFT It is more a question related to the following document: https://docs.microsoft.com/en-us/azure/data-factory/data-movement-security-considerations. I navigated on different blogs and I can't find a solution apart opt-in "Allow access to Azure services" in SQL Server firewall rules to allow access to the DB from ADF. Is there another way to narrow the access to only required services ?

[CHEEKATLAPRADEEP-MSFT-zz]

@bertrandpons Note: Azure-SSIS integration run time supports only Azure Resource Manager virtual networks for your Azure-SSIS IR to join if you use Azure SQL Database server with virtual network service endpoints or require access to on-premises data stores.

The Data Factory service connects to your Azure SQL Database to prepare the SSIS Catalog database (SSISDB). It also configures permissions and settings for your virtual network, if specified, and joins the new instance of Azure-SSIS integration runtime to the virtual network.

For more details, refer “Create Azure-SSIS Integration Runtime in Azure Data Factory”.

Hope this helps.

[bertrandpons]

@CHEEKATLAPRADEEP-MSFT Thank you for your reply. I don't want to use virtual network, only Azure SQL Database without virtual network service endpoints.

My question is more to know if there is a pool of ip addresses from my ADF Azure-SSIS IR to allow in Azure SQL Server firewall rules to make ADF and the SQL server communicate, instead of let turned on the rule "Allow access to Azure services"

[CHEEKATLAPRADEEP-MSFT-zz]

@bertrandpons To allow ADF from Azure to connect to your Azure SQL server, “Allow access to Azure Services” must be ON. When an ADF from Azure attempts to connect to your database server, the firewall verifies that Azure connections are allowed. A firewall setting with starting and ending address equal to 0.0.0.0 indicates Azure connections are allowed. If the connection attempt is not allowed, the request does not reach the Azure SQL Database server.

[CHEEKATLAPRADEEP-MSFT-zz]

@bertrandpons We will now proceed to close this thread. If there are further questions regarding this matter, please comment and we will gladly continue the discussion.

[rvgolovin]

Is there a plan to make it possible for the Azure SQL DB to set a firewall rule to allow only the Data Factory to connect to it and not have to open the SQL DB to the entire Azure?

[silva-3]

I'm looking for the same solution. In this we apparently have the possible outbound ips by region: https://docs.microsoft.com/en-us/azure/data-factory/azure-integration-runtime-ip-addresses.
But we still without the IP by instance, as we get in App Service, for example

[chandainfy]

@CHEEKATLAPRADEEP-MSFT we have a similar situation, however, the SQL server name is correct, credentials are correct and allowed all azure resource is enabled.
still, the Data factory pipeline is failing with below error:
"message": "ErrorCode=SqlFailedToConnect,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Cannot connect to SQL Database: '', Database: '', User: ''. Check the linked service configuration is correct, and make sure the SQL Database firewall allows the integration runtime to access.,Source=Microsoft.DataTransfer.ClientLibrary,''Type=System.Data.SqlClient.SqlException,Message=A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - No such host is known.),Source=.Net SqlClient Data Provider,SqlErrorNumber=11001,Class=20,ErrorCode=-2146232060,State=0,Errors=[{Class=20,Number=11001,State=0,Message=A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - No such host is known.),},],''Type=System.ComponentModel.Win32Exception,Message=No such host is known,Source=,'",

[CharlesAtDCube]

Same here, while trying to copy data from on prem SQL Server instance with IR correctly installed (I can look up), to Azure SQL Database, I get the same error as @chandainfy. As if the on prem base tried to connect directly to my azure sqldb.

[clouddatabuilders]

Please can someone provide more detail around port 8060 and whether that's needed. As I understand, this port only required when configuring HA mode for the IR engine for an on premise setup?

[Codypinto23]

Having the same issue as @chandainfy. Anyone have any updates on getting this to work?

[CharlesAtDCube]

I circumvented it by enabling staging, which does not use the 1433 port. Le 24 août 2020 19:54, Cody Pinto <notifications@github.com> a écrit : Having the same issue here. Anyone have any updates on getting this to work? — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#25357 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ANRTHLWVWA2QVWPUYUWM2DDSCKSMBANCNFSM4GYVVVSA>.

[clintgrove]

Is there a plan to make it possible for the Azure SQL DB to set a firewall rule to allow only the Data Factory to connect to it and not have to open the SQL DB to the entire Azure?

Is it not possible to host a self-hosted IR on a VM. Then use it to connect back to the Azure SQL DB. So the communication runs between your ADF through the IR on the VM, and then back to the Azure SQL server. This should eliminate the need to keep changing the IP? If the VM has a static IP for example... Not sure, its just an idea.

I just realised that you can now create an azure IR and you can create managed private endpoints in the factory itself. So yeah, this seems to be the solution https://azure.microsoft.com/en-gb/blog/azure-data-factory-managed-virtual-network/

[MickBadran]

@CHEEKATLAPRADEEP-MSFT we have a similar situation, however, the SQL server name is correct, credentials are correct and allowed all azure resource is enabled.
still, the Data factory pipeline is failing with below error:
"message": "ErrorCode=SqlFailedToConnect,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Cannot connect to SQL Database: '', Database: '', User: ''. Check the linked service configuration is correct, and make sure the SQL Database firewall allows the integration runtime to access.,Source=Microsoft.DataTransfer.ClientLibrary,''Type=System.Data.SqlClient.SqlException,Message=A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - No such host is known.),Source=.Net SqlClient Data Provider,SqlErrorNumber=11001,Class=20,ErrorCode=-2146232060,State=0,Errors=[{Class=20,Number=11001,State=0,Message=A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - No such host is known.),},],''Type=System.ComponentModel.Win32Exception,Message=No such host is known,Source=,'"

Hey folks - I got this exact error and have been following this thread.
(I have hybrid Oracle on-prem)

For me 'the fix' was:

1. Enable staging on the copy shape (bring the data back to blob storage)
2. The 'server' originally was 'tcp:,1433:...' (which is the way these connection strings are by default when looking under the Azure SQL DB -> Connection Strings option.

Changed this to simply:

'Server=;Initial Catalog=... yada yada... etc.'

I may have been lucky, firewall ports seem tough to get past, without opening up the whole internet.

Hope this helps.

[wolfgangas]

In addition to @MickBadran 's post: I only had to enable staging and don't do anything regarding ports. I used a self hosted IR for Oracle and a standard Azure IR for both the blob storage and the SQL Server