This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 17%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
I have a Power Bi (M365/Azure kind, not on premise) dataset that is syncing data from one of my Azure SQL databases. This Azure database resource has its network firewall enabled to only allow connections from whitelisted public IP addresses. I am able to add the public IP of the Power Bi dataset to this whitelist and then the connection works.
The issue I am running into, the pubic IP address of the Power Bi dataset is not static. This means I have to go into the resource and update the whiltelist each time it changes. From watching it the last few days, it seems to always be a 40.80.184.0/21 address, but the documentation suggests this could change at any time so I am hesitant to open a large range of addresses.
I know Azure has service tags, specifically the PowerBI one, that is kept up to date by Microsoft with the IPs for that service, but from what I can tell those are only usable on Azure NSG and not on individual resources. I am wondering what would be the best practice solution here, as whitelisting the entire address space seems reckless and fallible, and setting up a security gateway in the VNET with the NSG's seems overly complex for what feels like a simple problem. Below is the error from Power Bi after the IP address changes and is no longer whitelisted.
Using NSGs is not complex at all, please refer to the instructions provided on this article. Only 5 steps needed.
AlbertoMorillo thanks for the response! A guide to setup an NSG for this specify scenario is useful, but unfortunately still is not the simple solution I was looking for. Those "5 steps" still require a decent amount of setup, but the real downside is it requires running a VM in Azure 24/7 which is not free nor infallible, and it adds more IT administrate overhead for a niche system. From the more reading I've done, it does seem this is one of only two options, the other enabling the "allow Azure resources to access this resource", which certainly checks the box for simple but not the secure one. If there are other options I'm unaware of, I'd love to hear them, but for now we'll pursue one of these. Thanks again!
Sorry, I don't know any other way.