Azure SSIS IR - CustomSetupScriptBlobContainerInaccessible - Cannot access your Azure blob container for custom setup

Question

We are migrating SSIS packages to Azure and need 3rd party software to run on the Azure SSIS IR.

To accomplish this we performed the following steps:

• created an Azure SSIS IR in ADF
• created a storage account
• added the ADF MSI as Storage Blob Contributor to the storage account
• created a container
• created a SAS URI on the container with sufficient permissions
• uploaded 3rd pary software + main.cmd to the container

The network configuration of the storage account is set to:

Public network access
Enabled from selected virtual networks and IP addresses

Specify resource instances that will have access to your storage account based on their system-assigned managed identity
Microsoft.Datafactory/factories (name of the ADF in which the Azure SSIS IR runs)
Microsoft.Sql/Servers (name of the Azure SQL Server which hosts the SSISDB)

Exceptions
Allow Azure services on the trusted services list to access this storage account.

Network routing
Microsoft network routing

Publish route-specific endpoints
Microsoft network routing

The following error occurs when starting the Azure SSIS IR:

Error 1: Last operation 'Start' get the status 'Failed'. Error code: CustomSetupScriptFailure Error message: Your Azure-SSIS IR has failed to start due to custom setup failure. Details: [{"Code":"CustomSetupScriptBlobContainerInaccessible","NodeNumber":1,"Message":"Cannot access your Azure blob container for custom setup."}]. For more details, please refer to https://go.microsoft.com/fwlink/?linkid=2099434.

The issue disappears after changing the public network access to: enabled from all networks and the Azure SSIS IR starts successfully. Seems that the IP addresses of the temporarily created Virtual Machines running the SSIS IR are not whitelisted on the firewall off the storage account?

What should be done to solve this?

Answer 1

@Wielen, Marc van der That's correct, presently VNET is required when you want to bring your own public static IP as well . https://learn.microsoft.com/en-us/azure/data-factory/join-azure-ssis-integration-runtime-virtual-network
It appears that the only methods to achieve the aforementioned goal are either by connecting to a VNET or by enabling public network access to the storage account.

If you wish you can leave your feedback here. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Please let us know if you have any further queries. I’m happy to assist you further.    

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Hello Wielen, Marc van der,

Greetings! Welcome to Microsoft Q&A Platform.

The error message you’re encountering indicates that your Azure-SSIS IR (Integration Runtime) is failing to start due to a custom setup issue. Specifically, it cannot access your Azure blob container for custom setup. The issue might be related to firewall rules on your storage account. Since you mentioned that the issue disappears when changing public network access to “enabled from all networks,” it seems that the IP addresses of the temporarily created Virtual Machines (VMs) running the SSIS IR are not whitelisted.

To resolve this, consider joining your Azure-SSIS IR to a virtual network subnet and then adding the private IP address range of that subnet to the firewall’s allowlist for your storage account. This ensures that the VMs’ IP addresses are allowed through the firewall.

Network Configuration: Review the network configuration settings for your storage account:

Check if the system-assigned managed identity of your Azure-SSIS IR is correctly configured.

Ensure that the Microsoft.Datafactory/factories (ADF name) and Microsoft.Sql/Servers (Azure SQL Server hosting SSISDB) are correctly specified.

Verify that the trusted services list allows Azure services to access the storage account.

Custom Setup Container: Double-check the container name and ensure it matches the one specified in your SAS URI.Confirm that the container contains the necessary custom setup files (e.g., main.cmd and associated files).

Restart Azure-SSIS IR: After making any changes, stop the Azure-SSIS IR if it’s running. Reconfigure the IR with the new custom setup container SAS URI. Finally, restart the Azure-SSIS IR.

More details you may refer to https://learn.microsoft.com/en-us/azure/data-factory/join-azure-ssis-integration-runtime-virtual-network, ssis-integration-runtime-management-troubleshoot, https://learn.microsoft.com/en-us/azure/data-factory/how-to-configure-azure-ssis-ir-custom-setup.

Similar thread for reference - https://learn.microsoft.com/en-us/answers/questions/702036/azure-ssis-ir-has-failed-to-start-due-to-custom-se, https://learn.microsoft.com/en-us/answers/questions/1256755/ip-address-whitelisting-in-azure-analysis-services

Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 3

Thanks but according to the documentation a VNET is required when you want to bring your own public static IP as well . https://learn.microsoft.com/en-us/azure/data-factory/join-azure-ssis-integration-runtime-virtual-network

Seems the only way to accomplish the above is either by joining a VNET or by allowing public network access to the storage account.