Unable to set up a connection in ADF with SA despite whitelisting the IP of SHIR

11-4688 131 Reputation points
2024-06-24T15:49:36.65+00:00

Hello.

I am having some issues with connecting to Storage Account from ADF.

My current setup:

  1. Azure Data Factory
  2. Virtual Network
  3. Static Public IP Address
  4. Azure Windows Server 2019 VM with Self-Hosted Integration Runtime installed and Public IP from 3
  5. Storage Account with the "Enabled from selected virtual networks and IP addresses" option selected, with my local IP address AND the IP from 3

Unfortunately I am not able to add the SA as a linked service, somehow the SA Whitelist cannot accept the SHIR IP:

User's image

I have no idea what I am doing wrong here and would really appreciate some help.


2 answers

  1. Nehruji R 4,691 Reputation points Microsoft Vendor
    2024-06-25T06:49:10.13+00:00

    Hello 11-4688,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand the issue you’re facing with connecting to your Storage Account (SA) from Azure Data Factory (ADF). Please consider checking the below steps to troubleshoot the issue further.

    "This request is not authorized to perform this operation": this error message is due to an authentication failure when trying to access a resource. Please check that the service principal or identity you're using has the necessary permissions. Specifically, make sure it has the 'Storage Blob Data Contributor' role assigned. You can do this in the Azure Portal by going to your Storage Account and selecting "Access Control (IAM)". Refer to this similar thread for reference: https://stackoverflow.com/questions/73388655/status-403-this-request-is-not-authorized-to-perform-this-operation-using-this.

    The issue may be that your ADF is not in the same VNet as the storage account. If you enabled "Enabled from selected virtual networks and IP addresses" and configured the firewall (not using a VNet), then you can enable "Allow Azure services on the trusted services list to access this storage account." to access the storage account via ADF. Please see the blog below for more details.

    https://techcommunity.microsoft.com/t5/azure-data-factory-blog/data-factory-is-now-a-trusted-service-in-azure-storage-and-azure/ba-p/964993

    Also, please make sure your client's public IP address is allowed. In other words, you need to have the public IP address of the client PC you are using to access the Azure Portal. If you don't, you will receive an error.

    "Allow Azure services on the trusted services list to access this storage account." works only when you have configured the firewall. Refer to https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-storage-firewall-issues/ba-p/1944730

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


  2. Pinaki Ghatak 3,260 Reputation points Microsoft Employee
    2024-07-01T08:53:22.5966667+00:00

    Hello @11-4688

    Based on the screenshots you provided, it looks like the IP address of your Self-Hosted Integration Runtime is not being accepted by the Storage Account firewall. Here are some steps you can follow to troubleshoot this issue:

    1. Check if the IP address of your Self-Hosted Integration Runtime is correct. You can find the IP address of your Self-Hosted Integration Runtime by going to the VM where it is installed and running the command ipconfig in the command prompt.
    2. Check if the IP address of your Self-Hosted Integration Runtime is added to the allowed IP addresses in the Storage Account firewall. You can do this by going to the Storage Account in the Azure portal, selecting "Firewalls and virtual networks" from the left-hand menu, and then adding the IP address of your Self-Hosted Integration Runtime to the list of allowed IP addresses.
    3. Check if the virtual network that your Self-Hosted Integration Runtime is connected to is added to the allowed virtual networks in the Storage Account firewall. You can do this by going to the Storage Account in the Azure portal, selecting "Firewalls and virtual networks" from the left-hand menu, and then adding the virtual network that your Self-Hosted Integration Runtime is connected to, to the list of allowed virtual networks.
    4. Check if the "Allow access from" option in the Storage Account firewall is set to "Selected networks". If it is set to "All networks", then the firewall will not be able to restrict access to the Storage Account based on IP addresses or virtual networks.

    That should get you started on solving this problem.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.

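The four firewall checks listed in the second answer can be run offline against an exported rule set. The following is an added example, not code from either answerer or from Microsoft: it assumes the rule set has the shape printed by `az storage account show --query networkRuleSet`, and the function name, finding codes, subnet ID and sample values are hypothetical. It also applies two documented Azure Storage constraints: IP rules accept only public internet addresses, and IP rules have no effect on requests that originate in the same region as the storage account.

```python
import ipaddress

# Private ranges that a storage account IP rule cannot contain.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_storage_firewall(rule_set, shir_ip, shir_subnet_id, same_region):
    """Check an exported network rule set against the SHIR's address and subnet.

    Returns a list of finding codes; an empty list means no problem was found.
    """
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("DEFAULT_ALLOW")       # "All networks": rules not enforced
    ip = ipaddress.ip_address(shir_ip)
    if any(ip in net for net in RFC1918):
        findings.append("PRIVATE_IP")          # only public IPs are valid in IP rules
    ip_allowed = any(
        ip in ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
        for r in rule_set.get("ipRules", [])
        if r.get("action", "Allow") == "Allow"
    )
    subnet_allowed = any(
        r["virtualNetworkResourceId"].lower() == shir_subnet_id.lower()
        for r in rule_set.get("virtualNetworkRules", [])
        if r.get("action", "Allow") == "Allow"
    )
    if same_region and not subnet_allowed:
        # Same-region traffic is not matched by IP rules; a VNet rule is needed.
        findings.append("SAME_REGION_NEEDS_VNET_RULE")
    elif not (ip_allowed or subnet_allowed):
        findings.append("NOT_ALLOWED")
    return findings

# Constructed sample data (placeholder subscription, documentation-range IP).
SHIR_SUBNET = ("/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/"
               "Microsoft.Network/virtualNetworks/vnet-demo/subnets/shir")
SAMPLE_RULE_SET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
    "virtualNetworkRules": [],
}

if __name__ == "__main__":
    print(audit_storage_firewall(SAMPLE_RULE_SET, "203.0.113.10", SHIR_SUBNET, True))
```
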