Advice on Narrowing IP Ranges for Azure Data Factory Integration with External SQL Server

Anthony Jennings 0 Reputation points
2024-09-24T16:22:37.7+00:00

Hello Azure Community,

I’m currently working with a client who is integrating their Azure Data Factory (ADF) environment with an external SQL Server hosted by a third-party provider. The goal is to set up secure communication between ADF and the SQL Server, but we've encountered a challenge with the broad range of public IP addresses that need to be whitelisted on the SQL Server side.

The client is trying to keep their cloud footprint small and cost-effective as their internal team has limited technical expertise, making it difficult to manage complex Azure setups like Self-Hosted Integration Runtimes (SHIR) and virtual machines. Ideally, we would like to avoid using a VM and SHIR due to the added costs and complexity.

We provided the IP addresses associated with ADF in the Central US region, but the provider felt that the range of IPs was too broad to whitelist securely. Here are the IP ranges we initially provided:

[moderator: redacted]

Given that, I’m wondering if anyone has suggestions for narrowing down the range of IP addresses or any alternative ways to connect Azure Data Factory to an external SQL Server in a more cost-effective and manageable way. Ideally, we would prefer to avoid the complexity of a VM if possible, but security is also a top priority for the client.

I would greatly appreciate any guidance or advice from those who have faced a similar issue or know of a better solution for reducing the number of IPs needed for secure whitelisting.

Thank you in advance!

Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
11,656 questions
SQL Server | Other
{count} votes

1 answer

Sort by: Most helpful
  1. Nandan Hegde 36,156 Reputation points MVP Volunteer Moderator
    2024-09-25T02:22:16.5766667+00:00

    Unfortunately, in case if you are using Azure IR; you would need to whitelist all IPs of the region in which the ADF is hosted because MSFT might assign any IP to that specific run. There is no way for us to restrict the range ourselves and it changes on an yearly basis (minor changes if any)

    If you want a static IP, then self hosted IR is the only way forward by setting up a VM.

    Note : You can also create private endpoint but that would be more costly than a Self IR

    https://learn.microsoft.com/en-us/azure/data-factory/tutorial-managed-virtual-network-on-premise-sql-server


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.