NAT Gateway for Managed VNet IR

Question

NAT Gateway for Managed VNet IR

Amrale, Siddhesh 40

How can I make Azure Managed VNet IR to make requests through a static public I.P?

I want to pull data from 'xyz.com/books' api. This API provider doesn't allow requests from everyone. They only allow requests from IPs which are whitelisted. I have created a pipeline in data factory and I am trying to pull data from this API. To get this data I want to give this 3rd party API provider some public ip that they can whitelist. I don't want to manage VMs. So, I prefer not to use it. I prefer whatever requests this Azure provided IR does goes through a single whitelisted public ip (which I will give to 3rd party). So, I can get the data

I don't want to create and manage VM's and neither I want to whitelist entire microsoft range of public ips.

Any Solutions ?

Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-02-11T07:01:09.58+00:00
Hi @Amrale, Siddhesh

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

I am afraid I did not understand your requirement.

From your verbatim,

You have a Azure Data Factory managed virtual network.

And you created a integration runtime Pipeline.

You want the pipeline to make outbound connections to a Function App via a static Public IP.

Analysis,

However, I am not sure why you are mentioning the use of a NAT Gateway and Private Endpoint for a single use case.

One makes call via Internet and the other uses private traffic.

Moreover,

I am not sure how you are making use of a NAT Gateway with a Managed VNET

If you want to make a connection between your AFD and Azure Functions (Premium plan), you can make use of native private endpoint support

NOTE : The connection does not use a Public EndPoint and thus there is no Public IP in place.

i.e., No need for a NAT Gateway

Also see : Azure Integration Runtime IP addresses

Azure Integration Runtime which enable Managed Virtual Network, and all data flows don't support the use of fixed IP ranges.

You can follow: Managed private endpoints

Kindly let us know if the above helps or you need further assistance on this issue.
Amrale, Siddhesh 40 Reputation points

2025-02-11T15:04:41.2033333+00:00

Let me rephrase my problem.

I want to pull data from 'xyz.com/books' api. This API provider doesn't allow requests from everyone. They only allow requests from IPs which are whitelisted.
I have created a pipeline in data factory and I am trying to pull data from this API. To get this data I want to give this 3rd party API provider some public ip that they can whitelist.
I don't want to manage VMs. So, I prefer not to use it. I prefer whatever requests this Azure provided IR does goes through a single whitelisted public ip (which I will give to 3rd party). So, I can get the data. @Sai Prasanna Sinde @Vinodh247
Anonymous

2025-02-12T06:29:34.84+00:00

Hello @Amrale, Siddhesh,

Thanks for reaching out to Microsoft Q&A.

As per this Documentation,

As all ports are opened for outbound communications, we cannot control the outbound traffic from the ADF IR to function app as its not consistent. As you don't want to use Self-hosted IR within your network or in your VM with a statis public IP, you can follow the below workaround by allowing the traffic from the IP addresses listed for the Azure Integration runtime in the specific Azure region where your resources are located. Based on the region of your ADF, you can get the IP range list. Please go through this Documentation to know more about the same.

Kindly let us know if the above helps or you need further assistance on this issue.
Anonymous

2025-02-13T02:56:44.3766667+00:00

Hello @Amrale, Siddhesh,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2025-02-17T09:36:09.1033333+00:00

Hi Amrale, Siddhesh,

Just following up to see if the below answer helped . Kindly accept the answer by clicking on Accept answer button. Thankyou
Amrale, Siddhesh 40 Reputation points

2025-02-18T20:03:47.9533333+00:00

@Anonymous Hey Rakesh!
I am trying to find a workaround for it.
So, In data factory instead of calling 3rd party api directly. I am trying to send request to my api management service. This api management service is in the vnet. So, I will send request from data factory to api management service and then api management service will send request to third party.
But still it is not working. It is giving me 500 internal error.

Accepted answer

1 additional answer

Your answer

Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-02-11T07:01:09.58+00:00

Hi @Amrale, Siddhesh

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

I am afraid I did not understand your requirement.

From your verbatim,

You have a Azure Data Factory managed virtual network.

And you created a integration runtime Pipeline.

You want the pipeline to make outbound connections to a Function App via a static Public IP.

Analysis,

However, I am not sure why you are mentioning the use of a NAT Gateway and Private Endpoint for a single use case.

One makes call via Internet and the other uses private traffic.

Moreover,

I am not sure how you are making use of a NAT Gateway with a Managed VNET

If you want to make a connection between your AFD and Azure Functions (Premium plan), you can make use of native private endpoint support

NOTE : The connection does not use a Public EndPoint and thus there is no Public IP in place.

i.e., No need for a NAT Gateway

Also see : Azure Integration Runtime IP addresses

Azure Integration Runtime which enable Managed Virtual Network, and all data flows don't support the use of fixed IP ranges.

You can follow: Managed private endpoints

Kindly let us know if the above helps or you need further assistance on this issue.
Amrale, Siddhesh 40 Reputation points

2025-02-11T15:04:41.2033333+00:00

Let me rephrase my problem.

I want to pull data from 'xyz.com/books' api. This API provider doesn't allow requests from everyone. They only allow requests from IPs which are whitelisted.
I have created a pipeline in data factory and I am trying to pull data from this API. To get this data I want to give this 3rd party API provider some public ip that they can whitelist.
I don't want to manage VMs. So, I prefer not to use it. I prefer whatever requests this Azure provided IR does goes through a single whitelisted public ip (which I will give to 3rd party). So, I can get the data. @Sai Prasanna Sinde @Vinodh247
Anonymous

2025-02-12T06:29:34.84+00:00

Hello @Amrale, Siddhesh,

Thanks for reaching out to Microsoft Q&A.

As per this Documentation,

As all ports are opened for outbound communications, we cannot control the outbound traffic from the ADF IR to function app as its not consistent. As you don't want to use Self-hosted IR within your network or in your VM with a statis public IP, you can follow the below workaround by allowing the traffic from the IP addresses listed for the Azure Integration runtime in the specific Azure region where your resources are located. Based on the region of your ADF, you can get the IP range list. Please go through this Documentation to know more about the same.

Kindly let us know if the above helps or you need further assistance on this issue.
Anonymous

2025-02-13T02:56:44.3766667+00:00

Hello @Amrale, Siddhesh,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2025-02-17T09:36:09.1033333+00:00

Hi Amrale, Siddhesh,

Just following up to see if the below answer helped . Kindly accept the answer by clicking on Accept answer button. Thankyou
Amrale, Siddhesh 40 Reputation points

2025-02-18T20:03:47.9533333+00:00

@Anonymous Hey Rakesh!
I am trying to find a workaround for it.
So, In data factory instead of calling 3rd party api directly. I am trying to send request to my api management service. This api management service is in the vnet. So, I will send request from data factory to api management service and then api management service will send request to third party.
But still it is not working. It is giving me 500 internal error.

Answer 1

AnnuKumari-MSFT 34,556 Microsoft Employee Moderator

Hi Amrale, Siddhesh,

I understand that NAT Gateway essentially allows you to do Network Address Translation for any Virtual Networks or Subnets in your Azure Infrastructure. You can deploy the NAT Gateway, then configure it with a Public IP Address or a Public IP Prefix, and link it to your Subnet. However, even with a NAT Gateway, you cannot link Azure Integration Runtimes to a Public IP Address.

Try the below workaround :

Deploy Azure VM
- Create one Azure VM per Data Factory (for three environments).
- Place each VM in a subnet with restrictive Network Security Group (NSG) rules to limit internet access.
Configure NAT Gateway
- Deploy a NAT Gateway with a single public IP address (instead of a public IP address prefix).
- Link the subnet to the NAT Gateway.
Set Up Integration Runtime
- Install the self hosted Integration Runtime package on the VM.
- Create the Integration Runtime in the ADF portal.
- Use the generated authentication key to link the Integration Runtime software on the VM with the Integration Runtime in ADF.
Verify Public IP Address
- Run an API query from an ADF pipeline (e.g., using IPify) to check the public IP address.
- Open a webpage on the VM and visit a public IP lookup site to confirm the NAT Gateway-assigned IP address.
Note: You need all your ADF Pipelines to run on the Shared Integration Runtime you deploy in order for this to work.

Kindly check the following article to get more details on the implementation: https://medium.com/@petrutbelingher/exposing-azure-data-factory-through-controllable-ip-addresses-eac20eb07adb

Unfortunately, you cant get one static public IP address without creating VM and hosting IR there.

Hope it helps. Kindly accept the answer by clicking on Accept answer button . Thankyou

Amrale, Siddhesh 40 Reputation points

2025-02-18T20:00:10.4266667+00:00

I have mentioned that I don't want to create and manage VMs
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2025-02-19T18:51:00.9366667+00:00

Hi Amrale, Siddhesh,

Unfortunately, it is not possible to assign a static IP address directly to the Managed VNet IR.

Either you need to create and manage VM and use SHIR to use static IP address, or you may try to achieve similar outcome by using service tags.

Service tags are labels that represent a group of IP address ranges associated with a specific Azure service. By using service tags, you can simplify your network security rules and ensure that your outbound traffic is routed through a consistent set of IP addresses.

You might need to check if the 3rd party API you are trying to hit allows to whitelist service tag instead of fixed IP address or not.

Reference: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

Hope it helps. Kindly accept the answer by clicking on Accept answer button. Thankyou.
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2025-02-20T15:30:18.2533333+00:00

Hi Amrale, Siddhesh,

Did you get a chance to check the previous response. Kindly accept the answer if it helped. Thankyou
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2025-02-27T07:28:02.3166667+00:00

Hi Amrale, Siddhesh,

Just checking if the above answer helped. In case it helped, kindly accept the answer by clicking on Accept answer button. Thankyou

Answer 2

Hi ,

Thanks for reaching out to Microsoft Q&A.

Your issue is that adf's managed VNet IR does not natively support routing outbound traffic through a NAT Gateway. Instead, Managed VNet IR uses a set of Microsoft-managed outbound IPs that can dynamically change.

Probable Options to try:

Use Azure Firewall with NAT Rule (Recommended)

Since Managed VNet IR cannot directly use a NAT Gateway, the best approach is to introduce Azure Firewall in your Virtual Network. You can configure Azure Firewall to have a static public IP and use NAT rules to route outbound traffic through this static IP.

Steps to Implement:

Deploy Azure Firewall in the same VNet as your Managed VNet IR.
Assign a static public IP (ex: 20.75.234.9) to the firewall.
Configure a UDR (User-Defined Route) on the subnet where the Managed VNet IR is deployed:
- Set the next hop to Azure Firewall for outbound traffic.
1. Create NAT Rules in Azure Firewall to translate outbound traffic to your static public IP.
2. Whitelist the static public IP (20.75.234.9) in your Function App.

This setup ensures that all outbound requests from the Managed VNet IR go through Azure Firewall and appear from your static IP.

Use a Selfhosted Integration Runtime

If you want to avoid an Azure Firewall setup, an alternative is to deploy a SHIR inside an Azure VM with a NAT Gateway. However, since you do not want to manage VMs, this might not be ideal.

Why NAT gateway Alone dont work?

Managed VNet IR traffic does not use your NAT Gateway for outbound internet requests. Instead, it uses Microsoft's predefined IP ranges, which are not customizable. This is why your Function App sees requests coming from an unexpected IP.

Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

Share via

NAT Gateway for Managed VNet IR

1 additional answer

Your answer