Workspaces - Set Firewall Rules
Sets the IP firewall rules for the workspace. This API enables workspace administrators to set IP firewall rules that control which IP addresses are to be allowed to connect to the workspace. This feature is currently in preview.
Note
This API is part of a Preview release and is provided for evaluation and development purposes only. It may change based on feedback and is not recommended for production use.
Note
Firewall rules are only enforced if the workspace’s network communication policy has inbound.publicAccessRules.defaultAction set to Deny. If public access is not blocked on workspace, API calls to this workspace will not be restricted.
Note
This API uses the PUT method and will overwrite all IP firewall rules for the workspace. Always run Get first and provide all IP firewall rules in the request body.
Permissions
The caller must have admin workspace role.
Required Delegated Scopes
Workspace.ReadWrite.All
Microsoft Entra supported identities
This API supports the Microsoft identities listed in this section.
| Identity | Support |
|---|---|
| User | Yes |
| Service principal and Managed identities | Yes |
Interface
PUT https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/networking/communicationPolicy/inbound/firewallURI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
workspace
|
path | True |
string (uuid) |
Unique identifier of the workspace to update. |
Request Body
| Name | Type | Description |
|---|---|---|
| rules |
A list of rules that define IP addresses permitted for inbound access. Each rule may include a name and a single IP address, an IP address range, or a CIDR IP address. A maximum of 256 rules can be specified per workspace. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
Request completed successfully and has no content in the response body. Headers: ETag |
|
| 429 Too Many Requests |
The service rate limit was exceeded. The server returns a Headers Retry-After: integer |
|
| Other Status Codes |
Common error codes:
|
Examples
Example for setting workspace firewall rules
Sample request
PUT https://api.fabric.microsoft.com/v1/workspaces/47482db6-4583-4672-86dd-999d0f8f4d7a/networking/communicationPolicy/inbound/firewall
{
"rules": [
{
"displayName": "SingleIPAddressRule",
"value": "12.34.56.78"
},
{
"displayName": "IPAddressRangeRule",
"value": "12.34.56.78-12.34.56.89"
},
{
"displayName": "CidrIPAddressRule",
"value": "12.34.56.0/24"
}
]
}
Sample response
ETag: 0f8fad5b-d9cb-469f-a165-70867728950eDefinitions
| Name | Description |
|---|---|
|
Error |
The error related resource details object. |
|
Error |
The error response. |
|
Error |
The error response details. |
|
Firewall |
Defines a firewall rule, identified by its name and containing a single IP address, an IP address range, or a CIDR IP address as its value. |
|
Inbound |
This object defines the complete set of firewall rules to manage inbound access protection as part of a workspace’s networking communication policy. It ensures that only explicitly authorized IP addresses are permitted for inbound communication. When submitted via the PUT API, this object creates or fully replaces the existing IP firewall configuration for the workspace. These rules are enforced only when the workspace’s network communication policy has inbound.publicAccessRules.defaultAction set to Deny. |
ErrorRelatedResource
The error related resource details object.
| Name | Type | Description |
|---|---|---|
| resourceId |
string |
The resource ID that's involved in the error. |
| resourceType |
string |
The type of the resource that's involved in the error. |
ErrorResponse
The error response.
| Name | Type | Description |
|---|---|---|
| errorCode |
string |
A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| isRetriable |
boolean |
When true, the request can be retried. Use the |
| message |
string |
A human readable representation of the error. |
| moreDetails |
List of additional error details. |
|
| relatedResource |
The error related resource details. |
|
| requestId |
string (uuid) |
ID of the request associated with the error. |
ErrorResponseDetails
The error response details.
| Name | Type | Description |
|---|---|---|
| errorCode |
string |
A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| message |
string |
A human readable representation of the error. |
| relatedResource |
The error related resource details. |
FirewallRule
Defines a firewall rule, identified by its name and containing a single IP address, an IP address range, or a CIDR IP address as its value.
| Name | Type | Description |
|---|---|---|
| displayName |
string |
Specifies the name of the rule. Display names can be up to 128 characters in length and are required to be unique per workspace. |
| value |
string |
Specifies the value of the rule, specified as a single IP address, an IP address range, or a CIDR IP address. |
InboundFirewallConfiguration
This object defines the complete set of firewall rules to manage inbound access protection as part of a workspace’s networking communication policy. It ensures that only explicitly authorized IP addresses are permitted for inbound communication. When submitted via the PUT API, this object creates or fully replaces the existing IP firewall configuration for the workspace. These rules are enforced only when the workspace’s network communication policy has inbound.publicAccessRules.defaultAction set to Deny.
| Name | Type | Description |
|---|---|---|
| rules |
A list of rules that define IP addresses permitted for inbound access. Each rule may include a name and a single IP address, an IP address range, or a CIDR IP address. A maximum of 256 rules can be specified per workspace. |