yaronprigal

Enabling Fabric Git Integration for GitHub with IP Allow List

Introduction

As organizations increasingly adopt Microsoft Fabric for their data and analytics workloads, many are also tightening their security posture—especially around GitHub Enterprise Cloud. A common practice is enabling firewall settings to restrict access to only known public IPs.

However, Microsoft Fabric, being a SaaS platform deployed across multiple regions, uses dynamic, region-specific IPs. While Fabric supports Azure service tags, these tags cannot currently be used within GitHub’s firewall configuration, creating a gap in secure integration.

This blog introduces a custom solution that addresses this challenge by automatically updating GitHub's IP allow list based on the Fabric tenant's regional IPs. The solution is available in the GitHub repo and uses GitHub's GraphQL API.

 

⚠️ Note: This project is independently developed and provided as-is for the Fabric community. It is not maintained or supported by Microsoft. 

 


Image 1 – Current situation when GitHub Enterprise Cloud is configured with an IP allow list

 


Image 2 – GitHub Enterprise Cloud – IP allow list configuration (GitHub based) 

 

The Problem

When customers enable firewall restrictions in GitHub Enterprise Cloud (GitHub based), they must specify which public IPs are allowed to interact with their instance. Fabric’s distributed nature means its IPs vary by region and can change over time. 

While Microsoft Fabric supports Azure service tags to simplify IP management, GitHub does not currently support these tags in its firewall configuration. This limitation creates a friction point for automation and secure integration between Fabric and GitHub.  

Without a dynamic update mechanism, customers risk blocking Fabric Git Integration from accessing GitHub—potentially breaking CI/CD pipelines and other critical workflows. 

 

The Solution

To solve this, I developed a custom solution which: 

  1. Fetches the public IPs used by Fabric for the required region (the user's Fabric home tenant region).
  2. Uses GitHub’s GraphQL API to update the IP allow list dynamically. 

This ensures that GitHub remains accessible to Fabric Git Integration without manual intervention.

The automation is designed to be both efficient and safe. It compares the current GitHub IP allow list with the latest Fabric regional IPs and only makes changes if there are differences - adding new IPs or removing outdated ones as needed. If no changes are detected, the script exits without making any modifications. 

Additionally, a ‘dry-mode’ option is available. This mode lets you simulate the update process, showing exactly what would be changed, but without actually modifying your GitHub settings. This feature is ideal for validation and gives administrators confidence before applying updates in production.
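
The compare-then-apply logic and the dry mode described above, sketched as an added example (this is not the repository's code). It goes slightly beyond the text by deleting only entries the tool itself labelled, so manually added ranges survive, and by refusing to act on an empty IP list. Assumptions: the `fabric-auto` entry name, the `send` callback that would post to GitHub's GraphQL endpoint, and the constructed sample entries.

```python
import ipaddress

MANAGED = "fabric-auto"  # assumed label marking entries this tool created
CREATE = """mutation($owner: ID!, $cidr: String!, $name: String!) {
  createIpAllowListEntry(input: {ownerId: $owner, allowListValue: $cidr,
                                 name: $name, isActive: true}) {
    ipAllowListEntry { id } } }"""
DELETE = """mutation($id: ID!) {
  deleteIpAllowListEntry(input: {ipAllowListEntryId: $id}) { clientMutationId } }"""

# Constructed sample data (documentation ranges, not real Fabric or GitHub values).
SAMPLE_CURRENT = [
    {"id": "E1", "name": MANAGED, "allowListValue": "203.0.113.0/24"},
    {"id": "E2", "name": MANAGED, "allowListValue": "198.51.100.7"},
    {"id": "E3", "name": "corp-vpn", "allowListValue": "192.0.2.10/32"},
]
SAMPLE_DESIRED = ["203.0.113.0/24", "198.51.100.64/26"]


def canon(value):
    """Canonical CIDR, so '198.51.100.7' and '198.51.100.7/32' compare equal."""
    return str(ipaddress.ip_network(value.strip(), strict=False))


def plan_changes(current_entries, desired_cidrs):
    """Return (CIDRs to add, managed entries to delete)."""
    desired = {canon(c) for c in desired_cidrs}
    if not desired:
        # A failed or empty fetch must not be read as "delete every entry".
        raise ValueError("desired list is empty; refusing to plan removals")
    present = {canon(e["allowListValue"]) for e in current_entries}
    stale = [e for e in current_entries
             if e["name"] == MANAGED and canon(e["allowListValue"]) not in desired]
    return sorted(desired - present), stale


def sync(current_entries, desired_cidrs, owner_id, send, dry_run=True):
    """Build the mutations; send(query, variables) runs only when dry_run is False."""
    to_add, stale = plan_changes(current_entries, desired_cidrs)
    # Additions come first so new ranges are allowed before old ones disappear.
    ops = [(CREATE, {"owner": owner_id, "cidr": c, "name": MANAGED}) for c in to_add]
    ops += [(DELETE, {"id": e["id"]}) for e in stale]
    if not dry_run:
        for query, variables in ops:
            send(query, variables)
    return ops
```

With the sample data, the plan adds `198.51.100.64/26`, deletes entry `E2`, and leaves the manually named `corp-vpn` entry untouched.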

 

Flexible Deployment Options 

There are several ways to deploy the solution, depending on your organization’s policies and security requirements: 

 

Option 1: Use the Pre-built Docker Image 

  1. Download the Docker image hosted in GitHub Packages  (ghcr.io/yaronpri/fabric-ipallowlist-updater:latest)
  2. Host the container on your preferred hosting environment for running containers (make sure the network has access to your GitHub Enterprise Cloud instance), following the instructions in the repository

Option 2: Build Your Own Docker Image

  1. Fork the repository to your organization’s GitHub account
  2. Compile a new Docker image using your company’s approved base images and build process
  3. Deploy and run the container according to your internal guidelines

Option 3: Run as a Python Program 

  1. Fork and clone the repository to your environment
  2. Scan the code using your organization’s security tools
  3. Run the program directly with Python, following the provided instructions

Conclusion 

This custom solution streamlines secure integration between Microsoft Fabric and GitHub Enterprise Cloud by dynamically managing IP allow lists—only making changes when needed, and offering a safe dry-mode for validation. Choose the deployment method that best fits your organization, and keep your workflows both secure and seamless.