
Documentation of Required Data Gateway IP Ranges for Login, Management and Proper Functionality

So all posts I have read state to run the network connectivity test for the PowerBI Gateway to obtain the required IPs for the gateway to function properly, but these ports/IPs are only for the gateway to talk to the Service Bus. I have a data gateway server sitting on a private network and all outbound traffic is NATed through a firewall. Opening the FW to my region's Service Bus is not enough to manage, share or log in to the gateway. If I only allow traffic out of the network for Service Bus, I am unable to see the gateway's online/offline status in the cloud management portal, unable to share the gateway and unable to sign in on the gateway locally.

My gateway is installed in the EastUS2 region and so far I have had to open outgoing FW on 443 to the following service tags: AzureCloud.EastUS2, Azure.PowerBI, AzureActiveDirectory.

The only thing broken now is the sign-in of the On-Premise data gateway. Running Wireshark while trying to log in shows it trying to connect to IPs that do not have reverse DNS configured and are not in the Azure range of IPs as listed here: Home Page - Azure IP Ranges

Does anyone know the IP ranges required for proper operation and management of the PowerBI DataGateway that allows Sign-In to On-Premise data gateway, Online/Offline Status in the cloud, and Sharing with other users?  

Status: Investigating

Hi @Stick0311,

 

The gateway relies on Azure Service Bus for cloud connectivity. The gateway doesn’t need inbound ports and it establishes outbound connections to its associated Azure region. To make the connection successfully, it’s recommended that you allow the “*.servicebus.windows.net” Domain Name System (DNS). Alternately, you can allow the IP addresses for your data region in your firewall as well. For more details, you can refer to Adjust communication settings for the on-premises data gateway | Microsoft Docs.

 

Best Regards,

Community Support Team _ Caiyun

Comments
v-cazheng-msft
Community Support
Status changed to: Investigating


Stick0311
New Member

Yes, I have read the documentation but I have one issue. Our ASA firewall can't do FQDN outbound rules. If one were to allow only the network test IPs in an outbound rule, then the reporting of online/offline status, gateway sharing and local login will not work.

I have managed to figure out the proper service tags and networks that are required for outbound communication. 

 

For a gateway installed in the EastUS2 region:

CDN (Content Delivery Network)
173.222.0.0/15
152.192.0.0/13
152.176.0.0/12


AzureActiveDirectory
PowerBI
AzureCloud.EastUS2

AzureFrontDoor.frontend

 

I have verified that allowing outbound access to the above service tag IP subnets and the content delivery networks allows for full functionality of the gateway: management, sharing and online/offline status reporting in cloud management.
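For a firewall that cannot match on FQDNs or service tags, the list above has to be expanded into IP prefixes. The following is an added example, not part of the thread: it turns the named service tags plus the three CDN ranges into an ASA `object-group network` block and counts how many addresses the rule opens. It assumes the `values[].name` / `properties.addressPrefixes` layout of Microsoft's Service Tags JSON download; the sample prefixes are constructed, the group name is hypothetical, and only IPv4 is emitted.

```python
import ipaddress
import json

# Tags and CDN ranges as listed in the post above for an EastUS2 gateway.
WANTED_TAGS = ["AzureActiveDirectory", "PowerBI", "AzureCloud.EastUS2", "AzureFrontDoor.frontend"]
CDN_RANGES = ["173.222.0.0/15", "152.192.0.0/13", "152.176.0.0/12"]

# Constructed sample in the assumed layout of the Service Tags JSON download.
# Prefixes are documentation/private ranges, not real Azure addresses.
SAMPLE_JSON = json.dumps({"values": [
    {"name": "AzureActiveDirectory", "properties": {"addressPrefixes": ["198.51.100.0/25", "198.51.100.128/25", "2001:db8::/48"]}},
    {"name": "PowerBI", "properties": {"addressPrefixes": ["203.0.113.0/28"]}},
    {"name": "AzureCloud.eastus2", "properties": {"addressPrefixes": ["192.0.2.0/24", "192.0.2.64/26"]}},
    {"name": "AzureFrontDoor.Frontend", "properties": {"addressPrefixes": ["10.20.0.0/16"]}},
    {"name": "Storage.WestUS", "properties": {"addressPrefixes": ["10.99.0.0/16"]}},
]})

def select_prefixes(tags_json, wanted, extra=()):
    """Return (collapsed IPv4 networks, wanted tags not found in the file)."""
    wanted_lc = {t.lower() for t in wanted}
    found, nets = set(), [ipaddress.ip_network(p) for p in extra]
    for entry in json.loads(tags_json)["values"]:
        if entry["name"].lower() in wanted_lc:  # tag case differs between sources
            found.add(entry["name"].lower())
            for p in entry["properties"]["addressPrefixes"]:
                net = ipaddress.ip_network(p)
                if net.version == 4:  # IPv4 only; IPv6 prefixes are skipped
                    nets.append(net)
    missing = sorted(wanted_lc - found)
    # collapse_addresses merges adjacent and overlapping prefixes into fewer entries
    return list(ipaddress.collapse_addresses(nets)), missing

def asa_object_group(name, nets):
    """Render the networks as an ASA 'object-group network' block."""
    lines = [f"object-group network {name}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in nets]
    return "\n".join(lines)

if __name__ == "__main__":
    nets, missing = select_prefixes(SAMPLE_JSON, WANTED_TAGS, CDN_RANGES)
    if missing:  # a misspelled or retired tag would silently shrink the allowlist
        raise SystemExit(f"service tags not in file: {missing}")
    print(asa_object_group("PBI_GATEWAY_OUT", nets))  # group name is hypothetical
    print(f"! {sum(n.num_addresses for n in nets)} IPv4 addresses allowed")
```

The address count printed at the end makes the breadth of a region-wide tag such as AzureCloud.EastUS2 visible when the rule is reviewed, and the published prefixes change over time, so the group has to be regenerated from a current file.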