There are numerous posts on this forum about how to connect to Azure Storage when there is a firewall present. Here are some examples:
In all cases, a Microsoft representative recommends to "whitelist the IP address of the Power BI Service." This is not a reasonable answer. For one, the link being referenced is being deprecated in a couple of months (June 2020). Second of all, the referenced list of IPs is at the data center level, and accounts for thousands of IP blocks. An Azure Storage account can only support 100 IP rules in a firewall.
Either I am completely missing something, which is certainly possible, or this is a gap in Power BI Service. If I am not missing something: what is the correct way to use the Power BI Service with a secured Azure Storage account?
2 years later... Has anything been done to be able to use Storage with PowerBI securely or we are still in Beta?
I don't believe you have to list each IP address individually; you can do ranges.
Yes, this is correct. The IPs are presented as CIDR blocks in the referenced file and there are about 3000 of them in total and in some situations over 100 in a datacenter.
Hi @phetzel1 ,
Try the reference below:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
I have read through this documentation many times.
What is Microsoft's guidance when accessing a locked down Storage environment in Azure via Power BI? Is it an on-premise data gateway?
Hi @phetzel1 ,
Best Regards,
Kelly
I feel like this is on the right track but unfortunately the list that you've referenced has greater than 100 IP address ranges for Service Bus. Azure Storage is only able to contain up to 100 IP address range exceptions. This is not a workable solution because we would have to leave out about 30 of the listed IP address ranges, not to mention we would not have any room to whitelist our analysts who want to connect to Azure Storage via Power BI Desktop.
What is the Microsoft recommended approach to view data in a secured Azure Storage account through the Power BI Service?
Hi @phetzel1 ,
See details in the public document I shared with you. Find "ServiceBus.XXX"; it is separated by region, starting from about line 23000.
Based on your reply, I:
When I attempted to create a refresh schedule for the dataset, based on both Oauth and Account Key authentication, I received this error message
I then temporarily turned the Storage firewall off and successfully gained access through Account Key authorization. This tells me that my authentication/authorization credentials are correct but I am still running into the same issue as before. I also added the IP Address ranges for Power Query Online in East US 2 without success. What is the Microsoft recommended approach to accessing a secured Storage account via Power BI Service?
Hi @phetzel1 ,
Refer to the IP list used by the service. Choose IP 33544-33873 in AzureCloud.eastus2, for which you only need to configure about 300 rules.
But if available, you'd better use a gateway, for which you only need to configure some firewall rules on the outbound port of the gateway machine, then configure the rules in ADLS2.
Here is the reference.
Once again, having to configure 300 rules is a non-starter because Azure Storage only accepts 100 IP ranges on a whitelist.
To close the loop on this, we have resorted to using an On Premise Data Gateway, which connects to Storage through the new Private Link service. It would be very helpful for the Power BI Service team to prioritize making Power BI Service a member of "Trusted Microsoft Azure services" so that this workaround is not necessary. Having to add an On Premise Data Gateway introduces a server into an otherwise serverless architecture. This server is one of the most expensive components of our solution and adds little value.
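The 100-rule constraint discussed in this thread can be checked before any rules are entered. The following is an added example, not code from any poster or from Microsoft: it assumes the service tags download is JSON shaped as `values[].name` and `values[].properties.addressPrefixes`, uses a hypothetical function name `firewall_rules_for`, and runs on constructed sample data rather than the real file.

```python
import ipaddress

STORAGE_IP_RULE_LIMIT = 100  # per-account IP rule limit stated in the thread

# Constructed sample in the assumed shape of the service tags JSON file.
# The prefixes are illustrative values, not real Azure ranges.
SAMPLE_TAGS = {
    "values": [
        {"name": "ServiceBus.EastUS2",
         "properties": {"addressPrefixes": [
             "203.0.113.0/26", "203.0.113.64/26", "203.0.113.128/25",
             "198.51.100.8/30", "198.51.100.12/30", "2001:db8::/48"]}},
        {"name": "AzureCloud.eastus2",
         # 130 prefixes that cannot be merged with each other
         "properties": {"addressPrefixes": [
             f"10.{i}.0.0/24" for i in range(130)]}},
    ]
}


def firewall_rules_for(tags, tag_name, reserved=0):
    """Return (raw_ipv4_count, collapsed_rules, fits_limit) for one tag.

    reserved = rule slots kept free for other sources, such as analysts
    connecting from Power BI Desktop.
    """
    entry = next((v for v in tags["values"]
                  if v["name"].lower() == tag_name.lower()), None)
    if entry is None:
        raise KeyError(f"service tag not found: {tag_name}")

    nets = [ipaddress.ip_network(p, strict=False)
            for p in entry["properties"]["addressPrefixes"]]
    # Assumption: only IPv4 prefixes are usable as storage IP rules.
    v4 = [n for n in nets if n.version == 4]

    # Merge adjacent and overlapping blocks into the fewest CIDR ranges.
    collapsed = list(ipaddress.collapse_addresses(v4))
    fits = len(collapsed) + reserved <= STORAGE_IP_RULE_LIMIT
    return len(v4), [str(n) for n in collapsed], fits


if __name__ == "__main__":
    for tag in ("ServiceBus.EastUS2", "AzureCloud.eastus2"):
        raw, rules, fits = firewall_rules_for(SAMPLE_TAGS, tag, reserved=10)
        print(f"{tag}: {raw} IPv4 prefixes -> {len(rules)} rules, "
              f"fits within {STORAGE_IP_RULE_LIMIT}: {fits}")
```

Collapsing only helps when the published prefixes happen to be adjacent; a tag whose ranges are scattered still exceeds the limit, which is the situation described above.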