1
votes

I'm looking for some assistance in configuring an ADLS Gen2 which has the firewall enabled and is joined to a VNet so that I can connect to it from ADF.

If I add the IP addresses for the Azure IR to the storage firewall, without adding the VNet, the linked service connection is successful; however, when I add the VNet to the storage, the connection test fails with the generic error message, as if the firewall is blocking the connection.

I have also tried adding the Azure IR IP addresses / DataFactory service tag to the NSG as an inbound rule but this makes no difference, the connection still fails.

Any suggestions?

Thanks


1 Answer

1
votes

If you add the VNets to the firewall of the storage account, it means that you enable a Service endpoint for Azure Storage within the VNet. In this case, access to storage is allowed only from specific subnets.

Currently, Data Factory is a Trusted Service exception in the Azure Storage firewall. Integration runtimes (Azure, Self-hosted, and SSIS) can now connect to Storage without having to be inside the same virtual network or requiring you to allow all inbound connections to the service.

Steps to connect to Azure Storage (using an Azure Blob or Azure Data Lake Gen2 linked service) as a ‘Trusted Service’, from this blog:

  1. Grant Data Factory’s Managed identity access to read data in the storage account’s access control. For more detailed instructions, please refer to this.
  2. Create the linked service using Managed identities for Azure resources authentication.
  3. Modify the firewall settings in the Azure Storage account to select ‘Allow trusted Microsoft Services…’.

For more references: https://towardsdatascience.com/how-to-secure-your-azure-data-factory-pipeline-e2450502cd43
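The three steps above, turned into something checkable. This is an added example, not code from the question, the answer or the linked blog. It assumes you have already dumped the storage account's network rules with `az storage account show --query networkRuleSet` (the `bypass`/`defaultAction`/`ipRules`/`virtualNetworkRules` fields below are the real CLI output shape; the values in `SAMPLE_RULESET` are constructed). `trusted_services_allowed` tells you whether step 3 has been done, `with_trusted_services` shows the corrected rule set, and `linked_service_definition` is the ADF linked service body for step 2: an `AzureBlobFS` linked service with no `servicePrincipalId`/`servicePrincipalKey`/`accountKey` fields is what makes ADF authenticate with its managed identity.

```python
import json

# Constructed sample of `az storage account show --query networkRuleSet` for
# an account in the questioner's state: firewall on (defaultAction Deny), one
# VNet subnet rule, the Azure IR public IPs in ipRules, but trusted-service
# bypass switched off. Subscription/RG/VNet names are placeholders.
SAMPLE_RULESET = {
    "bypass": "None",
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
    "virtualNetworkRules": [
        {
            "action": "Allow",
            "virtualNetworkResourceId": (
                "/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-example/providers/Microsoft.Network"
                "/virtualNetworks/vnet-example/subnets/snet-data"
            ),
        }
    ],
}


def _bypass_set(rule_set: dict) -> set:
    # CLI renders bypass as a comma-separated string, e.g. "AzureServices, Logging"
    raw = rule_set.get("bypass", "") or ""
    return {b.strip() for b in raw.split(",") if b.strip() and b.strip() != "None"}


def trusted_services_allowed(rule_set: dict) -> bool:
    """True if the 'Allow trusted Microsoft services...' exception is on,
    or if the firewall is off entirely (defaultAction Allow)."""
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return True
    return "AzureServices" in _bypass_set(rule_set)


def diagnose(rule_set: dict) -> list:
    """Return human-readable reasons an ADF managed-identity linked service
    would be blocked by this rule set (empty list = nothing found)."""
    findings = []
    if rule_set.get("defaultAction") == "Deny" and not trusted_services_allowed(rule_set):
        findings.append(
            "defaultAction is Deny and bypass lacks AzureServices: "
            "Data Factory is not treated as a trusted service, so the "
            "linked service test will fail regardless of ipRules or VNet rules"
        )
    return findings


def with_trusted_services(rule_set: dict) -> dict:
    """Copy of the rule set with AzureServices added to bypass (step 3).
    Equivalent CLI: az storage account update -n <acct> -g <rg> --bypass AzureServices"""
    fixed = json.loads(json.dumps(rule_set))  # deep copy; never mutate input
    wanted = _bypass_set(fixed) | {"AzureServices"}
    fixed["bypass"] = ", ".join(sorted(wanted))
    return fixed


def linked_service_definition(name: str, account: str) -> dict:
    """ADF linked service for ADLS Gen2 using the factory's managed identity
    (step 2). Omitting every credential property selects MI authentication."""
    return {
        "name": name,
        "properties": {
            "type": "AzureBlobFS",
            "typeProperties": {"url": f"https://{account}.dfs.core.windows.net"},
        },
    }


if __name__ == "__main__":
    for line in diagnose(SAMPLE_RULESET):
        print("finding:", line)
    print(json.dumps(with_trusted_services(SAMPLE_RULESET), indent=2))
    print(json.dumps(linked_service_definition("ls_adls_mi", "examplestorage"), indent=2))
```

Step 1 is the only part not represented here, because it is a role assignment rather than a storage setting: grant the factory's managed identity a data-plane role on the account (for example `az role assignment create --assignee <factory-principal-id> --role "Storage Blob Data Reader" --scope <storage-account-resource-id>`). Without that, the firewall will let the request through but authorization will still fail.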