Azure Data Factory now supports Static IP address ranges

Published 01-20-2020 02:03 AM 25K Views

A vital security goal of an organization is to protect its data stores from random access over the internet, whether they are on-premises or cloud/SaaS data stores.


Typically, a cloud data store controls access using the following mechanisms:

  1. Firewall rules that limit connectivity by IP address
  2. Authentication mechanisms that require users to prove their identity
  3. Authorization mechanisms that restrict users to specific actions and data


With the introduction of the Static IP address range, you can now whitelist the IP ranges for a particular Azure integration runtime region, so you don’t have to allow all Azure IP addresses in your cloud data stores. This way, you can restrict the IP addresses that are permitted to access the data stores.


Note: The IP address ranges are blocked for Azure integration runtime and are currently only used for Data Movement, pipeline and external activities. Dataflows now do not use these IP ranges. If you use Azure-SSIS integration runtime, you can bring your own static public IP addresses (BYOIP) to allow in your firewall rules; see this blog.


This should work in many scenarios. We do understand that a unique Static IP address per integration runtime would be desirable, but this isn't currently possible with the Azure Integration Runtime, which is serverless. If required, you can always set up a Self-hosted Integration Runtime and use your Static IP with it.


Summarizing data access strategies through Azure Data Factory

  1. Trusted Service - Azure Storage (Blob, ADLS Gen2) supports firewall configuration that enables select trusted Azure platform services to access the storage account securely. Trusted Services enforces Managed Identity authentication, which ensures no other data factory can connect to this storage unless whitelisted to do so using its managed identity. You can find more details in this blog. Hence, this is extremely secure and recommended.
  2. Unique Static IP - You will need to set up a self-hosted integration runtime to get a Static IP for Data Factory connectors. This mechanism ensures you can block access from all other IP addresses. If you use Azure-SSIS integration runtime, you can bring your own static public IP addresses (BYOIP) to allow in your firewall rules, see this blog.
  3. Static IP range - You can use the Azure Integration Runtime's IP addresses to whitelist them in your storage (say S3, Salesforce, etc.). It certainly restricts the IP addresses that can connect to the data stores, but it also relies on Authentication/Authorization rules.
  4. Service Tag - A service tag represents a group of IP address prefixes from a given Azure service (like Azure Data Factory). Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. It is useful when whitelisting data access on IaaS hosted data stores in Virtual Network.
  5. Allow Azure Services - Some services let you allow all Azure services to connect to them if you choose this option.
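
An added example (not from the original post) for options 3 and 4 above: a Python check that pulls one region's Data Factory prefixes out of a Service Tags JSON document and compares a data store's firewall allow-list against them. The sample document, its RFC 5737/3849 documentation prefixes and the function names are constructed for illustration; the field names assume the layout of Microsoft's downloadable Service Tags file.

```python
import ipaddress
import json

# Constructed sample in the assumed Service Tags JSON layout; the prefixes are
# documentation ranges, not real Data Factory addresses.
SAMPLE_TAGS = json.loads("""
{"values": [
  {"name": "DataFactory.WestUS2",
   "properties": {"region": "westus2", "systemService": "DataFactory",
                  "addressPrefixes": ["203.0.113.0/26", "198.51.100.128/25",
                                      "2001:db8:1::/48"]}},
  {"name": "DataFactory.EastUS",
   "properties": {"region": "eastus", "systemService": "DataFactory",
                  "addressPrefixes": ["192.0.2.0/25"]}}
]}
""")


def region_prefixes(doc, service, region):
    """Return the IPv4 networks published for one service in one region."""
    nets = []
    for tag in doc["values"]:
        props = tag["properties"]
        if props.get("systemService") == service and props.get("region") == region:
            nets += [ipaddress.ip_network(p) for p in props["addressPrefixes"]]
    return [n for n in nets if n.version == 4]


def within(net, candidates):
    """True if net lies entirely inside one of the candidate networks."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def audit_allowlist(rules, expected):
    """Compare firewall allow rules (CIDR strings) with the expected ranges."""
    parsed = [ipaddress.ip_network(r) for r in rules]
    # Merge adjacent IPv4 rules so a range split across several rules counts as covered.
    merged = list(ipaddress.collapse_addresses(r for r in parsed if r.version == 4))
    return {
        # Rules that admit addresses outside the integration runtime's region ranges.
        "outside_expected": [str(r) for r in parsed if not within(r, expected)],
        # Region ranges the firewall does not fully admit (connections may be denied).
        "missing": [str(e) for e in expected if not within(e, merged)],
    }
```

An entry under `outside_expected` is an allow rule wider than the integration runtime region needs; an entry under `missing` is a published range the firewall would still reject.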



*Applicable only when Azure Data Explorer is VNet injected, and IP range can be applied on NSG/ Firewall. 


Next Steps

See the following related articles for more details:


Senior Member


Great news. But still getting "Access Denied" error when trying to create Linked service for a West US2 "Azure FILE storage" even if we white listed West US2 static IPs. Can you please tell me if I am doing something wrong? Attaching images with "ADF error messages", Azure file share firewall setting and Azure IR properties. Please note that our Azure IR has "Auto resolve" region. Can that be an issue?

Need some urgent help.

[Attached images: ADF linked service for Azure File share.png, Azure file share storage firewall setting.png, Azure IR properties.png]

Senior Member



Found out that ADF to Azure file share connectivity works after white listing Azure IR IPs to the storage account, and as per the document, "white listing IPs" will only work when ADF and Azure file share are in different regions. As a bottom line, ADF will be able to connect to Azure file share by white listing IPs ONLY when ADF and Azure file share are in different document. Please let me know if my understanding is wrong.


For reference:


Regular Visitor

Hi Abhishek,


How to workaround the problem of Dataflow not being able to be associated to a set of IP addresses?


‘Dataflows now do not use these IP ranges.’


@krishna3008 Very shortly we will be previewing 'Managed VNet' support, wherein you would be able to use Private endpoint to connect to data stores securely from an ADF managed VNet. ETA early July. Both Data flows and Data movement would work with this approach.

Occasional Visitor

Hi Abhishek,

Thanks for the article. I was wondering if I MUST HAVE public static IP address on my on-premise environment if I use the self-hosted integration runtime for ADF to create pipeline from on-premise to Azure environment.

Thank you for your response in advance.


Version history
Last update: Feb 25 2020 01:28 AM