A vital security goal of an organization is to protect its data stores from random access over the internet, whether they are on-premises or cloud/SaaS data stores.
Typically a cloud data store controls access using the following mechanisms:
With the introduction of static IP address ranges, you can now whitelist the IP ranges for a particular Azure integration runtime region, so you don't have to allow all Azure IP addresses in your cloud data stores. This way, you can restrict the IP addresses that are permitted to access the data stores.
Note: The IP address ranges are blocked for Azure integration runtime and are currently only used for Data Movement, pipeline and external activities. Dataflows do not use these IP ranges now. If you use Azure-SSIS integration runtime, you can bring your own static public IP addresses (BYOIP) to allow in your firewall rules, see this blog.
Though this should work in many scenarios, we do understand that a unique static IP address per integration runtime would be desirable, but this is not currently possible with the Azure Integration Runtime, which is serverless. If required, you can always set up a Self-hosted Integration Runtime and use your static IP with it.
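The following is an added example, not code from the original post: a Python check that compares a data store's firewall allow-list with the ranges published for one integration runtime region. It assumes the layout of Azure's downloadable Service Tags JSON and the regional tag name `DataFactory.EastUS`; the prefixes and firewall rules are constructed sample values from documentation address space.

```python
import ipaddress
import json

# Constructed sample in the assumed Service Tags JSON layout.
# Prefixes are documentation ranges, not real Azure ranges.
SERVICE_TAGS = json.loads("""
{"values": [
  {"name": "DataFactory.EastUS",
   "properties": {"region": "eastus", "systemService": "DataFactory",
     "addressPrefixes": ["192.0.2.0/25", "198.51.100.64/26", "2001:db8:1::/48"]}},
  {"name": "DataFactory.WestEurope",
   "properties": {"region": "westeurope", "systemService": "DataFactory",
     "addressPrefixes": ["203.0.113.0/24"]}}
]}
""")


def region_prefixes(tags, tag_name):
    """Return the published networks for one regional service tag."""
    for entry in tags["values"]:
        if entry["name"].lower() == tag_name.lower():
            prefixes = entry["properties"]["addressPrefixes"]
            return [ipaddress.ip_network(p) for p in prefixes]
    raise KeyError(f"service tag not found: {tag_name}")


def covered(net, by):
    """True if a single network in `by` contains `net` (same IP version)."""
    return any(net.version == b.version and net.subnet_of(b) for b in by)


def audit_allow_list(firewall_rules, published):
    """Compare firewall allow rules (CIDR strings) with the published ranges.

    A published range that is only covered by several smaller rules combined
    is still reported as missing; each range is checked against single rules.
    """
    rules = [ipaddress.ip_network(r, strict=False) for r in firewall_rules]
    return {
        # Published ranges no rule covers: traffic from them would be blocked.
        "missing": [str(p) for p in published if not covered(p, rules)],
        # Rules admitting addresses beyond the region's published ranges.
        "outside_published": [str(r) for r in rules if not covered(r, published)],
    }


if __name__ == "__main__":
    eastus = region_prefixes(SERVICE_TAGS, "DataFactory.EastUS")
    print(audit_allow_list(["192.0.2.0/25", "198.51.100.0/24"], eastus))
```

Rules reported under `outside_published` are not necessarily wrong (an office egress address would appear there too), but each one should have an owner and a reason.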
*Applicable only when Azure Data Explorer is VNet injected, and IP range can be applied on NSG/ Firewall.
See the following related articles for more details: