I'm dealing with an issue where my Azure Data Factory (ADF) instance is sending traffic to an FTP server, but I'm seeing some of the IPs originate from regions outside the U.S., like the UK. We have Network Security Group (NSG) rules set up to allow traffic from ADF using various Service Tags, specifically for U.S. regions, but even after adding multiple Service Tags, the traffic is still not getting through. To fix it, we had to allow traffic from the broad 'AzureCloud' tag, which isn't ideal since it's too wide of a net. I'm curious why the ADF traffic wouldn't just come from the expected U.S. IPs covered by our specified DataFactory Service Tags. Any insights?
1 Answer
It seems like you're using the AutoResolveIntegrationRuntime for ADF, which can pick up resources from multiple regions. If you want traffic strictly from a specific area, consider setting up a regional Azure Hosted Integration Runtime instead. Here's a detailed article that explains the difference: https://asankap.wordpress.com/2021/10/26/why-you-shouldnt-use-auto-resolve-integration-runtime-in-azure-data-factory-or-synapse/.

Great article - thanks! We initially chose Auto IR because we don't have many jobs, so it seemed like the easiest option. Do you know which Service Tags Auto IR might be coming from? Or would we need to cover all regions if we continue with Auto IR?
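One way to see which Service Tags actually cover the source IPs reaching the FTP server, and which of those your NSG rules do not allow, is to match the observed addresses against Microsoft's downloadable "Azure IP Ranges and Service Tags" JSON. This is an added example, not part of the original thread; the function names are hypothetical, and the sample data is constructed in that file's `values[].properties.addressPrefixes` layout using documentation ranges rather than real Azure prefixes.

```python
import ipaddress
import json

# Constructed sample in the layout of the Service Tags JSON (other fields
# omitted). Prefixes are RFC 5737 documentation ranges, not real Azure IPs.
SAMPLE_SERVICE_TAGS = json.loads("""
{"values": [
  {"name": "DataFactory.EastUS", "properties": {"addressPrefixes": ["192.0.2.0/26"]}},
  {"name": "DataFactory.UKSouth", "properties": {"addressPrefixes": ["198.51.100.0/26"]}},
  {"name": "AzureCloud.uksouth", "properties": {"addressPrefixes": ["198.51.100.0/24", "203.0.113.0/24"]}},
  {"name": "AzureCloud", "properties": {"addressPrefixes": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]}}
]}
""")

def tags_covering(ip, service_tags):
    """Return [(tag, prefix)] for every tag containing ip, narrowest prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for tag in service_tags["values"]:
        for prefix in tag["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == addr.version and addr in net:
                hits.append((tag["name"], prefix, net.prefixlen))
    # Longest prefix first, so the most specific tag is listed before AzureCloud.
    hits.sort(key=lambda h: (-h[2], h[0]))
    return [(name, prefix) for name, prefix, _ in hits]

def uncovered_sources(source_ips, allowed_tags, service_tags):
    """Map each source IP that no allowed tag matches to the tags that do cover it."""
    gaps = {}
    for ip in source_ips:
        covering = [name for name, _ in tags_covering(ip, service_tags)]
        if not any(name in allowed_tags for name in covering):
            gaps[ip] = covering
    return gaps

if __name__ == "__main__":
    # Constructed source IPs, e.g. taken from NSG flow logs or FTP server logs.
    observed = ["192.0.2.10", "198.51.100.20", "203.0.113.5", "10.1.2.3"]
    allowed = {"DataFactory.EastUS"}  # tags currently referenced by the NSG rules
    for ip, tags in uncovered_sources(observed, allowed, SAMPLE_SERVICE_TAGS).items():
        print(ip, "->", tags or "not in any published service tag")
```

Run against the real JSON file and the denied source IPs from your logs, the narrowest tag listed for each address is the candidate to allow instead of the global `AzureCloud` tag.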