Add Azure hosted build agents IP addresses to Analysis Services Firewall rules

Geezer
June 24, 2022
251 views
1 vote
2 Answers

I’m getting the following error when running a cmdlet to refresh a table in AAS via Devops CI/CD deployment pipeline.

##[error]Cannot connect to server ‘xxx’. Client with IP Address ‘20.68.178.187’ is not allowed to access the server. To enable access,
use the Firewall settings in Azure Management Portal. It may take up
to 5 minutes for this change to take effect.

The IP is from a Azure hosted build agent.

Is there a way to enable all Azure IPs in AAS in the same way that can done for Azure SQL here?

The other issue is that whenever we make a change to the AAS instance, the firewall rules get refreshed so we don’t want to have to add the Azure IPs each time.

Answers

- DhanukaJayasinghe
- June 25, 2022 at 5:28 pm
- 0 votes
0
Azure Hosted Agents uses set of public IP addressess from Azure Data Centers. So, you won’t be having one fixed IP set for your Azure Pipeline Agents. Unless, it’s a self-hosted agent. Azure maintains a public list of IP addressess for their Azure Data Centers represent via a Service Tag. Instead specifying all public IP addresses, you can use these service tag in your Azure PaaS service firewall setting to allow traffic.

You can download the list from here. https://www.microsoft.com/en-us/download/details.aspx?id=56519

For example if your Azure DevOps organization is from US geography you can use all the AzureCloud.{usregion} service tags to restrict traffic.

Further readings: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#to-identify-the-possible-ip-ranges-for-microsoft-hosted-agents

Login or Signup to reply.

Based on your requirement, you can use the Azure PowerShell task in Pipeline to run the script to update the agent IP used for each run to the existing firewall rule.

Here are the steps:

Step1: Manully create a firewall rule in Analysis Services.

For example:

Step2: Create a .ps1 file in Azure repo with the following script:

[CmdletBinding()]
param(
    [Parameter(ValueFromPipeline = $true)][String] $ResourceName = "AnalysisServicesName",
    [Parameter(ValueFromPipeline = $true)][String] $ResourceGroup = "ResourceGroupName"
     )

#Setting additional parameters
$ExistingFirewallRuleName = "firewall rule name" 
$PubIPSource = "ipinfo.io/ip"

$AServiceServer = Get-AzAnalysisServicesServer -Name $ResourceName -ResourceGroupName $ResourceGroup
$FirewallRules = ($AServiceServer).FirewallConfig.FirewallRules
$FirewallRuleNameList = $FirewallRules.FirewallRuleName
$powerBi = ($AServiceServer).FirewallConfig.EnablePowerBIService

#Getting previous IP from firewall rule, and new public IP
$PreviousRuleIndex = [Array]::IndexOf($FirewallRuleNameList, $ExistingFirewallRuleName)
$currentIP = (Invoke-WebRequest -uri $PubIPSource -UseBasicParsing).content.TrimEnd()
$previousIP = ($FirewallRules).RangeStart[$PreviousRuleIndex]

#Updating rules if request is coming from new IP address.
if (!($currentIP -eq $previousIP)) {
    Write-Output "Updating Analysis Service firewall config"
    $ruleNumberIndex = 1
    $Rules = @() -as [System.Collections.Generic.List[Microsoft.Azure.Commands.AnalysisServices.Models.PsAzureAnalysisServicesFirewallRule]]

    #Storing Analysis Service firewall rules
    $FirewallRules | ForEach-Object {
        $ruleNumberVar = "rule" + "$ruleNumberIndex"
        #Exception of storage of firewall rule is made for the rule to be updated
        if (!($_.FirewallRuleName -match "$ExistingFirewallRuleName")) {

            $start = $_.RangeStart
            $end = $_.RangeEnd
            $tempRule = New-AzAnalysisServicesFirewallRule `
                -FirewallRuleName $_.FirewallRuleName `
                -RangeStart $start `
                -RangeEnd $end

            Set-Variable -Name "$ruleNumberVar" -Value $tempRule
            $Rules.Add((Get-Variable $ruleNumberVar -ValueOnly))
            $ruleNumberIndex = $ruleNumberIndex + 1
        }
    }
    
    Write-Output $FirewallRules         #Write all FireWall Rules to Host

    #Add rule for new IP
    $updatedRule = New-AzAnalysisServicesFirewallRule `
        -FirewallRuleName "$ExistingFirewallRuleName" `
        -RangeStart $currentIP `
        -RangeEnd $currentIP
    
    $ruleNumberVar = "rule" + "$ruleNumberIndex"
    Set-Variable -Name "$ruleNumberVar" -Value $updatedRule
    $Rules.Add((Get-Variable $ruleNumberVar -ValueOnly))

    #Creating Firewall config object
    if ($powerBi) {
            $conf = New-AzAnalysisServicesFirewallConfig -EnablePowerBiService -FirewallRule $Rules 
        }
    else {       
            $conf = New-AzAnalysisServicesFirewallConfig -FirewallRule $Rules 
        }
    
    #Setting firewall config
    if ([String]::IsNullOrEmpty($AServiceServer.BackupBlobContainerUri)) {
        $AServiceServer | Set-AzAnalysisServicesServer `
            -FirewallConfig $conf `
            -DisableBackup `
            -Sku $AServiceServer.Sku.Name.TrimEnd()
    }
    else {
        $AServiceServer | Set-AzAnalysisServicesServer `
            -FirewallConfig $conf `
            -BackupBlobContainerUri $AServiceServer.BackupBlobContainerUri `
            -Sku $AServiceServer.Sku.Name.TrimEnd()
    
    }
    Write-Output "Updated firewall rule to include current IP: $currentIP"
    Write-Output "Enable Power Bi Service was set to: $powerBi" 
}

Step3: Add Azure PowerShell task and define the arguments.

For example:

- task: AzurePowerShell@5
  displayName: 'Azure PowerShell script: FilePath'
  inputs:
    azureSubscription: kevin0627
    ScriptPath: test.ps1
    ScriptArguments: '-ResourceName  AnalysisServicesName -ResourceGroup  ResourceGroupName'
    azurePowerShellVersion: LatestVersion

When you run the pipeline, it will update the existing firewall rule with the IP of the current agent.

Result:

In this case, you don’t need to manually add all IPs to firewall.

Please signup or login to give your own answer.

Click here to cancel reply.