Recently, I performed a lot of work as a Site Reliability Engineer (SRE) / DevOps Engineer on a project that utilizes Azure Synapse for a large data lake and data processing implementation. Through my duties as SRE, I needed to configure the security of Azure Synapse by adding an allow list for IP Addresses that were allowed to connect to the Azure Synapse Workspace.

The Azure CLI provides the az synapse workspace firewall-rule commands for managing the firewall configuration for Azure Synapse Workspaces. The create and delete commands within it can be used to create and delete IP Addresses from the Azure Synapse Firewall allow list respectively.

Below is a sample command for adding an IP Address range to the allow list of the Azure Synapse Workspace firewall. When adding a single IP Address, the start IP Address (aka --start-ip-address) and end IP Address (--end-ip-address) for the range will need to be set to the single IP Address being added. Otherwise, you can specify the starting and ending IP Addresses in the range.

az synapse workspace firewall-rule create \
  --name <ip-address-name> \
  --start-ip-address <start-ip-address-range> \
  --end-ip-address <end-ip-address-range> \
  --resource-group <resource-group-name> \
  --workspace-name <azure-synapse-workspace-name>

Also, below is a sample command for deleting (or removing) an IP Address from the Azure Synapse Workspace firewall allow list.

az synapse workspace firewall-rule delete \
  --name <ip-address-name> \
  --resource-group <resource-group-name> \
  --workspace-name <azure-synapse-workspace-name> \

In the above Azure CLI az synapse workspace firewall-rule commands, you’ll want to set the following parameters to the appropriate values for your Azure Synapse Workspace:

  • --name is the name given to the IP Address range once it’s added to the Azure Synapse Workspace firewall allow list.
  • --resource-group is the Azure Resource Group name where the Azure Synapse Workspace resides within Azure.
  • --workspace-name is the name of the Azure Synapse Workspace resource of which the firewall allow list will be managed.

Here’s an example usage of the above command to add a specific IP Address to the firewall allow list of an Azure Synapse Workspace instance:

az synapse workspace firewall-rule create \
  --name "SomeMachineThatNeedsAccess" \
  --start-ip-address \
  --end-ip-address \
  --resource-group "MyResourceGroup" \
  --workspace-name "MySynapseWorkspace"

Happing scripting!

Microsoft MVP

Chris Pietschmann is a Microsoft MVP, HashiCorp Ambassador, and Microsoft Certified Trainer (MCT) with 20+ years of experience designing and building Cloud & Enterprise systems. He has worked with companies of all sizes from startups to large enterprises. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive.
HashiCorp Ambassador Microsoft Certified Trainer (MCT) Microsoft Certified: Azure Solutions Architect