Recently, I performed a lot of work as a Site Reliability Engineer (SRE) / DevOps Engineer on a project that utilizes Azure Synapse for a large data lake and data processing implementation. Through my duties as SRE, I needed to configure the security of Azure Synapse by adding an allow list for IP Addresses that were allowed to connect to the Azure Synapse Workspace.
The Azure CLI provides the
az synapse workspace firewall-rule commands for managing the firewall configuration for Azure Synapse Workspaces. The
delete commands within it can be used to create and delete IP Addresses from the Azure Synapse Firewall allow list respectively.
Below is a sample command for adding an IP Address range to the allow list of the Azure Synapse Workspace firewall. When adding a single IP Address, the start IP Address (aka
--start-ip-address) and end IP Address (
--end-ip-address) for the range will need to be set to the single IP Address being added. Otherwise, you can specify the starting and ending IP Addresses in the range.
az synapse workspace firewall-rule create \ --name <ip-address-name> \ --start-ip-address <start-ip-address-range> \ --end-ip-address <end-ip-address-range> \ --resource-group <resource-group-name> \ --workspace-name <azure-synapse-workspace-name>
Also, below is a sample command for deleting (or removing) an IP Address from the Azure Synapse Workspace firewall allow list.
az synapse workspace firewall-rule delete \ --name <ip-address-name> \ --resource-group <resource-group-name> \ --workspace-name <azure-synapse-workspace-name> \ --yes
In the above Azure CLI
az synapse workspace firewall-rule commands, you’ll want to set the following parameters to the appropriate values for your Azure Synapse Workspace:
--nameis the name given to the IP Address range once it’s added to the Azure Synapse Workspace firewall allow list.
--resource-groupis the Azure Resource Group name where the Azure Synapse Workspace resides within Azure.
--workspace-nameis the name of the Azure Synapse Workspace resource of which the firewall allow list will be managed.
Here’s an example usage of the above command to add a specific IP Address to the firewall allow list of an Azure Synapse Workspace instance:
az synapse workspace firewall-rule create \ --name "SomeMachineThatNeedsAccess" \ --start-ip-address 126.96.36.199 \ --end-ip-address 188.8.131.52 \ --resource-group "MyResourceGroup" \ --workspace-name "MySynapseWorkspace"