Home > Back-end >  Add Azure hosted build agents IP addresses to Analysis Services Firewall rules
Add Azure hosted build agents IP addresses to Analysis Services Firewall rules

Time:06-27

I'm getting the following error when running a cmdlet to refresh a table in AAS via Devops CI/CD deployment pipeline.

##[error]Cannot connect to server 'xxx'. Client with IP Address '20.68.178.187' is not allowed to access the server. To enable access, use the Firewall settings in Azure Management Portal. It may take up to 5 minutes for this change to take effect.

The IP is from a Azure hosted build agent.

Is there a way to enable all Azure IPs in AAS in the same way that can done for Azure SQL enter image description here

Step2: Create a .ps1 file in Azure repo with the following script:

[CmdletBinding()]
param(
    [Parameter(ValueFromPipeline = $true)][String] $ResourceName = "AnalysisServicesName",
    [Parameter(ValueFromPipeline = $true)][String] $ResourceGroup = "ResourceGroupName"
     )

#Setting additional parameters
$ExistingFirewallRuleName = "firewall rule name" 
$PubIPSource = "ipinfo.io/ip"

$AServiceServer = Get-AzAnalysisServicesServer -Name $ResourceName -ResourceGroupName $ResourceGroup
$FirewallRules = ($AServiceServer).FirewallConfig.FirewallRules
$FirewallRuleNameList = $FirewallRules.FirewallRuleName
$powerBi = ($AServiceServer).FirewallConfig.EnablePowerBIService

#Getting previous IP from firewall rule, and new public IP
$PreviousRuleIndex = [Array]::IndexOf($FirewallRuleNameList, $ExistingFirewallRuleName)
$currentIP = (Invoke-WebRequest -uri $PubIPSource -UseBasicParsing).content.TrimEnd()
$previousIP = ($FirewallRules).RangeStart[$PreviousRuleIndex]

#Updating rules if request is coming from new IP address.
if (!($currentIP -eq $previousIP)) {
    Write-Output "Updating Analysis Service firewall config"
    $ruleNumberIndex = 1
    $Rules = @() -as [System.Collections.Generic.List[Microsoft.Azure.Commands.AnalysisServices.Models.PsAzureAnalysisServicesFirewallRule]]

    #Storing Analysis Service firewall rules
    $FirewallRules | ForEach-Object {
        $ruleNumberVar = "rule"   "$ruleNumberIndex"
        #Exception of storage of firewall rule is made for the rule to be updated
        if (!($_.FirewallRuleName -match "$ExistingFirewallRuleName")) {

            $start = $_.RangeStart
            $end = $_.RangeEnd
            $tempRule = New-AzAnalysisServicesFirewallRule `
                -FirewallRuleName $_.FirewallRuleName `
                -RangeStart $start `
                -RangeEnd $end

            Set-Variable -Name "$ruleNumberVar" -Value $tempRule
            $Rules.Add((Get-Variable $ruleNumberVar -ValueOnly))
            $ruleNumberIndex = $ruleNumberIndex   1
        }
    }
    
    Write-Output $FirewallRules         #Write all FireWall Rules to Host

    #Add rule for new IP
    $updatedRule = New-AzAnalysisServicesFirewallRule `
        -FirewallRuleName "$ExistingFirewallRuleName" `
        -RangeStart $currentIP `
        -RangeEnd $currentIP
    
    $ruleNumberVar = "rule"   "$ruleNumberIndex"
    Set-Variable -Name "$ruleNumberVar" -Value $updatedRule
    $Rules.Add((Get-Variable $ruleNumberVar -ValueOnly))

    #Creating Firewall config object
    if ($powerBi) {
            $conf = New-AzAnalysisServicesFirewallConfig -EnablePowerBiService -FirewallRule $Rules 
        }
    else {       
            $conf = New-AzAnalysisServicesFirewallConfig -FirewallRule $Rules 
        }
    
    #Setting firewall config
    if ([String]::IsNullOrEmpty($AServiceServer.BackupBlobContainerUri)) {
        $AServiceServer | Set-AzAnalysisServicesServer `
            -FirewallConfig $conf `
            -DisableBackup `
            -Sku $AServiceServer.Sku.Name.TrimEnd()
    }
    else {
        $AServiceServer | Set-AzAnalysisServicesServer `
            -FirewallConfig $conf `
            -BackupBlobContainerUri $AServiceServer.BackupBlobContainerUri `
            -Sku $AServiceServer.Sku.Name.TrimEnd()
    
    }
    Write-Output "Updated firewall rule to include current IP: $currentIP"
    Write-Output "Enable Power Bi Service was set to: $powerBi" 
}

Step3: Add Azure PowerShell task and define the arguments.

For example:

- task: AzurePowerShell@5
  displayName: 'Azure PowerShell script: FilePath'
  inputs:
    azureSubscription: kevin0627
    ScriptPath: test.ps1
    ScriptArguments: '-ResourceName  AnalysisServicesName -ResourceGroup  ResourceGroupName'
    azurePowerShellVersion: LatestVersion

When you run the pipeline, it will update the existing firewall rule with the IP of the current agent.

Result:

enter image description here

In this case, you don't need to manually add all IPs to firewall.

CodePudding user response:

Azure Hosted Agents uses set of public IP addressess from Azure Data Centers. So, you won't be having one fixed IP set for your Azure Pipeline Agents. Unless, it's a self-hosted agent. Azure maintains a public list of IP addressess for their Azure Data Centers represent via a Service Tag. Instead specifying all public IP addresses, you can use these service tag in your Azure PaaS service firewall setting to allow traffic.

You can download the list from here. WestUs2 Service Tag public IP addresses

Further readings: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#to-identify-the-possible-ip-ranges-for-microsoft-hosted-agents

  • Related