Frequently asked questions about Analysis Services network connectivity

This article provides answers to common questions about connecting to storage accounts, data sources, firewalls, and IP addresses.

Backup and restore

How can I backup and restore using a storage account that is behind a firewall?

Azure Analysis Services does not use fixed IP addresses or Service Tags. The range of IP addresses your Analysis Services servers use can be anything in the range of IP addresses for the Azure region. Because your server IP addresses are variable and can change over time, your firewall rules need to allow for the entire range of Azure region IP addresses your server is in.

My Azure storage account is in a different region from my Analysis Services server. How do I configure storage account firewall settings?

If the storage account is in a different region, configure storage account firewall settings to allow access from Selected networks. In Firewall Address range, specify the IP address range for the region the Analysis Services server is in. To get the IP ranges for Azure regions, see Azure IP Ranges and Service Tags - China Cloud. Configuring storage account firewall settings to allow access from All networks is supported, however choosing Selected networks and specifying an IP address range is preferred.

My Azure storage account is in the same region as my Analysis Services server. How can I configure storage account firewall settings?

Because your Analysis Services server and storage account are in the same region, communications between them use internal IP address ranges, therefore, configuring a firewall to use Selected networks and specifying an IP address range is not supported. If organization policies require a firewall, it must be configured to allow access from All networks.

Data source connections

I have a VNET for my data source system. How can I allow my Analysis Services servers to access the database from the VNET?

Azure Analysis Services is unable to join a VNET. The best solution here is to install and configure an On-premises Data Gateway on the VNET, and then configure your Analysis Services servers with the AlwaysUseGateway server property. To learn more, see Use gateway for data sources on an Azure Virtual Network (VNet).

I have a source database behind a firewall. How can I configure the firewall to allow my Analysis Services server to access it?

Azure Analysis Services does not use fixed IP addresses or Service Tags. The range of IP addresses your Analysis Services servers use can be anything in the range of IP addresses for the Azure region. You have to provide the full range of IP addresses for the Azure region of your server in the source database firewall rules. Another, and possibly more secure, alternative is to configure an On-premises Data Gateway. You can then configure your Analysis Services servers with the AlwaysUseGateway server property, and then ensure the On-premises Data Gateway has an IP address allowed by the firewall rules of the data source.

Azure apps with IP address

I use an Azure-based application (for example, Azure Functions, Azure Data Factory) with an IP address that changes on the fly. How can I manage the Azure Analysis Services firewall rules to dynamically allow the IP address where my app is executing?

Azure Analysis Services does not support Private Links, VNETs, or Service Tags. There are some open-source solutions (for example, https://github.com/mathwro/Scripts/blob/master/Azure/AllowAzure-AnalysisServer.ps1) that detect the IP address of the client application, and automatically and temporarily update the firewall rules.