For Azure Batch inbound networking, the source is scoped to AzureCloud (or Internet). In the long comment it states that Data Factory creates a NIC-level NSG, and that only Data Factory IPs are allowed to the VMs. Are the "Data Factory IPs" inclusive of whatever IPs Azure Batch uses to access the VMs? What are these "Data Factory IPs", and can we manage them at the subnet level as well? Although the "Data Factory IPs" are (I think) public, is the traffic routed over the Azure backbone? I'm trying to explain all this to some Architectural Review Board. :)
Hi @christianHamson, thank you for your feedback! We will review and update as appropriate.
It's correct that "Data Factory IPs" are inclusive of Azure Batch IPs that are used to access/manage SSIS IR nodes/VMs. They're dynamic and a new NIC-level NSG is automatically created whenever SSIS IR is restarted, so you shouldn't manage/restrict them with a subnet-level NSG. Traffic between ADF infra, including Azure Batch, and SSIS IR is always routed over our Azure backbone.
@christianHamson We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.