Power BI Dataflow access network restricted Azure Storage Account

Question

I'm using Power BI Dataflows to access spreadsheets I have in blob storage. I have configured IAM permissions on the storage account for myself and the Power BI Service user. The network configuration is set to 'Allow trusted Microsoft services to access this storage account' and 'Microsoft network routing endpoint' preferences.

First Test: Storage Account allowing access from all networks

I am able to access the spreadsheet from the Power BI Service and perform transformations.

Second Test: Storage Account allowing only selected networks

In this case, I have added a group of CIDR blocks for other services that need to access the storage account. I have also added the whitelists for the Power BI Service and PowerQueryOnline service using both the deprecated list and new json list.

When running the same connection from Power BI Service Dataflows I now get the 'Invalid Credentials' error message. After turning on logging for the storage account and running another successful test it looks like the requests are coming from private IP addresses (10.0.1.6), not any of the public ranges.

2.0;2020-09-18T12:57:17.0000567Z;ListFilesystems;OAuthSuccess;200;4;4;bearer;restrictiedmobacc;restrictiedmobacc;blob;"https://restrictiedmobacc.dfs.core.windows.net/?resource=account";"/restrictiedmobacc";7a6efbbd-e01f-004c-31bb-8d39a9000000;0;10.0.1.6;2018-06-17;2185;0;184;108;0;;;"gzip, deflate";Monday, 01-Jan-01 00:00:00 GMT;;"Microsoft.Data.Mashup (https://go.microsoft.com/fwlink/?LinkID=304225)";;"f5d7d551-0291-e765-f20d-09a337164e19";"31cae3e8-e77a-4db2-9050-a69c0555d912";"2f6a613f-ba8c-4432-bdb8-9a0ea0a9f51d";"b52893c8-bc2e-47fc-918b-77022b299bbc";"https://storage.azure.com";"https://sts.windows.net/2f6a613f-ba8c-4432-bdb8-9a0ea0a9f51d/";"<MY EMAIL ADDRESS>";;"{&quot;action&quot;:&quot;Microsoft.Storage/storageAccounts/blobServices/containers/read&quot;, &quot;roleAssignmentId&quot;:&quot;9fe216db-d682-462c-b408-4133a454ef1a&quot;, &quot;roleDefinitionId&quot;:&quot;8e3af657-a8ff-443c-a75c-2fe8c4bcb635&quot;, &quot;principals&quot;: [{&quot;id&quot;: &quot;31cae3e8-e77a-4db2-9050-a69c0555d912&quot;, &quot;type&quot;:&quot;User&quot;}], &quot;denyAssignmentId&quot;:&quot;&quot;}"

I'm at a loss as what to try next, it is a requirement that this storage account not be open to the world. I have read that you can use a On Premise Data Gateway so that you can lock the address range down to that device, but I don't really want to go down that route.

Answer 1

After speaking with Microsoft Support I have been told

It is not possible to connect Power BI Service with a storage account that has restricted network access enabled.

However, after doing some reading on Azure Data Factory I noticed a statement...

"Services deployed in the same region as the storage account use private IP addresses for communication. Thus, you cannot restrict access to specific Azure services based on their public outbound IP address range."

Therefore I created a storage account in UK West with our Power BI Service in UK South. Looking at logs on the storage account I can now see requests from Power BI coming over a 51.0.0.0/8 range instead of private addresses. By adding 51.0.0.0/8 to the allowed CIDRs, Power BI Service Dataflows can now access the spreadsheets stored in the Datalake.

Answer 2

Have you tried to enable a Service endpoint for Azure Storage within the VNet? The service endpoint routes traffic from the VNet through an optimal path to the Azure Storage service.

Could you also check if you have whitelisted the following links, you will find them in this link:

https://docs.microsoft.com/en-us/power-bi/admin/power-bi-whitelist-urls

Kr,

Abdel