How to automatically add your DevOps IP to Azure Analysis Services Firewall

Without adding the complete range of the datacentre

Since October 2017 it is possible to configure a firewall on your Azure Analysis Services. It is recommended to do this since it adds an extra layer of protection to your AAS. By default, AAS accepts all incoming network traffic from any client.

To be honest the firewall has very basic functionalities. Apart from on or off, there is a ‘Allow access from the Power BI Service’ button. Which I’m happy with is there, since it makes life a little bit easier. And there is functionality to add and delete IP-ranges. It does not have an option, like Azure SQL Server, to ‘allow all azure services’ (Basically, this adds all MS Azure Datacentres to a rule, not limited to your own subscription).

In this particular case, I’m using Azure DevOps for my repo and Azure Pipelines for a Continuous Integration and Delivery strategy. To manage the model, we have configured a couple of Logic Apps, in combination with the REST API, to Resume, Suspend, and Refresh the model.

So, enabling the Firewall on my AAS means that these clients are not able to do their work unless we add their IP address to the Firewall config. In this example, we will focus on Azure DevOps and how to allow traffic from the agent used in our CI/CD process.

The introduction article has some suggestions on how to overcome this problem. But also states, it is recommended to limit the number of rules to the absolutely necessary.

So how do we bring this back to just one rule?! Here is how we solved it.

PowerShell Script

The solution we implemented, involves a PowerShell script to set the firewall config. Apparently, more people run into the same challenge. We reused and altered the script a bit. The original is linked below.

Currently, it is not possible to alter or delete a single rule with the available PowerShell cmdlets. The only available commands are New-AzAnalysisServicesFirewallRule and New-AzAnalysisServicesFirewallConfig.

The script takes the currently applied firewall rules and the setting for the Power BI service. Stores these rules and updates the public IP address for the defined rule if needed and sets the firewall config on the Analysis Services.

	#Author – Arthur Steijn // Motion10 // 20200708
	#Original from Mathias Wrobel // Innofactor A/S

	#Other sites to provide IPv4 public address with this type of request

	<#
	http://ipinfo.io/ip
	http://ifconfig.me/ip
	http://icanhazip.com
	http://ident.me
	http://smart-ip.net/myip
	#>

	# Set Parameters
	[CmdletBinding()]
	param(
	[Parameter(ValueFromPipeline = $true)][String] $ResourceName = "AnalysisServicesName",
	[Parameter(ValueFromPipeline = $true)][String] $ResourceGroup = "ResourceGroupName"
	)

	#Setting additional parameters
	$ExistingFirewallRuleName = "AzureDevOps"
	$PubIPSource = "ipinfo.io/ip"

	$AServiceServer = Get-AzAnalysisServicesServer –Name $ResourceName –ResourceGroupName $ResourceGroup
	$FirewallRules = ($AServiceServer).FirewallConfig.FirewallRules
	$FirewallRuleNameList = $FirewallRules.FirewallRuleName
	$powerBi = ($AServiceServer).FirewallConfig.EnablePowerBIService

	#Getting previous IP from firewall rule, and new public IP
	$PreviousRuleIndex = [Array]::IndexOf($FirewallRuleNameList, $ExistingFirewallRuleName)
	$currentIP = (Invoke-WebRequest –uri $PubIPSource –UseBasicParsing).content.TrimEnd()
	$previousIP = ($FirewallRules).RangeStart[$PreviousRuleIndex]

	#Updating rules if request is coming from new IP address.
	if (!($currentIP -eq $previousIP)) {
	Write-Output "Updating Analysis Service firewall config"
	$ruleNumberIndex = 1
	$Rules = @() -as [System.Collections.Generic.List[Microsoft.Azure.Commands.AnalysisServices.Models.PsAzureAnalysisServicesFirewallRule]]

	#Storing Analysis Service firewall rules
	$FirewallRules \| ForEach-Object {
	$ruleNumberVar = "rule" + "$ruleNumberIndex"
	#Exception of storage of firewall rule is made for the rule to be updated
	if (!($_.FirewallRuleName -match "$ExistingFirewallRuleName")) {

	$start = $_.RangeStart
	$end = $_.RangeEnd
	$tempRule = New-AzAnalysisServicesFirewallRule `
	–FirewallRuleName $_.FirewallRuleName `
	–RangeStart $start `
	–RangeEnd $end

	Set-Variable –Name "$ruleNumberVar" –Value $tempRule
	$Rules.Add((Get-Variable $ruleNumberVar –ValueOnly))
	$ruleNumberIndex = $ruleNumberIndex + 1
	}
	}

	Write-Output $FirewallRules #Write all FireWall Rules to Host

	#Add rule for new IP
	$updatedRule = New-AzAnalysisServicesFirewallRule `
	–FirewallRuleName "$ExistingFirewallRuleName" `
	–RangeStart $currentIP `
	–RangeEnd $currentIP

	$ruleNumberVar = "rule" + "$ruleNumberIndex"
	Set-Variable –Name "$ruleNumberVar" –Value $updatedRule
	$Rules.Add((Get-Variable $ruleNumberVar –ValueOnly))

	#Creating Firewall config object
	if ($powerBi) {
	$conf = New-AzAnalysisServicesFirewallConfig –EnablePowerBiService –FirewallRule $Rules
	}
	else {
	$conf = New-AzAnalysisServicesFirewallConfig –FirewallRule $Rules
	}

	#Setting firewall config
	if ([String]::IsNullOrEmpty($AServiceServer.BackupBlobContainerUri)) {
	$AServiceServer \| Set-AzAnalysisServicesServer `
	–FirewallConfig $conf `
	–DisableBackup `
	–Sku $AServiceServer.Sku.Name.TrimEnd()
	}
	else {
	$AServiceServer \| Set-AzAnalysisServicesServer `
	–FirewallConfig $conf `
	–BackupBlobContainerUri $AServiceServer.BackupBlobContainerUri `
	–Sku $AServiceServer.Sku.Name.TrimEnd()

	}
	Write-Output "Updated firewall rule to include current IP: $currentIP"
	Write-Output "Enable Power Bi Service was set to: $powerBi"
	}

view raw AddDevOpsIpToAAS.ps1 hosted with ❤ by GitHub

Azure Pipelines Task

We added an Azure PowerShell Task to the tasks of our deployment pipeline. This step is executed before the deployment of the model.bim. Make sure the service connection has the appropriate permissions on the AAS to perform the actions defined in the PowerShell script. You can find an example in yaml in here

	steps:
	– task: AzurePowerShell@5
	inputs:
	azureSubscription: 'YourAzureSubscriptionOrServiceConnection'
	ScriptType: 'FilePath'
	ScriptPath: 'AddDevOpsIpToAAS.ps1'
	ScriptArguments: '-ResourceName "YourAnalysisServicesName" -ResourceGroup "YourResourceGroupName"'
	azurePowerShellVersion: 'LatestVersion'