Posted by

Posted on

September 30, 2024

Posted under

Comments

Resolving ADF Pipeline Errors: “Client Address Not Authorized” by Whitelisting IP Addresses for Azure Key Vault

When working with Azure Data Factory (ADF) pipelines, secure communication between various Azure services is crucial, especially when accessing sensitive data stored in resources like Azure Key Vault. Recently, while executing an ADF pipeline, I encountered the following error message:

Operation on target Web URLToken TenantId failed: {“error”:{“code”:”Forbidden”,”message”:”Client address is not authorized and caller is not a trusted service.\r\nClient address: xx.xx.xx.xxx\r\nCaller: appid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx;oid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx;providers/Microsoft.DataFactory/factories/datafactoryjb;abc_er_sde=/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/jb_ADF_RG/providers/Microsoft.DataFactory/factories/datafactoryjb\r\nVault: jbkeyvault;location=northeurope”,”innererror”:{“code”:”ForbiddenByFirewall”}}}

This error indicates that the client address attempting to access the Azure Key Vault was not authorized, preventing the pipeline from retrieving necessary secrets stored in the vault. The root cause of this issue was that the Azure Key Vault had strict network security settings that only allowed authorized IP addresses to access it. The ADF instance running in the North Europe region was not on the list of authorized addresses, causing the connection to be blocked.

In this blog post, I will walk you through how I resolved the issue by whitelisting the required IP addresses for Data Factory and ensuring secure communication between Azure Data Factory and Azure Key Vault.

Understanding the Error: Client Address Not Authorized

The error message received during the pipeline execution highlights two key aspects:

Client Address Not Authorized: The IP address attempting to connect to the Key Vault (ADF service in this case) was not whitelisted, which led to the request being blocked by the Key Vault’s firewall.
Forbidden by Firewall: The error code ForbiddenByFirewall suggests that the Key Vault is configured with firewall rules that only allow specific IP addresses to access it.

By default, Azure Key Vault can restrict access to its secrets by using firewall settings to specify which IP ranges or services are allowed to connect. This provides an extra layer of security, but in this case, it became an obstacle because the IP addresses associated with the ADF instance were not permitted.

Steps to Resolve the Issue

To resolve this issue, I followed these steps to add the necessary IP addresses to the Azure Key Vault’s firewall settings:

1. Identify the Region of the Azure Data Factory

The first step was to identify the region in which my Azure Data Factory instance was running. In this case, the ADF instance was running in the North Europe region, as seen from the error message and confirmed in the Azure portal.

2. Retrieve the IP Address Range for ADF in North Europe

Azure services like Data Factory operate from a specific set of IP ranges depending on the region they are deployed in. Microsoft publishes the IP address ranges for each service and region, which are updated periodically. You can download the full list of IP ranges for different Azure services and regions from this Microsoft link.

In this case, the required IP addresses for Data Factory in the North Europe region were as follows:

{
  "name": "DataFactory.NorthEurope",
  "id": "DataFactory.NorthEurope",
  "properties": {
    "changeNumber": 7,
    "region": "northeurope",
    "regionId": 17,
    "platform": "Azure",
    "systemService": "DataFactory",
    "addressPrefixes": [
      "4.207.242.72/29",
      "13.69.230.96/28",
      "13.74.108.224/28",
      "20.38.80.192/26",
      "20.38.82.0/23",
      "20.50.68.56/29",
      "20.223.64.60/32",
      "20.223.65.144/29",
      "48.209.130.96/28",
      "48.209.130.112/29",
      "52.138.229.32/28"
    ]
  }
}

You can get the details from Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center.

These IP addresses need to be whitelisted in the Azure Key Vault to allow ADF to access the secrets.

3. Whitelist the IP Addresses in Azure Key Vault

To whitelist the necessary IP ranges, follow these steps:

Navigate to the Azure Key Vault in the Azure portal.
Select Networking from the left-side menu.
Under Firewalls and virtual networks, ensure that you have selected to allow access from selected networks.
Add the necessary IP address ranges to the firewall rules:
- “4.207.242.72/29”
- “13.69.230.96/28”
- “13.74.108.224/28”
- “20.38.80.192/26”
- “20.38.82.0/23”
- “20.50.68.56/29”
- “20.223.64.60/32”
- “20.223.65.144/29”
- “48.209.130.96/28”
- “48.209.130.112/29”
- “52.138.229.32/28”
Once the IP addresses are added, save the changes to apply the updated firewall rules.

4. Validate the Pipeline Run

After whitelisting the required IP addresses in the Key Vault, I re-ran the Azure Data Factory pipeline. This time, the pipeline successfully connected to the Key Vault and retrieved the required secrets, and the entire workflow executed without any issues.

Conclusion

The error "Client address is not authorized" occurred because the Azure Key Vault was configured with strict firewall rules, preventing Azure Data Factory from accessing it. By identifying the region of the ADF instance and retrieving the correct IP ranges for that region, I was able to whitelist the necessary addresses and resolve the issue.

This process highlights the importance of maintaining secure communication between Azure services, and how careful configuration of firewall rules can help both secure and enable workflows. Always ensure that the IP ranges for the services you are using are updated and whitelisted in sensitive resources like Azure Key Vault to prevent any disruptions in your pipelines.

Additional Resources:

Regards;
Vivek Janakiraman

Disclaimer:
The views expressed on this blog are mine alone and do not reflect the views of my company or anyone else. All postings on this blog are provided “AS IS” with no warranties, and confers no rights.

Posted by

Vivek Janakiraman

Posted on

August 3, 2024

Posted under

SQL Server 2022

Comments

Deploying and Managing SQL Server 2022 on Kubernetes: A Comprehensive Guide

Kubernetes has become a popular choice for managing containerized applications, and SQL Server 2022 is no exception. This guide will walk you through deploying and managing SQL Server 2022 on Kubernetes, offering examples and screenshots to illustrate the process.

🛠️ Prerequisites

Before diving into the deployment, ensure you have the following:

Kubernetes Cluster: A running Kubernetes cluster (e.g., Minikube, Azure Kubernetes Service, Amazon EKS).
kubectl: The Kubernetes command-line tool, installed and configured.
Docker: Installed for container image management.

🏗️ Step-by-Step Deployment

1. Create a Namespace

Namespaces in Kubernetes help organize your resources. Let’s create one for SQL Server:

kubectl create namespace sqlserver

2. Persistent Storage Setup

SQL Server requires persistent storage for data. We’ll use Persistent Volume (PV) and Persistent Volume Claim (PVC).

Persistent Volume (PV) Definition:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: sql-pv
  namespace: sqlserver
spec:
  capacity:
    storage: 20Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /mnt/sqlserver

Persistent Volume Claim (PVC) Definition:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sql-pvc
  namespace: sqlserver
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

Apply these configurations:

kubectl apply -f sql-pv.yaml
kubectl apply -f sql-pvc.yaml

3. Deploying SQL Server 2022

Create a Deployment manifest for SQL Server:

Deployment YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sqlserver-deployment
  namespace: sqlserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sqlserver
  template:
    metadata:
      labels:
        app: sqlserver
    spec:
      containers:
      - name: sqlserver
        image: mcr.microsoft.com/mssql/server:2022-latest
        ports:
        - containerPort: 1433
        env:
        - name: ACCEPT_EULA
          value: "Y"
        - name: MSSQL_SA_PASSWORD
          value: "YourStrongPassword!"
        volumeMounts:
        - name: mssql-data
          mountPath: /var/opt/mssql
      volumes:
      - name: mssql-data
        persistentVolumeClaim:
          claimName: sql-pvc

Apply the deployment:

kubectl apply -f sqlserver-deployment.yaml

4. Exposing SQL Server

To access SQL Server externally, create a Service:

Service YAML:

apiVersion: v1
kind: Service
metadata:
  name: sqlserver-service
  namespace: sqlserver
spec:
  type: LoadBalancer
  ports:
  - port: 1433
    targetPort: 1433
  selector:
    app: sqlserver

Apply the service configuration:

kubectl apply -f sqlserver-service.yaml

🔍 Managing SQL Server on Kubernetes

1. Scaling

To scale SQL Server instances, modify the replicas field in the Deployment YAML:

spec:
  replicas: 3

Apply the changes:

kubectl apply -f sqlserver-deployment.yaml

2. Monitoring

Monitor the SQL Server pods and services using kubectl:

kubectl get pods -n sqlserver
kubectl get svc -n sqlserver

For detailed logs:

kubectl logs <pod-name> -n sqlserver

3. Updating SQL Server Image

To update the SQL Server container image, modify the image field in the Deployment YAML and apply the changes:

image: mcr.microsoft.com/mssql/server:2022-latest

kubectl apply -f sqlserver-deployment.yaml

4. Backup and Restore

Backup: Use the sqlcmd tool or any SQL Server Management tool to perform a backup.

Restore: Similarly, use sqlcmd or another tool to restore from a backup.

Example backup command:

BACKUP DATABASE [YourDatabase] TO DISK = '/var/opt/mssql/backup/YourDatabase.bak'

🏁 Conclusion

Deploying and managing SQL Server 2022 on Kubernetes provides flexibility and scalability for your containerized environments. By following the steps outlined in this guide, you can set up SQL Server, scale it, monitor performance, and perform backups and updates with ease.

Kubernetes and SQL Server 2022 together form a powerful combination for modern cloud-native applications. If you have any questions or run into issues, feel free to explore the official documentation or community forums. Happy deploying! 🚀

For more tutorials and tips on SQL Server, including performance tuning and database management, be sure to check out our JBSWiki YouTube channel.

Thank You,
Vivek Janakiraman

Posted by

Vivek Janakiraman

Posted on

July 27, 2024

Posted under

Core, SQL Server 2022

Comments

Automation and DevOps with SQL Server 2022: Integrating CI/CD and Automation Tools

In the modern development landscape, the integration of DevOps practices and automation is crucial for delivering high-quality software efficiently. SQL Server 2022 brings a host of new features and improvements that make it easier than ever to integrate database management into DevOps workflows. This blog post will explore how to leverage SQL Server 2022 in DevOps pipelines, focusing on Continuous Integration/Continuous Deployment (CI/CD) and automation tools.

🚀 The Role of DevOps in Database Management

DevOps emphasizes collaboration between development and operations teams, aiming to deliver applications and services more efficiently. In the context of databases, DevOps practices help ensure that database changes are integrated, tested, and deployed as seamlessly as application code. Key benefits include:

Improved collaboration between developers and DBAs.
Faster delivery cycles through automated deployments.
Reduced risk with consistent and repeatable processes.

🛠️ Setting Up CI/CD for SQL Server 2022

Continuous Integration (CI) and Continuous Deployment (CD) are fundamental components of a DevOps strategy. CI involves automatically integrating and testing code changes, while CD automates the deployment of these changes to production.

1. Database Version Control

Version control is a critical aspect of CI/CD. Tools like Git can be used to track changes to database schema and code. SQL Server 2022 works seamlessly with version control systems, allowing you to manage your database scripts (e.g., schema, stored procedures, functions) just like application code.

2. Automated Builds and Testing

Automating the build and testing process is crucial for catching issues early. Here’s how to set it up:

SQL Server Data Tools (SSDT): Use SSDT to create and manage database projects in Visual Studio. It allows you to define the database schema as code and includes tools for schema comparison and deployment.
Azure DevOps Pipelines: Azure DevOps provides robust CI/CD capabilities. You can define pipelines that automatically build your database project, run unit tests, and deploy changes. For example:

trigger:
  - main

pool:
  vmImage: 'windows-latest'

steps:
  - task: UseDotNet@2
    inputs:
      packageType: 'sdk'
      version: '3.x.x'

  - task: NuGetToolInstaller@1

  - task: NuGetCommand@2
    inputs:
      restoreSolution: '$(solution)'

  - task: VSBuild@1
    inputs:
      solution: '**/*.sln'
      msbuildArgs: '/p:DeployOnBuild=true /p:PublishProfile=$(publishProfile)'

  - task: PublishTestResults@2
    inputs:
      testRunner: 'VSTest'
      testResultsFiles: '**/*.trx'

Automated Testing: Incorporate automated tests to validate database changes. Use tools like tSQLt, a unit testing framework for T-SQL, to write and execute tests. This ensures that your changes do not introduce regressions.

3. Continuous Deployment

Continuous Deployment extends CI by automating the deployment of code changes to various environments, including staging and production.

Database Migration Tools: Tools like Flyway and Liquibase can automate database migrations, ensuring that schema changes are applied consistently across environments.
Release Management: Use release management tools like Octopus Deploy or Azure DevOps Release Pipelines to orchestrate deployments. These tools provide features like approvals, rollbacks, and environment-specific configurations.

⚙️ Automation Tools in SQL Server 2022

SQL Server 2022 includes several features and integrations that facilitate automation:

1. SQL Server Agent

SQL Server Agent is a powerful job scheduling tool that can automate routine tasks, such as backups, index maintenance, and monitoring. You can integrate SQL Server Agent jobs into your CI/CD pipelines to automate post-deployment tasks.

2. PowerShell and dbatools

PowerShell is a versatile scripting language that can automate various SQL Server tasks. The dbatools module, in particular, provides a rich set of cmdlets for managing SQL Server instances, databases, and backups.

Example: Automating backup verification using dbatools:

Install-Module dbatools
Import-Module dbatools

$servers = "Server1", "Server2"
foreach ($server in $servers) {
    Test-DbaLastBackup -SqlInstance $server -Databases master, msdb, model
}

3. Azure Automation

Azure Automation allows you to automate management tasks using runbooks. For SQL Server, you can create runbooks to automate tasks like scaling, backup management, and monitoring.

🌐 Hybrid and Cloud Integration

SQL Server 2022 is designed with cloud and hybrid environments in mind, making it easier to manage and automate SQL Server across on-premises and cloud platforms. Key integrations include:

Azure Arc: Azure Arc-enabled data services allow you to manage SQL Server instances across different environments, providing a unified management experience.
Azure DevOps and GitHub Actions: These platforms provide cloud-native CI/CD solutions that integrate seamlessly with SQL Server, enabling automated deployments to Azure SQL Database, SQL Managed Instance, and on-premises SQL Server instances.

🔄 Best Practices for Database DevOps

Treat Database Schema as Code: Use version control for database schema changes to maintain a history and enable collaboration.
Automate Everything: From builds and tests to deployments and backups, automation reduces the risk of human error and ensures consistency.
Implement Robust Testing: Use unit tests, integration tests, and automated testing frameworks to validate changes.
Monitor Continuously: Use monitoring tools to track the performance and health of your databases, ensuring that any issues are detected early.
Plan for Rollbacks: Always have a rollback plan in place in case of deployment failures. This might include database backups or transactional scripts.

🚀 Conclusion

SQL Server 2022 brings powerful new features and integrations that make it an excellent choice for DevOps practices. By implementing CI/CD pipelines and automation tools, you can streamline database management, improve collaboration, and accelerate the delivery of high-quality software. Whether you’re working in a purely on-premises environment, in the cloud, or in a hybrid setup, SQL Server 2022 provides the flexibility and capabilities needed to succeed in today’s fast-paced development world.

For more tutorials and tips on SQL Server, including performance tuning and database management, be sure to check out our JBSWiki YouTube channel.

Thank You,
Vivek Janakiraman

JBs Wiki

Tag Archives: DevOps

Resolving ADF Pipeline Errors: “Client Address Not Authorized” by Whitelisting IP Addresses for Azure Key Vault

Understanding the Error: Client Address Not Authorized

Steps to Resolve the Issue

1. Identify the Region of the Azure Data Factory

2. Retrieve the IP Address Range for ADF in North Europe

3. Whitelist the IP Addresses in Azure Key Vault

4. Validate the Pipeline Run

Conclusion

Additional Resources: