Configure your Firewall
The following servers and ports used by Jet Analytics Data Integration and the Ingest Service must be opened in your firewall settings.
Jet Analytics Data Integration
The Jet Analytics Data Integration desktop software must be able to reach the following URLs.
Instance databases:
- West Europe:
- sql-instances-prod.database.windows.net
- sql-instances-prod-002.database.windows.net
- South East Asia:
- sql-instances-southeastasia-prod-001.database.windows.net
- Central US:
- sql-instances-centralus-prod-001.database.windows.net
New instances may be created on sql-instances-prod-002.database.windows.net once the first server reaches its database limit. Both servers may need to be allowed in your firewall configuration.
- Server outside Azure (on-premises): Port 1433 (standard SQL Server port)
- Server inside Azure: Port range 11000–11999
Note: IP addresses for these endpoints can change over time and do not always resolve to the same addresses across machines. The current IP ranges published by Microsoft are available at microsoft.com/en-us/download/details.aspx?id=56519. For Azure firewalls, allow traffic for the service tag Sql.WestEurope to handle these ranges automatically. More advanced on-premises firewalls can also work with these tags. Where automatic tag-based rules are not possible, automate the process using a PowerShell script to download the latest IP list, extract the ranges for the relevant tags, and update firewall rules accordingly. As an alternative to opening the full port range, including the Sql service tag in your firewall rules is sufficient.
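One way to script the tag-to-rule update described in the note, as an added example that is not part of the vendor documentation. It assumes Windows Defender Firewall on the application server and that the dated Service Tags JSON file has already been downloaded from the Microsoft page; the rule naming scheme and the sample JSON (documentation address ranges) are constructed for illustration.

```powershell
# Added example; rule names and the sample JSON are constructed, not from the vendor.
# Real input: the ServiceTags_Public_<date>.json file downloaded from the Microsoft page.
$sampleJson = @'
{ "changeNumber": 1, "cloud": "Public", "values": [
  { "name": "Sql.WestEurope",        "properties": { "addressPrefixes": ["192.0.2.0/25", "2001:db8:1::/48"] } },
  { "name": "ServiceBus.WestEurope", "properties": { "addressPrefixes": ["198.51.100.0/26"] } },
  { "name": "EventHub.WestEurope",   "properties": { "addressPrefixes": ["198.51.100.0/26", "203.0.113.0/28"] } },
  { "name": "Storage.WestEurope",    "properties": { "addressPrefixes": ["203.0.113.128/25"] } }
] }
'@

# Tag -> remote TCP ports, taken from the port lists on this page.
$tagPorts = @{
    'Sql.WestEurope'        = @('1433', '11000-11999')
    'ServiceBus.WestEurope' = @('5671', '5672')
    'EventHub.WestEurope'   = @('5671', '5672')
}

function Get-ServiceTagPrefix {
    param([Parameter(Mandatory)][string]$Json, [Parameter(Mandatory)][string]$Tag)
    $entry = ($Json | ConvertFrom-Json).values | Where-Object { $_.name -eq $Tag }
    if (-not $entry) { throw "Service tag '$Tag' not found; refusing to touch the rule." }
    # De-duplicate and sort so repeated runs produce a stable rule.
    @($entry.properties.addressPrefixes | Sort-Object -Unique)
}

function Sync-ServiceTagRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Json, [Parameter(Mandatory)][hashtable]$TagPorts)
    foreach ($tag in $TagPorts.Keys) {
        $prefixes = Get-ServiceTagPrefix -Json $Json -Tag $tag
        $name = "JetAnalytics-Out-$tag"      # hypothetical naming scheme
        if (-not $PSCmdlet.ShouldProcess($name, "allow $($prefixes.Count) prefixes")) { continue }
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            # Replace the address list wholesale so retired ranges are dropped.
            Set-NetFirewallRule -DisplayName $name -RemoteAddress $prefixes
        } else {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
                -Protocol TCP -RemotePort $TagPorts[$tag] -RemoteAddress $prefixes | Out-Null
        }
    }
}

# Dry run against the constructed sample; drop -WhatIf and pass
# (Get-Content .\ServiceTags_Public_<date>.json -Raw) to apply for real.
Sync-ServiceTagRule -Json $sampleJson -TagPorts $tagPorts -WhatIf
```

Each rule is scoped to one tag's prefixes and only the ports this page lists for it, so the 11000–11999 range is opened toward Azure SQL addresses only and not to arbitrary destinations.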
Azure Service Bus
The Azure Service Bus is used for outbound communication. See the Service Bus AMQP protocol guide on Microsoft Learn for more information.
Allow access to the following outbound endpoints for the Service Bus. The current hostname is sbns-customer-prod-001.servicebus.windows.net but this will be incremented as capacity limits are reached.
- *.servicebus.windows.net
- TCP port 5671
- TCP port 5672
For IP-based firewall rules, whitelist the IP ranges in the EventHub.WestEurope and ServiceBus.WestEurope categories from the Microsoft Azure IP Ranges and Service Tags file. You can also run nslookup sbns-customer-prod-001.servicebus.windows.net in PowerShell to resolve the current IP. See the Service Bus FAQ for more information.
Ingest Service
If using Azure Data Lake Storage, allow access to:
- <storage account name>.dfs.core.windows.net — Port 443
If using Azure Data Factory data sources, allow access to:
- management.azure.com — Port 443
Ensure that inbound rules are added for the ports used by Ingest instances.
Additional servers
The following additional servers must be accessible on port 443:
- auth0.com
- eu.auth0.com
- cdn.auth0.com
- app-encryption-prod-001.azurewebsites.net
For environments where firewall rules must be IP-based, the following addresses apply (note that IP addresses may change over time):
- app-encryption-prod-001.azurewebsites.net: 20.105.216.12
The Auth0 tenant runs in the EU region. See Auth0 IP allowlist documentation for Auth0 IP ranges.
Troubleshooting
Test-NetConnection
Use the Test-NetConnection command in Windows PowerShell on the application server to verify connectivity to any of the servers and ports listed above.
For example, paste the following into PowerShell and press Enter:
Test-NetConnection sql-instances-prod.database.windows.net -Port 1433
Change the server name and port to test any of the required connections. A successful result will show TcpTestSucceeded : True.
Turn off services in Subnet setup
In certain Azure Virtual Network scenarios, Jet Analytics Data Integration may still be unable to reach the cloud server after the above connections are permitted. If the application server is on an Azure Virtual Network, check the Subnet configuration for a blocking Microsoft.Web service endpoint.
- Connect to the Virtual Machine used as the application server and examine the Virtual network/subnet.
- Click on the subnet to open its settings.
- Remove the Microsoft.Web service endpoint by clicking the delete icon, then save the configuration.
worker.database.windows.net issue
If you receive a connection timeout error that references a server name ending in .worker.database.windows.net, this is related to Microsoft's internal routing for Azure SQL connections.
This routing is controlled by Microsoft and is not specific to a region. The server will follow the pattern *.worker.database.windows.net and communicate on port range 11000–11999 for Azure VM deployments, or port 1433 for on-premises deployments.
Create a firewall rule to allow communication to this pattern from the Ingest Service. Using the Sql service tag in your firewall rules is the recommended approach to cover these routing hops without opening the entire port range to the internet.
Error initializing server: System.Data.SqlClient.SqlException (0x80131904): Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. [...] The duration spent while attempting to connect to this server was - [Pre-Login] initialization=2; handshake=14992;