Azure / azure-cli

Azure Command-Line Interface
MIT License

Network ip address required to allow to be able to export to Storage account #12607

Open mikaelliljedahl opened 4 years ago

mikaelliljedahl commented 4 years ago

I am trying to export to Blob Storage. It works fine when the blob storage has no network access restrictions. As soon as I enable network restrictions, I get the following error. I have tried to add the IP of the sql database server and the IP of the management API:

40.68.37.158 and 65.52.129.125 (which I had to add to the database ip filtering to be able to remove the first error message I got).

"There was an error that occurred during this operation : '<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">Error encountered during the service operation. ; Exception Microsoft.SqlServer.Management.Dac.Services.ServiceException:Unexpected exception encountered while retrieving metadata for blob 'https://xxxxxxxxxx.blob.core.windows.net/dumps/filename2020-03-16 145918 591.bacpac'.; Inner exception Microsoft.WindowsAzure.Storage.StorageException:The remote server returned an error: (403) Forbidden.; Inner exception System.Net.WebException:The remote server returned an error: (403) Forbidden.; </string>'"

Could you please point me in the right direction for what IP that should be allowed for the Blob Storage Export operation to work?

BR Mikael


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ghost commented 4 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @azureSQLGitHub.

yungezz commented 4 years ago

Thanks for reporting the issue; we'll look at it.

ejmarmonti commented 4 years ago

Hello, I have the same problem.

Background:

I have a release pipeline in DevOps that uses the 'azure file copy' task. When there are no network restrictions on the storage account, it works fine. When I enable network restrictions and leave the "Allow trusted Microsoft services to access this storage account" option selected, then trigger a release, I get the same 403 error at release time. It looks like maybe the IP ranges used by the Microsoft-hosted agents are not included in the "trusted Microsoft services" list?

How to replicate:

Thank you

keviny1273 commented 4 years ago

I think I am experiencing the same issue when trying to run an Azure SQL Database Export. It works when firewall rules on the Storage account allow access from all networks. When this is restricted to selected networks, the export fails with the error above (Forbidden). This occurs even when "Allow trusted Microsoft services to access this storage account" is selected.

It would be good to understand how to enable an export without having to relax the storage firewall rules.