MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Browser Access to Synapse Studio #69090

Closed pnarsi closed 3 years ago

pnarsi commented 3 years ago

Are the required ports documented for an end user on my network wanting to access Synapse Studio correct? The page currently says:

"Make sure that the firewall on your network and local computer allows outgoing communication on TCP ports 80, 443 and 1443 for Synapse Studio."

A user in my network would connect to Synapse Studio via a web browser so ports 80 and port 433 make sense. Yes Synapse Workspace to my dedicated SQL pool probably uses port 1443 but that is traffic within the managed VNET. Does running a SQL query on Synapse Studio require port 1443 to be open on my network?

Also, is the requirement to open port 80 correct? That implies that not all traffic between the user and Synapse Studio will be encrypted.



CHEEKATLAPRADEEP-MSFT-zz commented 3 years ago

@pnarsi Thanks for the question! We are investigating and will update you shortly.

CHEEKATLAPRADEEP-MSFT-zz commented 3 years ago

@pnarsi, As is called out in the document, you need to make sure that the firewall on your network and local computer allows outgoing communication on TCP ports 80, 443 and 1443 for Synapse Studio.

Port 80 is typically for sites that are not encrypted.

To connect using tools such as SSMS and Power BI, you must allow outgoing communication on TCP port 1433.

Azure Synapse Analytics enforces encryption (SSL/TLS) at all times for all connections. This ensures all data is encrypted "in transit" between the client and server irrespective of the setting of Encrypt or TrustServerCertificate in the connection string.

Hope this helps.

RonyMSFT commented 3 years ago

Thanks @CHEEKATLAPRADEEP-MSFT. Studio redirects port 80 to 443, so encryption would be enforced. Port 1443 is required because Studio talks to SQL using port 1443. The team is currently working to support 443 for this traffic as well and when that change is made, then you don't need 1443. We will update documentation when that change has occurred.

VitalyMCT commented 3 years ago

@RonyMSFT, can you please expand on that port 1433 requirement?

We understand Synapse Studio talks to Synapse SQL pools over port 1433.

However, if Synapse Studio runs server-side on an Azure web server, what's the reason we need to open port 1433 on local computer and network? Are the components of Synapse Studio that communicate with SQL pool running inside the browser?

AndyPT commented 3 years ago

This has been questioned a lot in the last 6 months, including an exact copy of this text being wrongfully listed in the DP-203 MOC course. It seems obvious that:

  1. There is NO need for opening port 80, as using port 443 directly is the ONLY recommended way, and currently the default for all major browsers is to use port 443;
  2. Even if it wasn't default to use 443, opening port 80, especially on a data service, is one of the most absurd requirements, and a MAJOR SECURITY FLAW;
  3. Port 1443 makes no sense and seems to be a typo that's been wrongfully propagated, and should be fixed to TCP 1433 (the correct Tabular Data Stream protocol port);
  4. Opening port 1433 (not 1443) is also NOT needed unless it is the intention of the user to access the databases directly (e.g. using SSMS), since Synapse Studio has automatic access to those ports. This should be properly explained WHEN this makes sense, not simply something to do.

Clearly the answer given by a Microsoft employee is WRONG and this issue was wrongfully closed prematurely. Also, how is it possible that someone would post such an absurd list of ports to open (which will REDUCE SECURITY DRASTICALLY), without explaining why they exist, and even after people complain they are WRONG, a Microsoft employee simply closes the issue without any fix or clarification?

PLEASE FIX IT.

RonyMSFT commented 3 years ago

@VitalyMCT, Studio is a Single Page Application that is running on the user's browser. Hence the user needs to configure outbound ports in their firewall.

@AndyPT, In the past, Synapse Studio (Single Page Application running in the user's browser) used port 1443 to communicate to Synapse SQL. There was work undertaken to use port 443. I am checking with our engineering team whether that update was deployed to all regions. If that is the case, then I will update the doc to remove the port 1443 reference.

Port 1433 is mentioned in the context of SSMS and Power BI (not Synapse Studio).

VitalyMCT commented 3 years ago

@RonyMSFT, @AndyPT's point number 3 is that the port # is incorrect. Port 1443 does not have any significance in this context. It's 1433. Correct?

As far as the requirement to have outbound access to that port, I believe you are confirming that the new version of the Synapse Studio SPA (assuming it's been deployed to all regions) no longer needs to communicate over that port. Thus the documentation around this is outdated. Correct?

@AndyPT's points 1 and 2 are also relevant here and I think warrant a reply.

RonyMSFT commented 3 years ago

@VitalyMCT, as I mentioned above, Studio used port 1443. There is work completed across multiple teams to ensure that Studio can use port 443 in place of port 1443. However, this change has not been deployed to all regions. The documentation will be updated when the change is deployed to all regions.

I am following up with engineering on port 80 and I will update when I hear back from them.

gdubya commented 2 years ago

@RonyMSFT have you heard back about this? I agree with @AndyPT and @VitalyMCT that it seems incorrectly documented about 1443. I see no requests from my browser to Synapse Studio using this port. How can we prove that 1443 is required?

gdubya commented 2 years ago

Ah, actually I did find one. There is a request using HTTPS (443) followed by a request on 1443. So the documentation is correct, even though it is confusing. But it looks like the request on 1443 is a duplicate of the first request, so perhaps this is just a fallback mechanism since (in my case) the first request (on 443) failed?


gdubya commented 2 years ago

I compared these requests with those from another workspace (in a completely different subscription) and did not see any requests on 1443 (the first HTTPS requests were successful), which backs up my theory that the 1443 requests are fallback behaviour.
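
One way to answer the "how can we prove that 1443 is required" question raised in this thread before changing an egress rule, as an added example that is not code from any commenter or from Microsoft: export the browser session as a HAR file from the DevTools Network tab, count requests per destination port, and flag requests on another port that repeat a request that failed on 443. The hostnames, timestamps and the `analyseHar` name are constructed for illustration, and treating `response.status` 0 as a connection-level failure is an assumption about how the browser records it.

```javascript
// Added example: summarise which TCP ports a browser session actually used,
// from a HAR export (DevTools > Network > "Save all as HAR").

// Effective destination port; URL.port is '' when the scheme default is used.
function portOf(url) {
  if (url.port) return Number(url.port);
  return url.protocol === 'https:' ? 443 : 80;
}

// Returns { ports: { port: requestCount }, fallbacks: [...] }.
// A "fallback" is a request on a port other than 443 that repeats the
// method, host, path and query of an earlier request on 443 that failed.
// Assumption: a connection-level failure is recorded as response.status 0.
function analyseHar(har) {
  const entries = [...har.log.entries].sort(
    (a, b) => new Date(a.startedDateTime) - new Date(b.startedDateTime));
  const ports = {};
  const failedOn443 = new Set();
  const fallbacks = [];
  for (const e of entries) {
    const url = new URL(e.request.url);
    const port = portOf(url);
    ports[port] = (ports[port] || 0) + 1;
    const key = `${e.request.method} ${url.hostname}${url.pathname}${url.search}`;
    if (port === 443 && e.response.status === 0) {
      failedOn443.add(key);
    } else if (port !== 443 && failedOn443.has(key)) {
      fallbacks.push({ port, request: key, status: e.response.status });
    }
  }
  return { ports, fallbacks };
}

// Constructed sample HAR (placeholder hostnames, not real endpoints).
const sampleHar = { log: { entries: [
  { startedDateTime: '2021-06-01T10:00:00.000Z',
    request: { method: 'GET', url: 'https://studio.example.test/' },
    response: { status: 200 } },
  { startedDateTime: '2021-06-01T10:00:02.000Z',
    request: { method: 'POST', url: 'https://ws.sql.example.test/query' },
    response: { status: 0 } },
  { startedDateTime: '2021-06-01T10:00:03.000Z',
    request: { method: 'POST', url: 'https://ws.sql.example.test:1443/query' },
    response: { status: 200 } },
] } };

console.log(JSON.stringify(analyseHar(sampleHar), null, 2));
```

An empty `fallbacks` list together with no entry for a given port in `ports` is evidence, for that session only, that the port was not used.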