az synapse workspace firewall-rule list --workspace-name <workspace-name> --resource-group <resource-group>Synapse workspace firewall
A Synapse workspace firewall is the IP allowlist around a Synapse workspace when it accepts public network traffic. It decides which client IPv4 ranges can attempt to connect before identity permissions are evaluated. It does not grant access by itself; a user or service still needs the right Azure, Synapse, or SQL permissions. It...
Source: Microsoft Learn - Configure IP firewall rules for Azure Synapse Analytics Reviewed 2026-05-27T15:25:20Z
- Exam trap
- Opening a broad IP range during an emergency and forgetting to remove it after users regain access.
- Production check
- List current firewall rules and verify every range has an owner, purpose, and review or expiry date.
Article details and learning context
- Aliases
- Synapse IP firewall rule, workspace firewall rule, Synapse workspace IP allowlist, Synapse public endpoint firewall
- Difficulty
- intermediate
- CLI mappings
- 6
- Last verified
- 2026-05-27T15:25:20Z
- Review level
- field-manual-complete
- Article depth
- field-manual-complete
Understand the concept
In plain English
A Synapse workspace firewall is the IP allowlist around a Synapse workspace when it accepts public network traffic. It decides which client IPv4 ranges can attempt to connect before identity permissions are evaluated. It does not grant access by itself; a user or service still needs the right Azure, Synapse, or SQL permissions. It is most useful for limiting casual exposure from the internet, but it is not a substitute for private endpoints, least privilege, or careful control of the setting that allows Azure services to reach the workspace.
Why it matters
Synapse workspace firewall rules matter because they are often the first visible control between a powerful analytics workspace and unwanted public access attempts. A broad rule such as an entire corporate egress block may be convenient, but it can also make production SQL, Studio, and development endpoints reachable from more places than intended. A narrow rule can protect the workspace but break analysts, pipelines, or support engineers when their outbound IP changes. The setting that allows Azure services and resources to access the workspace is especially sensitive because it can allow connections from Azure broadly, so identity controls must be strong. Firewall design needs change control, ownership, and review.
Official wording and source
Synapse workspace firewall rules define which public IPv4 client ranges can reach a Synapse workspace when public access is enabled. They are configured at workspace scope, complement identity permissions, and are not available for workspaces that use a Managed Virtual Network.
Technical context
Technically, workspace firewall rules are child configuration under a Synapse workspace. They belong to the networking and security layer around the workspace control and data endpoints. Operators configure rule names, start IP addresses, and end IP addresses through the portal, CLI, PowerShell, ARM, or REST. The rules matter only when public network access is enabled, and Microsoft documents that this IP firewall feature applies to workspaces not associated with a Managed Virtual Network. Private endpoint designs, private link hubs, DNS, and managed private endpoints must be considered separately.
Exam context
Compare with
Where it is used
Where you see it
- In the Azure portal Networking or Firewalls blade, where named rules show start and end IPv4 ranges beside public network access settings for the selected workspace.
- In Azure CLI output from az synapse workspace firewall-rule list, where each rule exposes its resource ID, name, start IP, end IP, provisioning state, and workspace scope.
- In connection failures from Synapse Studio, SQL clients, or automation agents, where identity looks correct but the client public IP is not covered by an allowed rule.
Common situations
- Allow a known corporate egress range to reach a public Synapse workspace while identity controls still enforce user permissions.
- Create a time-boxed support exception for a vendor or emergency responder without opening the workspace to every client IP.
- Audit and remove stale public IP ranges before moving a production workspace toward private endpoint access.
- Diagnose whether a failed Synapse Studio or SQL connection is blocked by network allowlisting rather than credentials.
- Compare dev, test, and production firewall rules to catch accidental drift before a release depends on the wrong access path.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Animation studio limits contractor access during a film deadline Scenario, objectives, solution, measured impact, and takeaway.
An animation studio needed temporary Synapse access for rendering-cost analysts working from a partner office. A previous broad firewall rule had allowed several unrelated networks into the workspace.
- Allow only the partner office egress IP for a two-week review window.
- Remove stale public rules without interrupting finance dashboards.
- Create security evidence that did not rely on screenshots.
The operations lead used Azure CLI to list every Synapse workspace firewall rule and exported the output to the change ticket. Security confirmed the partner office NAT range, then approved a named rule with a clear expiration date. Stale rules for old contractors, home-office ranges, and a forgotten allow-all test entry were deleted after owners confirmed they were no longer needed. The team validated Studio access and SQL connectivity from the partner office, then verified that connections from an unapproved network failed. Diagnostic logs and CLI output were attached to the incident record.
- Publicly allowed IP ranges dropped from nine ranges to one approved partner egress range.
- Finance dashboard access remained available with no missed daily refreshes during cleanup.
- Security review time for the exception fell from two days to forty minutes because evidence was structured.
Synapse workspace firewall rules are most useful when they are narrow, named, temporary where possible, and backed by repeatable evidence.
Scenario 02 Water utility fixes misleading access failures Scenario, objectives, solution, measured impact, and takeaway.
A municipal water utility moved leakage analytics into Synapse. Field analysts repeatedly reported SQL permission failures, but investigation showed their new secure remote-access gateway used a different public egress IP.
- Restore analyst access without granting broader data permissions.
- Distinguish network denial from identity or SQL authorization errors.
- Document the approved remote-access network path for future onboarding.
The support team first confirmed that user roles, SQL permissions, and storage access were already correct. Azure CLI then listed Synapse firewall rules and showed the old VPN egress address, not the new secure gateway. A narrowly named rule was added for the gateway range, and the obsolete VPN rule was removed after a staged test. Operators updated the runbook with the approved egress source, test commands, expected error messages, and the escalation path for future remote-access changes. Alerts were added for any firewall rule created outside the approved naming pattern.
- Average access-ticket resolution dropped from six hours to thirty-five minutes after the network pattern was documented.
- No additional SQL grants were issued, preventing unnecessary expansion of data access.
- Failed remote logons caused by stale firewall ranges fell by 91 percent in the following month.
Firewall evidence helps teams avoid treating every Synapse connection failure as an identity problem and keeps fixes at the right layer.
Scenario 03 Legal services firm removes emergency access debt Scenario, objectives, solution, measured impact, and takeaway.
A legal services firm opened broad Synapse firewall access during an urgent eDiscovery export. The rule remained for months, creating unacceptable exposure for client-matter analytics.
- Find every production workspace with broad or ownerless firewall rules.
- Replace emergency ranges with approved jump-host and automation egress IPs.
- Produce client-facing evidence that public endpoint access had been tightened.
Cloud governance used Azure CLI inventory scripts to query firewall rules across subscriptions and flag ranges wider than approved corporate egress blocks. Each exception was matched to a ticket, owner, and business purpose. For the eDiscovery workspace, the team removed the broad emergency range, added one jump-host range for approved administrators, and required release automation to come through a fixed NAT address. They retested exports, SQL connections, and Synapse Studio access from approved paths. The final evidence bundle included before-and-after rule lists, change approvals, and screenshots only as supporting context. Expiration dates were mandatory.
- Broad production Synapse firewall rules fell from fourteen to two documented exceptions across the estate.
- The eDiscovery workspace passed the client security review with no corrective action required.
- Quarterly firewall recertification effort dropped from three weeks to five business days.
A firewall rule is small configuration, but unmanaged exceptions can become real client, audit, and incident-response risk.
Azure CLI
I use Azure CLI for Synapse workspace firewall work because firewall mistakes are easy to hide in portal screenshots and hard to debug after the fact. CLI can list every rule with exact start and end IPs, show whether a specific rule exists, create a temporary exception, update a range during a controlled window, and delete stale access later. It also lets teams compare rules across environments and attach JSON evidence to an access ticket. In practice, the fastest path during an outage is often a read-only CLI check that proves whether the problem is network allowlisting, public network access, DNS, or identity.
Useful for
- List all firewall rules and compare IP ranges with approved corporate, VPN, vendor, or CI/CD egress ranges.
- Create a narrow temporary rule for a support window without changing Synapse roles or SQL permissions.
- Update an office or NAT range after a network provider changes public egress addresses.
- Delete stale vendor, emergency, or broad IP rules during a security hardening review.
- Wait for firewall rule provisioning before telling users to retest Studio or SQL endpoint connectivity.
Before you run a command
- Confirm the exact workspace, resource group, active subscription, public source IP, and approved range before creating or updating a rule.
- Check whether the workspace uses managed virtual network or private endpoints because IP firewall behavior may not be the active path.
- Treat broad ranges, all-Azure exceptions, and vendor ranges as security-impacting changes that need ticketed approval.
- Capture existing rules before making changes so rollback does not depend on portal memory during an incident.
- Use named rules with owners and expiry dates, especially for support windows, contractors, and temporary CI/CD agent ranges.
What the output tells you
- Rule output shows the exact name, start IP, end IP, provisioning state, resource ID, and workspace where the rule exists.
- A missing rule or unexpected range indicates the user may be blocked before Synapse RBAC or SQL permissions are evaluated.
- Broad ranges or unclear names are security review signals, even if access is currently working for users.
- Delete or update output should be attached to change records because network access changes are hard to reconstruct later.
- Wait output helps confirm that the firewall service has processed the change before retesting client connectivity.
Mapped commands
Workspace firewall rule management
directaz synapse workspace firewall-rule show --workspace-name <workspace-name> --resource-group <resource-group> --name <rule-name>az synapse workspace firewall-rule create --workspace-name <workspace-name> --resource-group <resource-group> --name <rule-name> --start-ip-address <ip> --end-ip-address <ip>az synapse workspace firewall-rule update --workspace-name <workspace-name> --resource-group <resource-group> --name <rule-name> --start-ip-address <ip> --end-ip-address <ip>az synapse workspace firewall-rule delete --workspace-name <workspace-name> --resource-group <resource-group> --name <rule-name>az synapse workspace firewall-rule wait --workspace-name <workspace-name> --resource-group <resource-group> --name <rule-name> --createdArchitecture context
Architecturally, I treat Synapse workspace firewall rules as a transitional or exception control, not the highest-trust network model. In a strong enterprise design, private endpoints and private link hubs usually carry production access, while public access is disabled or tightly limited. When public access must exist, firewall rules should align to known egress IPs, approved automation agents, or temporary support windows. The architecture should define who can add a rule, how long temporary rules live, how rule changes are logged, and how identity still restricts users after the network path opens. A firewall allowlist should never become the only meaningful protection around analytics data.
- Security
- Security impact is direct because the firewall changes who can reach the workspace endpoint before authentication and authorization happen. A narrow allowlist reduces exposure, while broad ranges increase reconnaissance and credential-abuse opportunities. The most dangerous pattern is combining wide network rules with permissive Synapse roles, SQL permissions, or shared credentials. Teams should avoid all-internet ranges, minimize the Azure-services exception, review rules after incidents, and use private connectivity for sensitive environments. Firewall changes should be auditable and tied to a request. If a rule is temporary, its expiration and owner should be recorded because stale access is a common long-term risk.
- Cost
- Firewall rules do not usually create direct compute charges, but they influence cost through access patterns and operational effort. A too-open workspace can enable uncontrolled serverless SQL scans, Spark runs, or support activity from unmanaged clients. A too-restrictive workspace can cause incident hours, missed data loads, and extra engineering time to diagnose blocked paths. Private endpoint designs may add separate networking costs, but they can reduce risk and simplify governance in regulated environments. FinOps reviews should connect firewall posture with who can run cost-generating workloads, because network access is one gate before expensive analytics activity begins. Stale exceptions are an ownership cost.
- Reliability
- Reliability impact is real because a correct firewall can look like an outage to users who connect from a new egress IP. Analysts may lose Studio access, SQL clients may fail, pipelines may stop calling endpoints, and support engineers may be locked out during an incident. Reliable operations use documented corporate egress ranges, controlled temporary rules, preapproved break-glass access, and monitoring for failed connections. If public access is disabled, runbooks should direct users to VPN, private endpoint, or approved network paths. Treat firewall updates like production changes: verify before and after, and avoid deleting old rules until the replacement path is tested.
- Performance
- Firewall rules do not accelerate SQL or Spark execution, but they affect connection performance and diagnostic speed. A missing rule causes immediate connection failures that can be misread as service slowness, authentication failure, or client driver trouble. Broad public access may make testing easier, but it can mask whether production should use private, lower-latency network paths. Operators should measure where clients exit the network, whether DNS resolves to public or private endpoints, and how quickly failed connection errors surface in logs. Good firewall hygiene improves operational performance because responders can eliminate network allowlisting as a cause within minutes. Good rule names reduce triage time.
- Operations
- Operators inspect Synapse workspace firewall rules during access requests, incident response, environment audits, and network-hardening projects. They list rules, confirm the active subscription and workspace, compare ranges against corporate egress records, and remove stale exceptions. They also coordinate with identity owners because a network allow does not mean the user can publish, query, or administer the workspace. Good operations include naming rules with owner and purpose, storing ticket references, using temporary exceptions where possible, and validating public network access state. For production, every rule should answer three questions: who needs it, from where, and for how long. Schedule cleanup after temporary fixes.
Common mistakes
- Opening a broad IP range during an emergency and forgetting to remove it after users regain access.
- Changing Synapse roles or SQL permissions before checking whether the user source IP is blocked at the firewall.
- Using vague firewall rule names that do not identify owner, network source, ticket, or expiry expectation.
- Assuming workspace firewall rules protect underlying storage accounts, Key Vaults, or private endpoint paths automatically.
- Letting CI/CD hosted agent IP changes break releases because build egress ranges were never documented.