Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Microsoft is giving away 50,000 FREE Microsoft Certification exam vouchers. Get Fabric certified for FREE! Learn more

FonsecaSergioMS
Microsoft Employee
‎03-17-2025 09:00 AM

Fabric Connectivity Series Part #1 - Inbound SQL DW connections on Public Endpoints

Content

 

 

I will do a series of posts regarding Fabric connectivity. As there are a lot of topics to cover such as inbound, outbound, public and private endpoints, managed private endpoints etc., it will be easier to break these into smaller dedicated posts.

 

I already have a series for Synapse connectivity and you can find those here:

 

First I would like to explore the Fabric DW / SQL Endpoint public endpoint connectivity. But before diving into troubleshooting, it’s essential to understand the key components involved in establishing a connection:

 

You first need to think about what the source is and what is the destination and and the various components in between:

Fabric Connectivity-01.png

 

#1 - What is the SOURCE and DESTINATION that you want to reach?

  • Source
    • Is your client/VM running OnPrem using PBI Desktop or Inside Azure (Azure VM / PBI Service)?
    • Do you have a Corp Firewall?
      • What Outbound Ports will be needed?
      • Internet Proxy in the middle?
  • Destination
    • Do you want to use public or private endpoint?
    • What endpoint you want to reach?

 

From Microsoft Fabric Portal you can get the Fully Qualified Domain Name (FQDN), something like [xxxx-xxxx.datawarehouse.fabric.microsoft.com] used for your client to reach your Microsoft Fabric DW or Lakehouse SQL analytics endpoint that can be used as the [server name] in a connection.

 

Fabric Connectivity-02.png

 

#2 - IP and Ports Needed

Fabric DW connection only requires OUTBOUND TCP port 1433 to be open.

 

ATTENTION!

When configuring your firewall, ensure that outbound port 1433 is open for the (FQDN and additional IPs), as specified in the documentation.

https://learn.microsoft.com/en-us/fabric/data-warehouse/connectivity#allow-power-bi-service-tags-thr...

Allow Power BI service tags through firewall

To ensure proper access, you need to allow the Power BI service tags for firewall access. For more information, see Power BI Service Tags. You cannot use the Fully Qualified Domain Name (FQDN) of the TDS Endpoint alone. Allowing the Power BI service tags is necessary for connectivity through the firewall.

 

Below you can find diagram to better visualize scenario

  • NOTE1: This is all transparent from client / driver point of view. You just need to worry to make sure firewall is open or else connection will fail
  • NOTE2: Reg 2nd redirect connecton (xxxx-pbidedicated), don't consider it a fixed name as it may change

Fabric Connectivity-03.png

 

For people that came from Synapse world, this will work in similar way as the redirect connection

https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture?view=azuresql#c...

 

If you do simple test connection and monitor it using WiresharkSynapse Connectivity Series Part #4 - Advanced network troubleshooting and network trace analysis ) using filters like samples below, you will be able to visuallize what is happening behind scene

  • DNS requests (May not be found if DNS entry is cached)
    • (dns.qry.name contains "pbidedicated" or dns.qry.name contains "fabric")
  • Client Hello packages
    • tls.handshake.extensions_server_name contains "fabric" or tls.handshake.extensions_server_name contains "pbi"

You will be able to find the 2 endpoints / connections and related IPs

Fabric Connectivity-04.png

Fabric Connectivity-05.png

 

You can then use wireshark function to follow up each individual conversation to check status and what could have blocked your connection

  • Click on specific conversation and Follow > TCP Stream

Fabric Connectivity-06.png

Here you can see initial conversation with FQDN [xxxx-xxxx.datawarehouse.fabric.microsoft.com] / IP [52.150.139.133] / port [1433]

Fabric Connectivity-07.png

 

Here you can see redirected conversation on TDS Endpoint [XXXX-pbidedicated.windows.net] / IP [52.150.139.166] / port [1433]

Fabric Connectivity-08.png

 

 

#3 - Forcing a failure

To make a failure happen, I will add an entry in hosts file, redirecting a name to wrong ip like 127.0.0.1, but would have similar results as a firewall blocking port

 

To be more visual, this is what is happening

Fabric Connectivity-11.png

 

From client I got error below

  • Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : A network-related or instance-specific error has occurred while establishing a connection
    to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For
    more information see SQL Server Books Online.

 

Note that in this example, the connection using the FQDN obtained from the Fabric portal works properly. What is actually failing is the redirected connection (You can see destination IP = 127.0.0.1 I forced to go to cause an error)

 

Fabric Connectivity-10.png

 

 

#4 - How to open my firewall

Based on the information shared above you need to open your firewall not only to FQDN, but also to a REDIRECT connection whose name or IP address may vary.

This configuration will also depend if your client is inside Azure or Outside Azure, if your network uses Azure Firewall or Third Party Firewall.

Check below some generial guideline:

  • #4.1 - Client inside Azure

    • As documented [here] open your [NSG] and / or [Azure Firewall] to [PowerBI Service tag].
      • A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.
      • You can find list here https://www.microsoft.com/en-us/download/details.aspx?id=56519

Fabric Connectivity-13.png

Fabric Connectivity-12.png

  • #4.2 - Client outside Azure

    • #4.2.1 - You can still use Service Tags as above, but then you might need some automation to constantly update this list as new IPs can be added to range.
    • #4.2.2 - Other option is to use FQDN / URLs as documented Add Fabric URLs to your allowlist
Required: Datamart SQLdatamart.fabric.microsoft.comTCP 1433
Required: Datamart SQLdatamart.pbidedicated.microsoft.comTCP 1433
Required: Datamart SQL*.pbidedicated.microsoft.comTCP 1433
   
Required: Fabric DW SQLdatawarehouse.fabric.microsoft.comTCP 1433
Required: Fabric DW SQLdatawarehouse.pbidedicated.microsoft.comTCP 1433
Required: Fabric DW SQL*.pbidedicated.microsoft.comTCP 1433
Required: Fabric DW SQL*.pbidedicated.windows.netTCP 1433

 

#5 - Troubleshooting

  • #5.2 The server was not found or was not accessible

    • A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.)

    • #5.2.1 - From Notebook / VM / Azure VM / PBI OnPrem Datagateway VM

    • #5.2.2 - From PBI Service (Cloud) using VNET Data Gateway

Labels: