Synapse: Enable "Allow Azure Synapse Link for Azure SQL Database to bypass firewall rules"

[mhofman37]

Hi,

I'm trying to configure a Synapse environment with bicep with the script below (I'm new to bicep and azure). The script runs without errors, but is does not enable the option "Allow Azure Synapse Link for Azure SQL Database to bypass firewall rules". This should be done with the property "trustedServiceBypassEnabled: true". I can enable the option in the GUI and after I have done that, I see the option trustedServiceBypassEnabled change to true in the JSON view.

It is also fine if someone knows a powershell statement that I can use to enable this option at a later moment.

Regards,
Marco

param location string = resourceGroup().location
param SynapseWorkspaceName string
param StorageAccountName string
param StorageAccountFileSystem string

//retrieve object information for defaultDataLakeStorageAccount
resource defaultDataLakeStorageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: StorageAccountName
}

resource SynapseWorkspace 'Microsoft.Synapse/workspaces@2021-06-01' = {
  name: SynapseWorkspaceName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    defaultDataLakeStorage: {
      resourceId: defaultDataLakeStorageAccount.id
      createManagedPrivateEndpoint: true
      accountUrl: defaultDataLakeStorageAccount.properties.primaryEndpoints.dfs
      filesystem: StorageAccountFileSystem
    }
    managedVirtualNetwork: 'default'
    trustedServiceBypassEnabled: true
  }
}

resource SynapseWorkspaceFirewallAllowAll 'Microsoft.Synapse/workspaces/firewallRules@2021-06-01' = {
  name: 'AllowAll'
  parent: SynapseWorkspace
  properties: {
    endIpAddress: '255.255.255.255'
    startIpAddress: '0.0.0.0'
  }
}

resource SynapseWorkspaceAllowAllWindowsAzureIps 'Microsoft.Synapse/workspaces/firewallRules@2021-06-01' = {
  name: 'AllowAllWindowsAzureIps'
  parent: SynapseWorkspace
  properties: {
    startIpAddress: '0.0.0.0'
    endIpAddress: '0.0.0.0'
  }
}

[mhofman37]

Hi,

Yesterday I found this documentation about a REST API that might solve my issue
https://learn.microsoft.com/en-us/rest/api/synapse/workspaces/create-or-update?tabs=HTTP

There is a property "properties.trustedServiceBypassEnabled" you can set with a REST API. The only problem is that I do not know how to configure the body of the request.

$token = (Get-AzAccessToken -Resource "https://management.azure.com").Token
$headers = @{ 'Content-Type'='application/json'
    'Authorization' = "Bearer $token" }
$SubscriptionId = (Get-AzSubscription | Where-Object {$_.Name -eq "Visual Studio Enterprise-abonnement"}).Id

$Url = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Synapse/workspaces/$SynapseWorkspaceName/?api-version=2021-06-01"
$Body = @{
     properties.trustedServiceBypassEnabled = $True
 }
Invoke-RestMethod -Method Put -Uri $Url -Headers $headers -Body $Body 

Is there somebody who can help me with that?

Regards,
Marco

[MingruiZhangW]

Same issue here both are not functioning it seems

[mhofman37]

I made a support request and Microsoft came with this solution.

First create the workspace and then set the property trustedServiceBypassEnabled. This works, although it gives a yellow message about a non-existing property.

//enables the option "Allow Azure Synapse Link for Azure SQL Database to bypass firewall rules"
resource networkByPass 'Microsoft.Synapse/workspaces/trustedServiceByPassConfiguration@2021-06-01-preview' = {
  name: 'default'
  parent: SynapseWorkspace
  properties: {
    trustedServiceBypassEnabled: true
  }
}

Regards,
Marco

[MingruiZhangW]

Thank!