Create a connection between Astro and an Azure public endpoint

All Astro clusters include a set of external IP addresses that persist for the lifetime of the cluster. When you create a Deployment in your workspace, Astro assigns it one of these external IP addresses. To facilitate communication between Astro and your cloud, you can allowlist these external IPs in your cloud. If you have no other security restrictions, this means that any cluster with an allowlisted external IP address can access your Azure resources through a valid Airflow connection.

Allowlist a Deployment’s external IP addresses on Azure

  1. In the Astro UI, select a Workspace, click Deployments, and then select a Deployment.
  2. Select the Details tab.
  3. In the Other section, you can find the External IPs associated with the Deployment.
  4. Add the IP addresses to the allowlist of any external services that you want your Deployment to access.

When you use publicly accessible endpoints to connect to Azure, traffic moves directly between your Astro cluster and the Azure API endpoint. Data in this traffic never reaches the Astronomer managed control plane. Note that you might still need to authorize your Deployment to some resources before it can access them. For example, you can authorize Deployments to your cloud with workload identity so that you can avoid adding passwords or other access credentials to your Airflow connections.

If you use Dedicated clusters and want to allowlist external IP addresses at the cluster level instead of at the Deployment level, you can find the list of cluster-level external IP addresses in your Organization’s Clusters.

  1. In the Organization section of the Astro UI, click Organization Settings, then click Clusters, then select a cluster.
  2. On the Details page, copy the IP addresses listed under External IPs.
  3. Add the IP addresses to the allowlist of any external services that you want your cluster to access. You can also access these IP addresses from the Details page of any Deployment in the cluster.

After you allowlist a cluster’s IP addresses, all Deployments in that cluster have network connectivity to Azure.
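
An added example (not from the Astro documentation) of the last step of either procedure above for one kind of external service, an Azure Storage account firewall managed with the Azure CLI. The resource group, account name and IP addresses are constructed placeholders, and the script only prints the `az` commands for review.

```sh
#!/bin/sh
# Added example: plan Azure Storage firewall rules for Astro external IPs.
# Resource group, account name and IPs below are constructed placeholders.

# Succeeds only for one public IPv4 address (no CIDR range, no private or
# reserved address), so a pasted range cannot widen the allowlist by accident.
is_public_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*) return 1 ;; esac            # no leading zeros
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  if [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ] || [ "$1" -ge 224 ]; then return 1; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 1; fi
  if [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then return 1; fi
  if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi
  return 0
}

# Usage: plan_allowlist RESOURCE_GROUP STORAGE_ACCOUNT IP...
# Prints the az commands to review; nothing is executed against Azure.
plan_allowlist() {
  rg=$1; account=$2; shift 2
  added=0
  for ip in "$@"; do
    if is_public_ipv4 "$ip"; then
      echo "az storage account network-rule add --resource-group $rg --account-name $account --ip-address $ip"
      added=$((added + 1))
    else
      echo "skipped, not a single public IPv4 address: $ip" >&2
    fi
  done
  # Switch the firewall to default-deny last, and only if at least one rule
  # was planned, so an all-rejected input list does not produce a lockout.
  if [ "$added" -gt 0 ]; then
    echo "az storage account update --resource-group $rg --name $account --default-action Deny"
  fi
}

# Constructed sample input: RFC 5737 documentation addresses, one private
# address and one CIDR range that must both be rejected.
plan_allowlist example-rg examplestorage 203.0.113.10 198.51.100.7 10.0.0.4 203.0.113.0/24
```

Review the printed commands, then run them in a shell where `az login` has already been completed for the target subscription.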