third-party SFTP with ADF

1. Yes, it is possible to connect to a third-party SFTP endpoint like Bloomberg using Azure Integration Runtime (AutoResolve IR) if the SFTP server allows connections from the Azure IP addresses. However, you will need to ensure that the IP addresses used by Azure IR are whitelisted on the Bloomberg SFTP server. You can find the list of Azure Integration Runtime IP addresses in the official documentation.
2. While using Azure IR is possible, the Self-Hosted Integration Runtime (SHIR) is often recommended for connecting to third-party SFTP servers, especially when you need more control over the network configuration, such as IP whitelisting. SHIR runs on a customer-managed machine, which allows you to configure the environment according to your needs and ensure that it can connect to the SFTP server without restrictions.

For more detailed guidance, you can refer to the official Azure documentation on integration runtimes and connecting to SFTP servers.

References:

• Troubleshoot the FTP, SFTP, and HTTP connectors in Azure Data Factory and Azure Synapse
• Choose the right integration runtime configuration for your scenario

Hi @RTG-1064

Thanks for contacting to Microsoft QA, here are step by step mitigation steps to resolve your query -

It can work with Azure IR—but only if Bloomberg accepts the region’s shared ADF IP ranges. Bloomberg’s SFTP is strictly IP‑allowlisted; they prefer tight, account‑specific IPs. If they won’t allow broad service‑tag ranges (DataFactory.<region>), Azure IR will keep failing. [learn.microsoft.com]

Recommended approach: use Self‑Hosted Integration Runtime (SHIR) behind a static egress IP. Put SHIR on an Azure VM/VNet, attach a NAT Gateway (or Azure Firewall) with a static Public IP, and give those IPs to Bloomberg for the allowlist. This is reliable and aligns with Bloomberg policy. [learn.microsoft.com], [learn.microsoft.com]

Set up checklist (SHIR): Install and register SHIR → bind subnet to NAT Gateway (static IP) → submit the IP(s) via Bloomberg Enterprise Console → configure ADF SFTP linked service with host, port 22, and SSH key → test. [learn.microsoft.com], [learn.microsoft.com], [bloomberg.com], [learn.microsoft.com]

• Common fixes:
  • If uploads fail on temp‑file rename, disable useTempFileRename. [learn.microsoft.com]
    • If key auth errors occur from Key Vault, ensure the Base64‑encoded private key content is correct (or upload the original key file to validate). [learn.microsoft.com]
      • Verify ciphers/KEX against Bloomberg’s standards if handshakes fail.

KB / Official docs (direct links)

• Bloomberg SFTP policies & allowlisting
  • SFTP Connectivity Policy (states IP allowlisting requirement): console.bloomberg.com/about/47
  • SFTP Connectivity Standards (PDF): assets.bbhub.io/.../SFTP-Connectivity-Policy.pdf
  • Manage SFTP IPs via Enterprise Console (FAQ): bloomberg.com/faq/.../enterprise-console
  • Enterprise Console overview: console.bloomberg.com/about
• Azure Data Factory (ADF)
  • SFTP connector (supports Azure IR & SHIR; notes on firewall allowlists): learn.microsoft.com/azure/data-factory/connector-sftp
  • Integration Runtime types (Azure IR vs SHIR): learn.microsoft.com/azure/data-factory/concepts-integration-runtime
  • Create & configure SHIR: learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime
  • Azure IR outbound IPs (service‑tag ranges): learn.microsoft.com/azure/data-factory/azure-integration-runtime-ip-addresses
  • Connector troubleshooting (rename/temp file, key encoding): learn.microsoft.com/fabric/data-factory/connector-troubleshoot-ftp-sftp-http
• Static egress IP
  • Azure NAT Gateway (static outbound): learn.microsoft.com/azure/nat-gateway/
  • NAT Gateway resource details & static public IPs: learn.microsoft.com/azure/nat-gateway/nat-gateway-resource
  • Manage public IP with NAT Gateway: learn.microsoft.com/azure/virtual-network/ip-services/configure-public-ip-nat-gateway