1.4.5. Network Security: Managed Private Endpoints
💡 First Principle: Network security in Fabric extends beyond data-level controls (permissions, row-level security) to network-level reachability. A Managed Private Endpoint keeps traffic to an Azure service on Private Link so the service can refuse all public access; Trusted Workspace Access lets a firewalled storage account admit one named Fabric workspace. Both are about whether packets are allowed to arrive at all, not about who the caller is.
Scenario: Your organization's Azure SQL Database contains sensitive financial data and is configured to deny public network access. Your Fabric workspace needs to connect to this database for ETL workloads. Without network-level configuration, the connection fails (typically as a timeout, because the server never answers), no matter how the caller authenticates.
Understanding Managed Private Endpoints
- Concept: A private endpoint that Fabric creates and manages inside the workspace's managed virtual network, connecting to an Azure PaaS resource over Azure Private Link
- Benefit: Traffic stays on Microsoft's backbone and never traverses the public internet, so the target resource can keep public network access disabled
- Requirement: The target Azure service must support Private Link, and the owner of the target resource must approve the connection before it carries traffic
- Scope: Consumed by Spark workloads (notebooks and Spark job definitions); Dataflow Gen2 and Data Factory pipelines reach private-network sources through a virtual network data gateway instead
Managed Private Endpoint Configuration
| Component | Purpose | Configuration Location |
|---|---|---|
| Managed Private Endpoint | Private connection to Azure service | Workspace Settings → Network Security |
| Approval | Target resource owner must approve | Azure Portal → Target resource → Private endpoint connections |
| FQDN | Hostname used in connection strings | The target's normal FQDN; once approved, name resolution inside the managed virtual network points it at the private endpoint |
Creating a Managed Private Endpoint
- Navigate to Workspace Settings → Network Security
- Select Create Managed Private Endpoint
- Specify the target Azure resource by resource ID and its target sub-resource (for example `sqlServer` for Azure SQL, `blob` or `dfs` for a storage account)
- Submit the request; it appears on the target resource as a private endpoint connection in Pending state until the resource owner approves it
- Once approved, connect using the target's FQDN; name resolution inside the workspace's managed virtual network directs the traffic over the private endpoint
Visual: Managed Private Endpoint Flow
Trusted Workspace Access
- Concept: Let a Fabric workspace through the firewall of an Azure Storage (ADLS Gen2) account that is otherwise restricted to selected networks
- Benefit: The storage account keeps denying public access by default while admitting one named workspace
- Implementation: Give the workspace a workspace identity, then reference that workspace in the storage account's firewall configuration
Trusted Workspace Access Configuration:
- In Fabric, create a workspace identity (Workspace settings → Workspace identity); trusted workspace access requires it
- In the Azure Storage Account, go to Networking → Firewalls and virtual networks and set public network access to "Enabled from selected virtual networks and IP addresses" (default action Deny); firewall rules are not evaluated when public network access is fully disabled
- Add a resource instance rule for resource type Microsoft.Fabric/workspaces naming the workspace ID; this admits that one workspace only
- Alternatively, tick "Allow Azure services on the trusted services list": this admits every Fabric workspace that has a workspace identity, so prefer the resource instance rule for least privilege
- Access from the workspace (for example a OneLake shortcut to the account) now passes the firewall; the caller still has to authenticate to the storage account as usual
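The two failure modes above (a managed private endpoint nobody approved, and a storage firewall that is either not scoped to the intended workspace or wide open) are easy to check from the Azure side before opening a ticket. The following script is an added example, not Microsoft tooling and not from the original page: it audits JSON in the shape `az resource show --ids <resource-id> -o json` returns for the target Azure SQL server and the storage account (the ARM `properties` body), reports pending or rejected private endpoint approvals, and flags a storage firewall that allows by default, relies on the broad trusted-services bypass, or names an unexpected workspace in a resource instance rule. The resource names, workspace IDs and JSON documents are constructed sample data; the exact `resourceId` layout of a resource instance rule is an assumption, and the audit keys only on the `Microsoft.Fabric/workspaces` type segment.

```python
"""Offline audit of the two Fabric connectivity patterns in this section.

Added example, not Microsoft tooling. Input is JSON in the shape that
`az resource show --ids <id> -o json` returns for an Azure SQL server and a
storage account. All documents below are constructed sample data; the
resourceId layout of the resource instance rule is an assumption, only the
Microsoft.Fabric/workspaces segment is relied on.
"""
from dataclasses import dataclass

# Type segment of a resource instance rule that targets a Fabric workspace.
FABRIC_WORKSPACE_SEGMENT = "/providers/microsoft.fabric/workspaces/"


@dataclass
class Finding:
    severity: str  # "fail": blocks or over-exposes, "warn": review, "info": as intended
    message: str


def workspace_id_from_rule(resource_id: str):
    """Workspace ID named by a resource instance rule, or None for other types."""
    lowered = resource_id.lower()
    pos = lowered.find(FABRIC_WORKSPACE_SEGMENT)
    if pos == -1:
        return None
    return lowered[pos + len(FABRIC_WORKSPACE_SEGMENT):].strip("/")


def audit_private_endpoint_connections(resource: dict) -> list:
    """Approval state of private endpoint connections on the target resource.

    A managed private endpoint shows up as a connection that stays 'Pending'
    until the resource owner approves it; Fabric traffic times out meanwhile.
    """
    findings = []
    conns = resource["properties"].get("privateEndpointConnections", [])
    if not conns:
        findings.append(Finding("fail", "no private endpoint connections on the target; the request never arrived"))
    for conn in conns:
        state = conn["properties"]["privateLinkServiceConnectionState"]
        status = state.get("status", "").lower()
        if status == "approved":
            findings.append(Finding("info", f"{conn['name']}: approved"))
        elif status == "pending":
            findings.append(Finding("fail", f"{conn['name']}: pending approval; traffic times out until the owner approves"))
        elif status == "rejected":
            findings.append(Finding("fail", f"{conn['name']}: rejected ({state.get('description') or 'no reason recorded'})"))
        else:
            findings.append(Finding("warn", f"{conn['name']}: unexpected status {status!r}"))
    return findings


def audit_storage_firewall(account: dict, expected_workspace_id: str) -> list:
    """Check that the storage firewall admits only the intended Fabric workspace."""
    findings = []
    acls = account["properties"].get("networkAcls", {})

    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append(Finding("fail", "default action is Allow: reachable from any network, workspace scoping has no effect"))

    # 'bypass' is a comma separated string such as "AzureServices, Logging".
    bypass = {b.strip().lower() for b in acls.get("bypass", "None").split(",")}
    if "azureservices" in bypass:
        findings.append(Finding("warn", "trusted Azure services bypass is on: every Fabric workspace with a workspace identity passes, not only the intended one"))

    if acls.get("ipRules"):
        findings.append(Finding("warn", f"{len(acls['ipRules'])} public IP allow rule(s) present; trusted workspace access does not need them"))

    expected = expected_workspace_id.lower()
    granted = []
    for rule in acls.get("resourceAccessRules", []):
        ws = workspace_id_from_rule(rule.get("resourceId", ""))
        if ws is None:
            continue  # rule for some other Azure resource type
        granted.append(ws)
        if ws != expected:
            findings.append(Finding("fail", f"resource instance rule grants access to unexpected workspace {ws}"))
    if expected in granted:
        findings.append(Finding("info", f"resource instance rule scoped to workspace {expected} present"))
    else:
        findings.append(Finding("fail", f"no resource instance rule for workspace {expected}; without the bypass, Fabric access is rejected"))
    return findings


EXPECTED_WORKSPACE = "11111111-2222-3333-4444-555555555555"  # constructed sample ID

SQL_SERVER = {  # constructed sample: Fabric's endpoint request still waiting for approval
    "name": "sql-finance",
    "properties": {
        "publicNetworkAccess": "Disabled",
        "privateEndpointConnections": [
            {"name": "fabric-ws-etl-pe", "properties": {"privateLinkServiceConnectionState": {"status": "Pending", "description": "", "actionsRequired": "None"}}},
            {"name": "ops-jumpbox-pe", "properties": {"privateLinkServiceConnectionState": {"status": "Approved", "description": "Approved by ops", "actionsRequired": "None"}}},
        ],
    },
}

STORAGE_ACCOUNT = {  # constructed sample; resourceId layout assumed, a second workspace slipped in
    "name": "stfinancelake",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "AzureServices",
            "ipRules": [],
            "virtualNetworkRules": [],
            "resourceAccessRules": [
                {"tenantId": "aaaaaaaa-0000-0000-0000-000000000000", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/*/providers/Microsoft.Fabric/workspaces/" + EXPECTED_WORKSPACE},
                {"tenantId": "aaaaaaaa-0000-0000-0000-000000000000", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/*/providers/Microsoft.Fabric/workspaces/99999999-8888-7777-6666-555555555555"},
            ],
        },
    },
}

if __name__ == "__main__":
    for f in audit_private_endpoint_connections(SQL_SERVER) + audit_storage_firewall(STORAGE_ACCOUNT, EXPECTED_WORKSPACE):
        print(f"[{f.severity.upper()}] {f.message}")
```

Run against the sample data it reports the pending Fabric endpoint on the SQL server as a failure, the trusted-services bypass as a warning, and the stray second workspace as a failure while confirming the intended workspace's rule is present. Replacing the two dictionaries with real `az resource show` output turns it into a quick pre-flight check before anyone blames credentials.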
When to Use Each Approach
| Scenario | Solution |
|---|---|
| Connect to Azure SQL with no public access | Managed Private Endpoint |
| Access storage account with firewall | Trusted Workspace Access |
| Access Cosmos DB privately | Managed Private Endpoint |
| Multi-cloud data access (AWS S3, GCS) | OneLake shortcuts authenticated with the provider's own credentials (for example S3 access keys); Private Link and Trusted Workspace Access do not apply outside Azure |
⚠️ Common Pitfall: Creating a Managed Private Endpoint and expecting immediate connectivity. The endpoint requires approval by the target resource owner, and until then connections time out. Check the target resource's Private endpoint connections blade in the Azure portal: a status of Pending means nobody has approved it yet. Coordinate with your Azure infrastructure team.
Exam Tip: Questions about connecting Fabric to resources with "public access disabled" or "firewall enabled" are asking for network-level reachability: a Managed Private Endpoint (Spark workloads) or Trusted Workspace Access (ADLS Gen2), or a virtual network data gateway for Dataflow Gen2 and pipelines. A service principal alone only solves authentication; it does not make a blocked network path reachable.
Reflection Question: Your Azure SQL Database has public network access disabled. A data engineer creates a connection in Dataflow Gen2 but receives a connection timeout error. What is the most likely cause and solution?