2.4.5. Network Security: Managed Private Endpoints
💡 First Principle: Network security extends beyond data-level controls (permissions, encryption at rest and in transit) to network-level isolation. Think of Managed Private Endpoints as private tunnels across Microsoft's backbone network: traffic between Fabric and the target service never traverses the public internet, so the service can deny all public network access and still be reachable. Without this, even a TLS-protected connection terminates at a public endpoint that anyone on the internet can probe, and "securing" the data only means guarding that endpoint well.
Scenario: Your organization's Azure SQL Database contains sensitive financial data and is configured to deny public network access. Your Fabric workspace needs to connect to this database for ETL pipelines. Without network-level configuration, the connection will fail.
Understanding Managed Private Endpoints
- Concept: Private network connections from Fabric to Azure services using Azure Private Link
- Benefit: Traffic flows over Microsoft's backbone network, never traversing public internet
- Requirement: The target Azure service must support Private Link
Managed Private Endpoint Configuration
| Component | Purpose | Configuration Location |
|---|---|---|
| Managed Private Endpoint | Private connection to Azure service | Workspace Settings → Network Security |
| Approval | Target resource owner must approve | Azure Portal → Target resource → Private endpoint connections |
| FQDN | Hostname used in connection strings (the resource's normal FQDN) | Resolves to the private endpoint's address once the connection is approved |
Creating a Managed Private Endpoint
- Navigate to Workspace Settings → Network Security
- Select Create Managed Private Endpoint
- Specify target Azure resource (e.g., Azure SQL Server, Storage Account)
- Submit request—target resource owner must approve
- Once approved, connect using the resource's FQDN; name resolution inside the Fabric managed network now returns the private endpoint's address rather than the public one
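A check worth running from a notebook after the endpoint shows as Approved, added here as an example (it is not code from the original page or from Microsoft's documentation): resolve the target FQDN and see whether the answer is a private address. If the public address comes back, the request is going to the public endpoint that the server denies, which is exactly the "connection timeout after creating the endpoint" symptom. The sample FQDNs, the resolver table and the 10.x address are constructed; the only assumption about Fabric is the one the procedure above states, that an approved managed private endpoint makes the resource's public name resolve to a private address inside the managed network.

```python
import ipaddress
import socket


def classify_addresses(addresses):
    """Return 'private', 'public', 'mixed' or 'unresolved' for a set of resolved IPs."""
    parsed = [ipaddress.ip_address(a.split("%")[0]) for a in addresses]  # drop IPv6 scope ids
    if not parsed:
        return "unresolved"
    private = [p.is_private for p in parsed]
    if all(private):
        return "private"
    if any(private):
        return "mixed"
    return "public"


def resolve_with_system_dns(fqdn):
    """Live resolver: what the notebook's own DNS returns for the target (TCP 1433 for SQL)."""
    try:
        infos = socket.getaddrinfo(fqdn, 1433, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


ADVICE = {
    "private": "FQDN resolves inside the managed network: the managed private endpoint is approved and in use.",
    "public": "FQDN resolves to a public address: the endpoint is missing or still pending approval; "
              "a server with public network access disabled will time out or reject the connection.",
    "mixed": "Some answers are private and some public: DNS is inconsistent; check which resolver the notebook uses.",
    "unresolved": "Name does not resolve at all: check the FQDN and the endpoint's target sub-resource.",
}


def diagnose(fqdn, resolver=resolve_with_system_dns):
    """Resolve the target and explain what the answer means for the private endpoint."""
    addresses = resolver(fqdn)
    verdict = classify_addresses(addresses)
    return {"fqdn": fqdn, "addresses": addresses, "verdict": verdict, "advice": ADVICE[verdict]}


# Constructed sample answers standing in for live DNS (hostnames and addresses are made up).
SAMPLE_ANSWERS = {
    "finance-sql.database.windows.net": ["10.0.1.8"],       # endpoint approved: private address
    "pending-sql.database.windows.net": ["40.78.225.32"],   # endpoint pending: still the public address
    "typo-sql.database.windows.net": [],                    # misspelled server name
}


def sample_resolver(fqdn):
    return SAMPLE_ANSWERS.get(fqdn, [])


if __name__ == "__main__":
    for name in SAMPLE_ANSWERS:
        result = diagnose(name, sample_resolver)
        print(f"{result['fqdn']}: {result['verdict']} {result['addresses']}\n  {result['advice']}")
```

Run `diagnose("<your-server>.database.windows.net")` without the second argument in the notebook itself to use the real resolver; only a `private` verdict means the managed private endpoint is actually carrying the traffic.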
Visual: Managed Private Endpoint Flow
Trusted Workspace Access
- Concept: Allow Fabric workspaces to access Azure Storage accounts configured with firewall rules
- Benefit: Storage account remains protected by firewall while permitting specific Fabric workspace access
- Implementation: Configure on the Azure Storage Account firewall settings
Trusted Workspace Access Configuration:
- Prerequisite: the Fabric workspace has a workspace identity (created in Workspace Settings); the storage account firewall recognizes the workspace by that identity
- Navigate to Azure Storage Account → Networking → Firewalls and virtual networks
- Keep the default action on Deny, then grant access in one of two ways:
  - Preferred: under Resource instances, add a resource instance rule for the specific Fabric workspace (least privilege: only that workspace is exempted from the firewall)
  - Broader: enable Allow Azure services on the trusted services list to access this storage account, which exempts trusted Azure services generally rather than one named workspace
- Fabric can now access the storage account despite the firewall rules
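Because the two grant options above differ so much in scope, a practitioner will want to audit what a storage account's firewall actually allows before trusting it. The script below is an added example, not code from the original page or from Microsoft: it inspects the `networkRuleSet` object that `az storage account show` returns and flags a default action of Allow, the broad AzureServices bypass, wildcard rules, and the absence of a rule scoped to the expected workspace. The tenant and workspace GUIDs and both ACL documents are constructed; the subscription and resource-group placeholders in the sample resource ID are an assumption, and the check deliberately looks only at the trailing `Microsoft.Fabric/workspaces/<id>` segment.

```python
from __future__ import annotations

import re

# Resource instance rules name the Fabric workspace through the Microsoft.Fabric/workspaces
# provider. Only this trailing segment is checked; the leading subscription/resource-group
# part of the sample IDs below is a placeholder (assumption: confirm the exact format
# against the Fabric documentation for your tenant).
WORKSPACE_RULE = re.compile(
    r"/providers/Microsoft\.Fabric/workspaces/"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$",
    re.IGNORECASE,
)


def audit_network_acls(network_acls, expected_workspace_id, expected_tenant_id):
    """Return a list of findings; an empty list means the account is locked down to
    exactly the expected Fabric workspace."""
    findings = []

    if network_acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: the firewall is not restricting access at all")

    # 'bypass' is a comma-separated string such as "AzureServices, Logging, Metrics" or "None".
    bypass = {b.strip() for b in (network_acls.get("bypass") or "").split(",")}
    if "AzureServices" in bypass:
        findings.append("bypass includes AzureServices: the broad trusted-services exception is on; "
                        "prefer a resource instance rule scoped to one workspace")

    matched = False
    for rule in network_acls.get("resourceAccessRules") or []:
        resource_id = rule.get("resourceId", "")
        if "*" in resource_id:
            findings.append(f"wildcard resource instance rule: {resource_id}")
            continue
        match = WORKSPACE_RULE.search(resource_id)
        if not match:
            continue  # a rule for some other Azure service; out of scope for this check
        same_workspace = match.group(1).lower() == expected_workspace_id.lower()
        same_tenant = (rule.get("tenantId") or "").lower() == expected_tenant_id.lower()
        if same_workspace and same_tenant:
            matched = True
        else:
            findings.append(f"resource instance rule for an unexpected workspace or tenant: {resource_id}")

    if not matched:
        findings.append("no resource instance rule for the expected Fabric workspace: "
                        "access, if it works at all, relies on the broad exception")
    return findings


# Constructed identifiers and ACL documents (not real tenants, workspaces or accounts).
TENANT = "11111111-2222-3333-4444-555555555555"
WORKSPACE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
PLACEHOLDER_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                     "/resourcegroups/00000000-0000-0000-0000-000000000000")

WEAK_ACLS = {  # firewall "enabled" in name only
    "defaultAction": "Allow",
    "bypass": "AzureServices",
    "ipRules": [],
    "virtualNetworkRules": [],
    "resourceAccessRules": [],
}

HARDENED_ACLS = {  # deny by default, one workspace exempted
    "defaultAction": "Deny",
    "bypass": "None",
    "ipRules": [],
    "virtualNetworkRules": [],
    "resourceAccessRules": [
        {"tenantId": TENANT,
         "resourceId": f"{PLACEHOLDER_SCOPE}/providers/Microsoft.Fabric/workspaces/{WORKSPACE}"},
    ],
}


if __name__ == "__main__":
    for label, acls in (("weak", WEAK_ACLS), ("hardened", HARDENED_ACLS)):
        findings = audit_network_acls(acls, WORKSPACE, TENANT)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Feed it real data with `az storage account show -n <account> -g <rg> --query networkRuleSet -o json` piped into `json.load`; the tenant ID is the Entra tenant of the Fabric workspace, and the workspace ID is the GUID from the workspace URL.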
When to Use Each Approach
| Scenario | Solution |
|---|---|
| Connect to Azure SQL with no public access | Managed Private Endpoint |
| Access storage account with firewall | Trusted Workspace Access |
| Access Cosmos DB privately | Managed Private Endpoint |
| Multi-cloud data access (AWS S3, GCS) | OneLake shortcuts authenticated with the provider's own credentials (for example AWS access keys), not Azure Private Link |
⚠️ Exam Trap: Creating a Managed Private Endpoint doesn't provide immediate connectivity. The endpoint requires approval by the target resource owner. Until approved, connections will fail. Questions about "connection timeout after creating endpoint" are testing this knowledge.
💡 Exam Tip: Questions about connecting Fabric to resources with "public access disabled" or "firewall enabled" typically require Managed Private Endpoints or Trusted Workspace Access—not service principals alone.
Reflection Question: Your Azure SQL Database has public network access disabled. A data engineer creates a connection in Dataflow Gen2 but receives a connection timeout error. What is the most likely cause and solution?