Blog
Automation & Operational Excellence
Fabric Security: Potentials & Limits of the Network Setup

Fabric Security: Potentials & Limits of the Network Setup

Viola Oduola

Viola Oduola

11.10.2024

20.1.2025

Automation & Operational Excellence
Fabric Security: Potentials & Limits of the Network Setup

How can I integrate data sources that are secured via private endpoints into Fabric? How do I deal with Azure Data Lakes behind a firewall? This blog post shows the possibilities which Fabric Nativ offers

Table of Contents

Securing Incoming Data Traffic

Considerations of network security need to cover incoming as well as outgoing data transfer.

Inbound data traffic describes access to Fabric itself (e.g. invoking app.fabric.microsoft.com). It is possible to integrate Fabric into a network via private links. This makes Fabric available exclusively via the internal network. Networks from the Internet are blocked.

Figure 1: Inbound access to Fabric - own illustration

Two parameters are used in the admin portal for this purpose: Azure Private Link and Block Public Internet Access.

Private links enable services to be delivered across private virtual networks (Vnet) without the need to connect them via peering.

"Block Public Internet Access" deactivates all traffic via the Internet. It is important to ensure that a private link is configured correctly before the setting is enabled. Otherwise there is a risk of locking oneself out of Fabric.

Figure 2: Screenshot from the Fabric Admin Portal

Subject area Private Link activation Activation of Block Public Internet Access setting
Governance One Lake Regional Endpoint is not supported (used to comply with data residency).
Microsoft Purview Information Protection is not supported, causing the Sensitivity button to be greyed out in Power BI, label information to be unavailable, and decryption of .pbix to fail.
Migration Inability to migrate workspaces to capacities in another region.
Tenant migrations are not supported.
Fabric trials are not supported.
Data Engineering Tenant must be in the home region where Fabric data engineering is supported (regardless of capacity region) to allow use of Spark jobs. Visual Queries in the Warehouse
If data are to be loaded into the lakehouse via pipeline, implementation is possible. If a data warehouse is involved, no support is currently available.
Data Engineering IoT Focus Shortcuts for Eventhouses are not possible. Event Stream feature is not usable
Inability to invoke Eventhouses from data pipelines.
Reading of data via queuing as well as data connectors which rely on queuing.
Eventhouse via T-SQL queries.
Data Analysis "Publish to Web" function is not available. Power BI semantic model, Datamart or Dataflow Gen1 cannot connect to a Power BI semantic model or Dataflow as a data source.
Reports cannot be exported to PDF or PowerPoint. E-mail subscriptions for dashboards and areas are no longer possible (brief component overviews are regularly sent to addressees).
On-premises Data Gateway does not work, a workaround is necessary here.
If both parameters are enabled, updates to the database for the modern usage metrics report fail.
User Experience Deployment of designs and external images to customize the Fabric portal.
Service Limits 450 capacities supported

Outbound Traffic for Destinations in Azure With Network Security

For outbound data traffic, access from Fabric to external data sources is of central importance. Different scenarios are possible here:

Scenario 1: Azure Storage / Data Lake Gen 2 behind firewall

Abbildung 3: Trusted-Workspace-Zugriff auf Azure Data Lake Gen 2 – eigene Darstellung
Figure 3: Trusted Workspace access to Azure Data Lake Gen 2 - own illustration

It is possible to whitelist all Fabric workspaces of the tenant or individual ones. Though all the tenant's workspaces can be specified, this is not recommended because the feature might be discontinued in future.

Individual workspaces can also be specified via the ARM template of the storage account / data lake:

"resourceAccessRules": [

      { "tenantId": " df96360b-9e69-4951-92da-f418a97a85eb",

         "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/Fabric/providers/Microsoft.Fabric/workspaces/b2788a72-eef5-4258-a609-9b1c3e454624"

      }

]

Here, however, only „b2788a72-eef5-4258-a609-9b1c3e454624“ is to be replaced with the own workspace ID. This can be found in the Fabric portal when invoking the workspace, and is indicated as part of the URL.

https://app.fabric.microsoft.com/groups/b2788a72-eef5-4258-a609-9b1c3e454624/list?experience=data-factory

In addition to the network, there is also identity as a security parameter 1. Therefore, the appropriate permissions still have to be set. Two access models are available here: Firstly, access-control lists and secondly, role-based access-control assignments (RBAC). For RBAC assignments, it is important to keep in mind that there are dedicated roles for data lakes and storage accounts (e.g. Storage Blob Data Reader).

Restrictions at a glance:

  • Currently only supported by Azure Data Lake Gen 2
  • Whitelisting at the individual instance level requires ARM template know-how
  • F-capacity neede

Scenario 2: Azure PaaS resources integrated into the network via private endpoints are to be accessed by Fabric.

This is not the case if Anonymus Blob Access is activated (only recommended for fewer use cases, as authentication is thus bypassed).

Figure 4: Vnet integration of a data lake via private endpoints.
Source: https://learn.microsoft.com/en-us/fabric/security/security-managed-vnets-fabric-overview

Here, it is possible to work in Fabric via managed private endpoints and managed Vnets

Figure 5: Managed private endpoint window - screenshot from workspace settings
Figure 6: Dialog for creating managed private endpoints - screenshot from workspace settings

This must then be approved in the Azure portal:

Figure 7: Networking tab of a data lake - screenshot from the Azure portal

After that, it is possible to access the data sources with notebooks and Spark job definitions via the private endpoints. Access via pipelines is currently not possible, however. Spark notebooks

require CPU power, for which a cluster of virtual machines is created in the background. By default, the machines share a standard network. In this scenario, an isolated, managed network is created during the first run.

Restrictions at a glance:

  • Spark jobs in on-demand clusters are less readily available than default pools.
  • Fabric data-engineering workloads must be supported for tenant and capacity region: This may result in restrictions for Switzerland West.
  • F-capacity needed.
  • OneLake shortcuts are not supported if pointing to connections to a data lake with private endpoints.

Another scenario mentioned here for the sake of completeness is connectivity to on-premises data sources. The on-premises data gateway can be used to access these data sources directly.

Ultimately, it can be said that the private-endpoint feature often being discussed currently is only relevant if a data source existent in Azure is to be connected. In this case, one should be aware that the data source needs to be loaded via notebooks / Spark job definitions. Access via pipelines is not possible.

Fabric itself or the capacity cannot be integrated into a network via a simple private endpoint. A more complex setup is needed for this purpose. A private link must be used, and the tenant settings for this link and/or the Block Public Internet Access setting must be activated.

However, companies wanting to avoid a use of network integration can also employ other security measures, as described at the beginning of the article. In the end: Fabric security means more than the use of private endpoints.

Who is b.telligent?

Do you want to replace the IoT core with a multi-cloud solution and utilise the benefits of other IoT services from Azure or Amazon Web Services? Then get in touch with us and we will support you in the implementation with our expertise and the b.telligent partner network.

Get to know us
The top of an office building on a bright day

Want To Learn More? Contact Us!

Caspar von Stülpnagel

Your contact person

Caspar von Stülpnagel

Managing Director

Related Posts

Open Source as an Alternative to Google's IoT Core
Open Source as an Alternative to Google's IoT Core

18.7.2023

20.1.2025

Automation & Operational Excellence

Open Source as an Alternative to Google's IoT Core

Many users of Google's IoT Core are currently looking for a successor to this service which will expire in August 2023. This blog post shows how Stackable's data platform can be used to create a highly scalable open-source alternative to Google's IoT Core.

Read more
Fabric Security: More Than Just Private Endpoints?
Fabric Security: More Than Just Private Endpoints?

28.10.2024

20.1.2025

Automation & Operational Excellence

Fabric Security: More Than Just Private Endpoints?

Many security considerations involving Azure revolve primarily around network security. Other important security aspects to be considered in the context of Microsoft Fabric are indicated below.

Read more
AWS-Based IoT Kick-Starter Platform
AWS-Based IoT Kick-Starter Platform

5.4.2024

20.1.2025

Automation & Operational Excellence

AWS-Based IoT Kick-Starter Platform

Lack of resources or technical challenges are often hurdles to establish the value and viability of IoT use cases, and present them later to project sponsors. Even for simple IoT use cases, sometimes weeks instead of days may be needed to produce tangible results. In this blog, we’ll present our IoT kick-starter platform that makes it possible to technically assess simple IoT use cases within a few days.

Read more
chevron left icon
Previous post
All posts
Next post
chevron right icon

No previous post

No next post

Automation & Operational Excellence
Tips & Tricks: The Repeat Loop as Performance Killer
New Feature: Option "Only Transfer Modified Files" In arcplan Administrator
Tips & Tricks: Removing Double Entries from a Column/Row
Tips & Tricks: Closing an Application from within the Application
Tips & Tricks: Checking Whether an Object Is There
Tips & Tricks: Increasing the Speed of Master Data Requests in SAP BW
Tips & Tricks: V-Lookup - Allocating Information Via Contingency Tables
New Feature: Function REPLACEEXPRESSION()
Best Practice: Do Not Extend Arrows Across Levels
Tips & Tricks: Switching Between Data Sources
Best Practice - arcplan Development Guidelines - Designing Documents
Tips & Tricks: READMETADATA() and PLACEMETADATA()
Instruction: Installing and Configuring IIS7
Intelligent Cross- & Up-Selling by the Use of Next Best Activity
Tips & Tricks: Arcplan and the Libraries
PROSET – Productivity Increase by Service Experience Management
Tips & Tricks: arcplan Background Report to connect to Databases
Increasing Campaign Profitability by Introducing SAS Marketing Optimization
Retention & WinBack
Forward-Looking Campaign Management in Online Gaming
Customer Intelligence in Existing Customer Management
Cross-Selling And Up-Selling Strategies For Call Centers
Tips & Tricks: Individual Selection as Performance Optimizer or Killer
Efficient CRM Success Measurement in Case of a ‘Video on Demand’ Supplier
Best Practice in CRM: Evaluation of a Sustainable Campaign Management System in the Financial Sector
arcplan Meets Hichert: Uniform Scaling Of Graphics
Proset - Research Project
Location Based Advertising
Old Meets New: Client Technologies for arcplan 8
MRM-Increasing Efficiency in Consultancy Services
arcplan Meets Hichert – Graphics With Outline Bars
Selfmade SPSS Frequency Analyses in R
Data Quality Management Remains Decisive Prerequisite for CRM
The Monty Hall Problem in 10 Python Lines
Looking Into the Data Science Toolbox
Roll-Out-Strategies for Campaign Management - Think Global, Act Local
Reformatting SPSS Value Labels for Output
Standardization of a Success Control Process in an Insurance Company
Calculating Wall Surface Areas in R on the Basis of Vectors
arcplan and its new Function "Assign"
Missing Values in Logistic Regression
The Customer Lifetime Value: Popular Errors and Unvarnished Truths
Campaign Management in the Mobile Engagement Environment
R Tips and Tricks - Part 1
Tips & Tricks: Transaction-Secured Inputs
Howto: Easy Web Scraping With Python
Instructions: HICHERT (IBCS) Out Of The Box
Uplift Modelling as Addition to Classic Response Modelling
Howto: Splitting Files With Standard Python Scripts
High Performance (Mental) Exercise With R
Howto: Connecting Cells by Means Of arcplan 8.6
Time Series Analysis Made Easy – Completely Without Analysis Tool
A Basket Full of Snakes: Python Modules for Data Science
Boosting For The Naive Bayes Classifier
Best Practice: Campaign Implementation
From SAS to R and back: Transfering SAS data Into an R System
Development Of A Powerful Data Science Team
Best Practice for SQL-Statements in Python
Handling SCD With the Oracle Data Integrator 12
The Requirement For Customer-Oriented Data Warehousing And The Opportunities It Creates
The Advanced Data Store Object and Its Tables
The Local Connection Arrow by Longview BI (formely arcplan)
How Stationary Trade Catches up to Online Shops With PoS Tracking Data
Analysis or App – What Does a Data Science Team Actually Produce?
The Highlights of Spark Summit 2016 in Brussels
SAP BW on HANA – Does a Cache Still Make Sense in ABAP Routines?
Enterprise Data Warehouse and Agile SQL Data Mart – SAP BW on HANA can do both – the “Mixed Scenario”
High Performance Lookups in BW Transformations in Practice - Introduction
SAP HANA – No More Memory? Implement Early Unload!
High Performance Lookups in BW Transformations - The Use of Internal Tables vs. SELECTS From the HANA Database
High Performance Lookups in BW Transformations - Selecting the Right Table Type
How Can I Slow Down HANA?
Performance Lookups in BW Transformation – Finding the Relevant Records
The Effective Use of Partition Pruning for the Optimisation of Retrieval Speed (Part 1)
Use Of The SCD Methodology By The Oracle Data Integrator 12
Performance Lookups in BW Transformations - Initial Aggregation of Selected Data
Data Warehouse Automation (Part 1)
Caret: A Cornucopia of Functions For Doing Predictive Analytics In R
The Effective Use of Partition Pruning for the Optimisation of Retrieval Speed (Part 2)
Staging Area: Potential in Comparison to Source System
The Effective Use of Partition Pruning for the Optimisation of Retrieval Speed (Part 3)
SAP HANA – Early Unload – Automate & Save Memory
How To: Who Should Check ETL Applications?
What is SAP BW/4 HANA And How Does It Differ From SAP BW on HANA 7.5?
CompositeProvider and a “Hidden” Function
Howto: Cell Input Control for Planning Solutions in Longview
Generating external HANA views
Absolutely Not Untyped!
Industry 4.0 and Business Analytics - More Room for Innovative Power
Next Best Activity in Energy Supply: Challenges and Opportunities At the Inbound Call Center
How-To: CSV to Kafka With Python and confluent_kafka (Part 1)
Three Approaches to Inter Company Coordination in Planning
How-To: CSV to Kafka With Python and confluent_kafka (Part 2)
Snapshot Generation in HR Reporting With ADSOs
7 Factors For Successful Introduction Of Marketing Automation
Data Warehouse Automation (Part 2)
The Basic Ideas behind Recommendation Systems
Snowflake Cloud DB and Python: “Two Good Friends”
Best Practice: Working With Paths In Python (Part 1)
Very Best Practice: Working With Paths In Python - Part 2
Tips & Tricks: The Repeat Loop as Performance Killer
New Feature: Option "Only Transfer Modified Files" In arcplan Administrator
Tips & Tricks: Removing Double Entries from a Column/Row
Tips & Tricks: Closing an Application from within the Application
Tips & Tricks: Checking Whether an Object Is There
Tips & Tricks: Increasing the Speed of Master Data Requests in SAP BW
Tips & Tricks: V-Lookup - Allocating Information Via Contingency Tables
New Feature: Function REPLACEEXPRESSION()
Best Practice: Do Not Extend Arrows Across Levels
Tips & Tricks: Switching Between Data Sources
Best Practice - arcplan Development Guidelines - Designing Documents
Tips & Tricks: READMETADATA() and PLACEMETADATA()
Instruction: Installing and Configuring IIS7
Intelligent Cross- & Up-Selling by the Use of Next Best Activity
Tips & Tricks: Arcplan and the Libraries
PROSET – Productivity Increase by Service Experience Management
Tips & Tricks: arcplan Background Report to connect to Databases
Increasing Campaign Profitability by Introducing SAS Marketing Optimization
Retention & WinBack
Forward-Looking Campaign Management in Online Gaming
Customer Intelligence in Existing Customer Management
Cross-Selling And Up-Selling Strategies For Call Centers
Tips & Tricks: Individual Selection as Performance Optimizer or Killer
Efficient CRM Success Measurement in Case of a ‘Video on Demand’ Supplier
Best Practice in CRM: Evaluation of a Sustainable Campaign Management System in the Financial Sector
arcplan Meets Hichert: Uniform Scaling Of Graphics
Proset - Research Project
Location Based Advertising
Old Meets New: Client Technologies for arcplan 8
MRM-Increasing Efficiency in Consultancy Services
arcplan Meets Hichert – Graphics With Outline Bars
Selfmade SPSS Frequency Analyses in R
Data Quality Management Remains Decisive Prerequisite for CRM
The Monty Hall Problem in 10 Python Lines
Looking Into the Data Science Toolbox
Roll-Out-Strategies for Campaign Management - Think Global, Act Local
Reformatting SPSS Value Labels for Output
Standardization of a Success Control Process in an Insurance Company
Calculating Wall Surface Areas in R on the Basis of Vectors
arcplan and its new Function "Assign"
Missing Values in Logistic Regression
The Customer Lifetime Value: Popular Errors and Unvarnished Truths
Campaign Management in the Mobile Engagement Environment
R Tips and Tricks - Part 1
Tips & Tricks: Transaction-Secured Inputs
Howto: Easy Web Scraping With Python
Instructions: HICHERT (IBCS) Out Of The Box
Uplift Modelling as Addition to Classic Response Modelling
Howto: Splitting Files With Standard Python Scripts
High Performance (Mental) Exercise With R
Howto: Connecting Cells by Means Of arcplan 8.6
Time Series Analysis Made Easy – Completely Without Analysis Tool
A Basket Full of Snakes: Python Modules for Data Science
Boosting For The Naive Bayes Classifier
Best Practice: Campaign Implementation
From SAS to R and back: Transfering SAS data Into an R System
Development Of A Powerful Data Science Team
Best Practice for SQL-Statements in Python
Handling SCD With the Oracle Data Integrator 12
The Requirement For Customer-Oriented Data Warehousing And The Opportunities It Creates
The Advanced Data Store Object and Its Tables
The Local Connection Arrow by Longview BI (formely arcplan)
How Stationary Trade Catches up to Online Shops With PoS Tracking Data
Analysis or App – What Does a Data Science Team Actually Produce?
The Highlights of Spark Summit 2016 in Brussels
SAP BW on HANA – Does a Cache Still Make Sense in ABAP Routines?
Enterprise Data Warehouse and Agile SQL Data Mart – SAP BW on HANA can do both – the “Mixed Scenario”
High Performance Lookups in BW Transformations in Practice - Introduction
SAP HANA – No More Memory? Implement Early Unload!
High Performance Lookups in BW Transformations - The Use of Internal Tables vs. SELECTS From the HANA Database
High Performance Lookups in BW Transformations - Selecting the Right Table Type
How Can I Slow Down HANA?
Performance Lookups in BW Transformation – Finding the Relevant Records
The Effective Use of Partition Pruning for the Optimisation of Retrieval Speed (Part 1)
Use Of The SCD Methodology By The Oracle Data Integrator 12
Performance Lookups in BW Transformations - Initial Aggregation of Selected Data
Data Warehouse Automation (Part 1)
Caret: A Cornucopia of Functions For Doing Predictive Analytics In R
The Effective Use of Partition Pruning for the Optimisation of Retrieval Speed (Part 2)
Staging Area: Potential in Comparison to Source System
The Effective Use of Partition Pruning for the Optimisation of Retrieval Speed (Part 3)
SAP HANA – Early Unload – Automate & Save Memory
How To: Who Should Check ETL Applications?
What is SAP BW/4 HANA And How Does It Differ From SAP BW on HANA 7.5?
CompositeProvider and a “Hidden” Function
Howto: Cell Input Control for Planning Solutions in Longview
Generating external HANA views
Absolutely Not Untyped!
Industry 4.0 and Business Analytics - More Room for Innovative Power
Next Best Activity in Energy Supply: Challenges and Opportunities At the Inbound Call Center
How-To: CSV to Kafka With Python and confluent_kafka (Part 1)
Three Approaches to Inter Company Coordination in Planning
How-To: CSV to Kafka With Python and confluent_kafka (Part 2)
Snapshot Generation in HR Reporting With ADSOs
7 Factors For Successful Introduction Of Marketing Automation
Data Warehouse Automation (Part 2)
The Basic Ideas behind Recommendation Systems
Snowflake Cloud DB and Python: “Two Good Friends”
Best Practice: Working With Paths In Python (Part 1)
Very Best Practice: Working With Paths In Python - Part 2
Introduction To Continuous Integration in the Development of Data Warehouse Systems
BCBS 239 - An Opportunity for Efficient Business Intelligence in the Banking Sector
Customer Data Platform - The New Silver Bullet in Marketing?
Customer Data Platform - An Overview of Categories
SAP BW - Optimization With Distinct Count, or “How To Count My Clients”
Extending On-Premises Data Solutions to Snowflake on Azure
Customer Data Platforms – A Classification
Customer Data Platforms - Evaluation As A Success Factor
SAP BusinessObjects 4.2 SP07 and a Look Into the Future
Reinforcement Learning, Bayesian Statistics And Tensorflow Probability: A Child's Game (part 1)
SAP BW Query - Efficient Use of Filters With Large Data Volumes, Or: “How Do I Speed Up the Filters?”
Data Privacy in DWH
Neural Averaging Ensembles for Tabular Data With TensorFlow 2.0
Reducing Complexity in Campaign Management by Marketing Resource Management
Data Preparation for Qlik Sense and Tableau
Recommender Systems – Part 3: Personalized Recommender Systems, ML and Evaluation
Data Migration With Exasol – From DWH To High-Performance Cloud Platform
Data Science for Kids: How To Win at “Guess Who?”
Visualizations in Reports (And What Needs To Be Considered Here)
Three Basics of BI Quality Management
Python in Power BI
Martech Capabilities - Tell Me Where You Stand and I’ll Tell You What You Need
IoT Adoption Framework: 6 Steps for Successful IoT Projects
The Do’s and Don’Ts of Selecting a Marketing Cloud – Finding the Right Tool
Martech Architecture: A Map In The Technology Labyrinth
The b.telligent Azure Academy: How I Became an Azure Pro in Four Months
Blueprint: Cloud Data Platform Architecture – Part 1: Ingestion
Blueprint: Cloud Data Platform Architecture – Part 2: Data Lake
Blueprint: Cloud Data Platform Architecture – Part 3: Analytics
Iot Readiness Assessment - Is Your Company Ready for the Internet of Things?
Hints and Tips for Faster Tableau Data Sources
The Essence of Data – Distillation in SQL
Parallel Execution of SQL Statements in LUA Scripts
The Lakehouse Approach – Cloud Data Platform on AWS
The SAP Analytics Cloud – Story vs. Analytics Designer
How To Install Ray Under Windows
IoT Ingestion With AWS Greengrass
Power Bi With Large Data Quantities: Three Pragmatic Tips
Power BI or Tableau? A Comparison From Developer’s Point of View
IoT Data Processing - Part 1: Azure Synapse Analytics
Iot Data Processing – Part 2: Azure Stream Analytics & Functions
SAP Analytics Cloud – Live vs. Import Connection
Sap Analytics Cloud – User and Operating Concept
Quantile Regression With Gradient Boosted Trees
Coordinate Goals, Strategy, Organization and Governance
Data Platforms: Complete, Performant and Secure
Internationalization with Power BI
Implementing a Key Figure Dimension in Power BI
End of Support for SQL Server 2012: 12.07 Is the Last Day!
SAP BW Bridge – SAP Data Warehouse Cloud
Vertex AI Pipelines - Getting Started
Use of Private Python Packages in Vertex AI - 3
LightGBM On Vertex AI
Tableau Sets – Create and Use Data Subsets Dynamically
Do You Still Regulate Data or Are You Already Democratizing?
Marketing Resource Management: An Overview of Providers
Automate Marketing Workflows With MRM Software
Performance Insights via the MRM Monitoring Component
Deliver Projects Faster With Python Ibis Analytics
SAC – User-Centred Visualization of Data With Custom Widgets
Computer Vision 101: How Machines Learn To See
Data Mesh: b.telligent ́s Considerations and Service Portfolio
How To Set Up a GDPR Compliant Data Lake From Scratch – Part 1
How To Set Up a GDPR Compliant Data Lake From Scratch – Part 2
How To Set Up a GDPR Compliant Data Lake From Scratch – Part 3
Planning and Data Strategy – How Compatible Are They?
Open Source as an Alternative to Google's IoT Core
Large Language Models – An Overview Of The Model Landscape
Sizing a Redshift Database for a Cloud DWH
Brief Guide to Using Generative AI and LLMs
Microsoft Fabric: Migration - Advantages & Chances?
Sap Analytics Cloud – The New Optimized Story Experience
The Digital Product Passport - The Opportunity for Companies!
Azure IoT Operations – New Opportunities with Kubernetes
Automated Image Processing: A Standard Architecture
AWS-Based IoT Kick-Starter Platform
Build Bridges: SAP BW Meets Microsoft Power Bi
How Mature Is Your ML Approach?
Data Platform Migration
Efficient Distance Joins in Polars
Sizing and Scaling Azure AI Search
Fabric Security: Potentials & Limits of the Network Setup
SAP Data Integration Into Microsoft’s Azure Cloud
Fabric Security: More Than Just Private Endpoints?
Extending AWS Redshift’s Data Processing With AWS Compute Services