Network Security In Microsoft Fabric


Introduction

Microsoft Fabric is a comprehensive platform designed to meet all the analytical needs of an enterprise. As a SaaS platform, it is fully managed and accessed over the internet. By contrast, the security of IaaS and PaaS services can be customized and hardened in the conventional way, as with other major cloud providers.

Diving into Microsoft Fabric’s Network Security:

Network security in Microsoft Fabric can be categorized into two main aspects:

  1. Inbound Security: This involves restrictions on incoming traffic from external sources attempting to access a specific network. These rules are checked and, if validated, allow interaction with resources within the network.
  2. Outbound Security: This pertains to traffic or data packets leaving the network. Before exiting, the traffic is validated through outbound rules, ensuring that data packets or requests from resources within the network are evaluated before they are allowed to leave.

Why is this Important?

We focus on network security for two main reasons:

  1. Ensuring that users can connect to Fabric using a dedicated network rather than the public internet (inbound traffic security).
  2. Securely connecting to any Azure or external resource to read data, ensuring that data exchange occurs via a managed private route (outbound traffic security).

How Fabric Security Works

When a user accesses the Fabric portal, they are authenticated through Microsoft Entra ID, which manages credentials and verifies the user’s identity. Entra ID provides a session token that is sent to the Web Front-end. The Web Front-end uses this token to forward the user’s query, along with the session token, to the Metadata Platform.

The Metadata Platform, located in the tenant's home region, holds user permissions at both the Fabric item and workspace levels. It operates within a secure network with protected endpoints for data transfer.

The Backend Platform, where storage (OneLake) and computation occur, is situated in the region configured for the capacity.

Once authenticated via Entra ID, the user’s request is handled by the Web Front-end, which then queries the Metadata Platform to verify permissions for the requested operation. If the user is authorized, the Metadata Platform sends the data request through the Microsoft backbone network to the Backend Platform. The Backend Platform performs the required computations, stores the data in the data lake, and sends the results back to the Web Front-end, allowing the user to see the final results.

The following sections cover the different network security aspects of Fabric:

INBOUND Techniques Used For Network Security In Fabric:

Let's start with the methods available to ensure that traffic entering Fabric is secure:

Entra Conditional Access:

Entra Conditional Access can be set up in the Azure portal by navigating to Security -> Add + Conditional Policy. It lets administrators apply restrictions to users, such as requiring multi-factor authentication (MFA), enforcing network location requirements, and checking device compliance.

Private Links:

Private Links can be configured directly in the Azure resource. This involves placing the resource within a virtual network (VNet) with a private IP address. This private IP can then be linked to a Private Link, enabling secure communication with Microsoft Fabric. To facilitate this, two tenant settings must be enabled:

  • Block Public Access: Restricts any public internet access to Fabric.
  • Azure Private Link: When enabled, it allows Fabric to associate with any Private Link for accessing data sources securely.

The process to create a private link is documented at https://learn.microsoft.com/en-us/fabric/security/security-private-links-use

Together, these two settings restrict public access and allow only the secured private network to reach Microsoft Fabric.

OUTBOUND Techniques Used For Network Security In Fabric:

Now let's look at the methods available to ensure that a data source protected by a firewall is accessed by Fabric securely:

Private Managed Endpoints:

This method is specific to the Synapse Data Engineering component of Microsoft Fabric and is available for F64 (or higher) capacity workspaces. It creates a secure connection to Azure resources such as Azure SQL Database, ADLS Gen2, and KQL Database. The Spark engines are placed in a separate virtual network, which connects to the Azure resources via a managed private endpoint. Note that with this method the Spark notebook cannot use the starter pool and will take 5-6 minutes to start the Spark cluster.

Steps to Enable:

  1. Create an Azure SQL Database: Ensure that public access is disabled for the connection.
  2. Retrieve Resource ID:
    • Go to “Properties” in the Settings Pane on the left side inside the Azure resource.
    • Copy the Resource ID from the right pane.
  3. Configure in Workspace Settings:
    • Click on the Settings icon in the workspace.
    • Navigate to “Network Security” and click on the “Create” option.
    • Follow the configuration as shown in the image below.

Next, configure the following parameters:

  • Endpoint Name: Choose any name you prefer.
  • Resource Identifier: Paste the ID copied in Step 2.
  • Target Sub-resource: This option will display the name of the Azure resource.
  • Request Message: This is the message sent to the Azure resource requesting approval for the creation of the managed private endpoint.

After configuration, the status shows as "Pending" in the workspace network security settings.

Step 4: Go to the Azure resource and click "Approve" to approve the private endpoint connection, establishing a secure connection to the Fabric workspace.

Trusted Workspace Access:

To create a workspace identity, go to the workspace identity section and click the "+Workspace Identity" button. Note that this option is only available for F64 or higher capacities, not for trial capacities.


This feature enables connectivity to external sources, like ADLS Gen2, that are protected by a firewall with no public internet access. By creating a workspace identity and configuring it in the Azure portal, you can use an ARM template to grant this identity access to ADLS Gen2.


In the storage account's "Resource Instances" section, you can see the configuration details: the instance name includes "Workspace Identity", indicating which specific workspace has access to the ADLS Gen2 account.
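As an added example (not from the original post), here is an ARM template that creates the resource instance rule shown in the "Resource Instances" section: the storage firewall denies everything by default and grants access only to one Fabric workspace identity. It assumes an existing ADLS Gen2 account deployed in incremental mode (the sku and kind must match that account), the workspace ID is supplied as a placeholder parameter, and the zero-GUID subscription segment and "Fabric" resource group in the resource ID follow the form used in the Fabric documentation for workspace identities.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": { "description": "Existing ADLS Gen2 account to lock down." }
    },
    "fabricWorkspaceId": {
      "type": "string",
      "metadata": { "description": "Placeholder: GUID of the Fabric workspace that owns the workspace identity." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "isHnsEnabled": true,
        "networkAcls": {
          "defaultAction": "Deny",
          "bypass": "AzureServices",
          "ipRules": [],
          "virtualNetworkRules": [],
          "resourceAccessRules": [
            {
              "tenantId": "[subscription().tenantId]",
              "resourceId": "[concat('/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/Fabric/providers/Microsoft.Fabric/workspaces/', parameters('fabricWorkspaceId'))]"
            }
          ]
        }
      }
    }
  ]
}
```

After deployment, the rule appears under "Resource Instances" in the portal; any workspace not listed there is still blocked by the default Deny action.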

Conclusion

This blog outlined several methods for configuring network security for inbound and outbound traffic. There are also numerous alternative approaches, depending on the business case and the administrative needs for data security and management.

Thanks for reading the blog!


-Manan Choudhary
