Private Link in Fabric: The Key to Enhanced Security and Compliance


Microsoft Fabric offers a suite of tools for data engineering, data science, and analytics. When network isolation is a requirement, Azure Private Link is the mechanism Fabric provides. Private Link gives you secure access to the various Fabric experiences by routing traffic through a private connection within the Microsoft backbone network, rather than exposing it to the public internet.

Let’s delve into the specifics of how Private Link integrates with different components of Fabric:

OneLake: Secure Data Lake Access

Fabric’s unified data lake, OneLake, supports Private Link. You can explore OneLake directly through the Fabric portal or interact with it from any machine within your established Virtual Network (VNet). Tools such as Azure Storage Explorer and PowerShell remain fully compatible.

  • Important Note: Direct calls to OneLake regional endpoints using Private Link are not currently supported. For detailed guidance on connecting to OneLake, refer to the official Microsoft documentation on “How do I connect to OneLake?”.

Warehouse, Lakehouse, and SQL Endpoints: Enhanced Protection

Private Link safeguards access to your Warehouse items and Lakehouse SQL endpoints within the Fabric portal. Additionally, if you utilize Tabular Data Stream (TDS) endpoints for connecting with tools like SQL Server Management Studio or Azure Data Studio, Private Link extends its protection to those connections as well.

  • Key Consideration: The “Visual query in Warehouse” feature will be unavailable if the “Block Public Internet Access” tenant setting is enabled in Fabric.
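A check a practitioner will want after enabling the tenant setting, for both the OneLake access described above and the Warehouse/SQL (TDS) endpoints in this section, is to confirm from a machine inside the VNet that the endpoint names actually resolve to private addresses. A name that still resolves to a public address means traffic is not taking the Private Link path, and with “Block Public Internet Access” enabled the connection will simply be refused. The following Python script is an added example written for this post; it is not code from the post or from Microsoft. It assumes the global OneLake DFS hostname onelake.dfs.fabric.microsoft.com (not named in the post) and takes any further hostnames, such as the SQL endpoint host from your Warehouse connection string, as command-line arguments; the optional VNet prefixes are whatever address space your private endpoint subnet uses.

```python
"""Verify that Fabric endpoint names resolve to private addresses.

Added example (not from the blog post). Run it from a machine inside the
VNet that hosts your Fabric private endpoint. Every hostname should resolve
only to addresses in your VNet (or at least to RFC 1918 / ULA space); a
public address means DNS is still pointing at the public endpoint.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Assumption: the global OneLake DFS hostname; it is not named in the post.
# Add your Warehouse / SQL endpoint host (from its connection string) on the
# command line.
DEFAULT_HOSTS = ["onelake.dfs.fabric.microsoft.com"]


def classify_address(addr: str, vnet_prefixes: Iterable[str] = ()) -> str:
    """Return "private" if addr looks like a private-endpoint address.

    With vnet_prefixes given (e.g. ["10.1.0.0/16"]) the address must fall in
    one of those networks. Without them, any RFC 1918 / ULA address counts,
    but loopback and link-local never do.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 scope id
    nets = [ipaddress.ip_network(p, strict=False) for p in vnet_prefixes]
    if nets:
        return "private" if any(ip in n for n in nets) else "not-private"
    if ip.is_loopback or ip.is_link_local:
        return "not-private"
    return "private" if ip.is_private else "not-private"


def resolve(host: str) -> List[str]:
    """Resolve host to its A/AAAA records using the system resolver."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def assess(hosts: Iterable[str],
           resolver: Callable[[str], List[str]] = resolve,
           vnet_prefixes: Iterable[str] = ()) -> Dict[str, Dict[str, object]]:
    """Resolve each host and give a verdict: private, not-private or unresolved.

    A host is "private" only if every address it resolves to is private;
    a mixed answer means some clients could still be sent to the public path.
    """
    report: Dict[str, Dict[str, object]] = {}
    for host in hosts:
        addrs = resolver(host)
        if not addrs:
            report[host] = {"addresses": [], "verdict": "unresolved"}
            continue
        kinds = {classify_address(a, vnet_prefixes) for a in addrs}
        verdict = "private" if kinds == {"private"} else "not-private"
        report[host] = {"addresses": addrs, "verdict": verdict}
    return report


if __name__ == "__main__":
    # Usage: python check_private_link.py [extra-host ...]
    # Set VNET_PREFIXES to your private endpoint subnet(s) for a stricter check.
    VNET_PREFIXES: List[str] = []
    results = assess(DEFAULT_HOSTS + sys.argv[1:], vnet_prefixes=VNET_PREFIXES)
    for host, info in results.items():
        addrs = ", ".join(info["addresses"]) or "-"  # type: ignore[arg-type]
        print(f"{info['verdict']:12} {host} -> {addrs}")
    ok = all(i["verdict"] == "private" for i in results.values())
    sys.exit(0 if ok else 1)
```

The resolver is injected so the verdict logic can be exercised with constructed DNS answers, and the exit code makes the script usable as a gate in a deployment pipeline: run it once from inside the VNet (expect all "private") and once from a host outside it (expect "not-private" or "unresolved"), which together confirm the tenant setting and DNS are doing what the post describes.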

Lakehouse, Notebooks, Spark, and Environments: Private Networking

Enabling the Azure Private Link tenant setting triggers an important change: your first Spark job (executed through a Notebook or Spark job definition) or any Lakehouse operation will automatically provision a dedicated managed virtual network specifically for your Fabric workspace.

  • Impact on Starter Pools: This change means that the default “starter pools” for Spark, which reside in a shared virtual network, will become disabled. Your Spark jobs will now run on custom pools that are created dynamically within your secure, managed virtual network.
  • Workspace Migration: Keep in mind that migrating a workspace across capacities located in different regions is not possible when your workspace has a managed virtual network allocated to it.
  • Regional Support: Spark jobs won’t work for tenants whose home region doesn’t support Fabric Data Engineering, even if they use Fabric capacities from other regions that do.

Dataflow Gen2: Secure Data Transformations

Private Link enables the secure use of Dataflow Gen2 for data retrieval, transformation, and publishing. When your data sources are protected behind a firewall, the VNet data gateway provides the connectivity: it injects a gateway (compute) node into your existing virtual network, giving you a managed gateway experience. Through the VNet gateway, you can connect to a Lakehouse or Warehouse in a Private-Link-enabled tenant or reach other data sources within your network.

Pipelines, ML Models, and More: Comprehensive Private Link Coverage

You can confidently use Pipelines, ML Models, Experiments, and AI skills within Fabric while maintaining a secure private-link environment. Fabric’s private link functionality allows you to create and operationalize data pipelines, including activities like Notebook and Dataflow activities.

Power BI: Understanding the Trade-offs

It’s important to understand that certain Power BI features will be unavailable when Fabric’s Private Link is enabled:

  • Publish to Web
  • Email subscriptions
  • Exporting Power BI reports as PDF or PowerPoint
  • Modern usage metrics reports: These reports will contain only partial data (limited to Report Open events) due to limitations in transferring certain client information over private links.

Other Fabric Items and Microsoft Purview Information Protection

  • KQL Database and EventStream: These components don’t currently support Private Link. They will automatically be disabled when you activate the “Block Public Internet Access” tenant setting to ensure compliance.
  • Microsoft Purview Information Protection: Compatibility with Private Link is not yet available. As a workaround, you could utilise service tags to enable access to certain related services.

 


Geetha S
