We wrote an article introducing this feature when it was newly announced last year. In case you haven’t read it, here is the article link: Azure Data Factory Managed Virtual Network(Preview). We did not dive deep into the setup/steps required. Hence, in this article, we will provide detailed steps to leverage this security feature provided by Microsoft Azure.
Let’s set the scene. Imagine that you want to connect to the Azure Blob storage source in the Azure Data Factory Copy activity. We assume that you have a storage account and an Azure Data Factory/ Azure Synapse Analytics created. Let’s get started!
Step 1: Assign Storage blob data contributor to the ADF/Azure Synapse workspace on the Blob Storage account.
There are three ways to authenticate the Azure Data Factory/Azure Synapse Analytics to the Azure Storage account. viz. Account Key, Service Principle and the Managed Identity. We have discussed this in great detail in the following article: Managed Identity between Azure Data Factory and Azure storage. Moreover, we have also shown how to grant the storage blob data contributor access to the storage account.
For instance, for this demo, we have created blob storage with the name managedvnetblobstore. Open the blob storage in the Azure portal and go to Access Control(IAM) to Add role assignment.
Add the Azure Data Factory managed-vnet-adf as the storage blob data contributor as shown below:
Step 2:Create an Azure Data Factory Integration Runtime (or Azure Synapse Analytics IR)
To create an IR with a managed VNET, open Azure Data Factory. Open settings and create a new Azure Data Factory Integration runtime with Virtual Network configuration enabled.
Step 3:Create a Managed private endpoint
Next, under Azure Data Factory/Azure Synapse Analytics settings, go to Managed private endpoints option and create a new endpoint for Azure Blob storage.
Step 4: Approve the private link in the storage account.
To approve the private link, go to the blob storage managedvnetblobstore. Further, you will find the created private endpoint under the Private endpoint connections of the networking section. Approve the connection.
Step 5: Validate the connection
Finally, open the copy data activity, create a dataset and a linked service to the blob storage in order to validate the connection through the managed private endpoint.
Hope this article helps. Please note that this is for information. We do not claim any guarantees regarding the approach/code. Encourage readers to try it for themselves.
Lastly, know more about this feature here. Please note that this also applies to Azure Synapse Integration Service.