Azure Synapse - advantages Managed VNet?

Joey Sun 1 Reputation point
2021-11-01T15:47:07.677+00:00

Hi all,

Simple question: what are the advantages of a Synapse workspace within a separate VNet? The most obvious reason I can think of is that it is more secure, because you only allow communication through managed private endpoints.

But then my question is: wouldn't you get the same security if you create a Synapse workspace (without managed VNet) and (1) remove all IPs in networking settings, (2) disable public network access and (3) add private endpoints for your sql/sqlpool/dev in whatever VNet your users are on?

Hope my question is clear and very curious to hear some thoughts on this.

Best,
Joey


2 answers

  1. PRADEEPCHEEKATLA-MSFT 76,511 Reputation points Microsoft Employee
    2021-11-02T05:29:20.92+00:00

    Hello @Joey Sun ,

    Welcome to the Microsoft Q&A platform.

    You can only use private links in a workspace that has a Managed workspace Virtual Network.

    To create an Azure Synapse workspace that has a Managed workspace Virtual Network associated with it, select the Networking tab in Azure portal and check the Enable managed virtual network checkbox.


    Azure Synapse workspace with Managed Virtual Network:


    If you leave the checkbox unchecked, then your workspace won't have a Virtual Network associated with it.

    Azure Synapse workspace without Managed Virtual Network:

    Note: Managed private endpoints are available after an integration runtime is enabled with a Managed Virtual Network.


    For more details, refer to Azure Synapse Analytics Managed Virtual Network.

    Hope this will help. Please let us know if you have any further queries.


  2. Stephen Connell 21 Reputation points
    2022-02-04T12:38:40.523+00:00

    The benefits might not be immediately apparent, but let's address this question:

    "But then my question is: wouldn't you get the same security if you create a Synapse workspace (without managed VNet) and (1) remove all IPs in networking settings, (2) disable public network access and (3) add private endpoints for your sql/sqlpool/dev in whatever VNet your users are on?"

    1. The IP range has a specific function. It controls access to the workspace itself, not data ingress. You can limit the IP range and then connect to data from anywhere.
    2. The Managed VNET restricts the sources from which you can ingest data to the workspace, so only sources which can sit behind a Managed Private Endpoint can be consumed. Side notes:
      a) On-premises sources using a self-hosted IR are not protected by a private endpoint. I assume the self-hosted IR is considered inside the Managed VNET and is secure.
      b) I've really struggled/failed to get other sources connected (REST, Office 365) and can't find much documentation for it.
    3. Exfiltration Protection protects where you can save data to, so it protects the other way.
    4. Disabling public network access can only be enabled if a Managed VNET is in place. The same is true for Data Exfiltration.
    5. Private Endpoints in your VNET only allow for private access to the Workspace and resources; they do not enforce them. The documentation states:

    "Alternatively, you can connect to your workspace using a managed private endpoint and private Link. Azure Synapse workspaces without the Azure Synapse Analytics Managed Virtual Network do not have the ability to connect via managed private endpoints."

    So your hypothesis would not provide the protection that a Managed VNET would. Hope this clears up the specifics if not the more general question of "what's the point?".

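    The two answers above describe several distinct controls (managed virtual network, data exfiltration protection, public network access, the IP firewall) that are easy to conflate when reviewing a workspace. The following script is an added example, not code from either answer or from Microsoft: it audits exported Synapse workspace definitions for those controls so a reviewer can see at a glance which of them a given workspace actually has. It assumes the ARM property names `managedVirtualNetwork`, `managedVirtualNetworkSettings.preventDataExfiltration` and `publicNetworkAccess` of `Microsoft.Synapse/workspaces`; the `firewallRules` list attached to each workspace and the two sample workspaces are constructed for the example, and the "wide range" threshold of 256 addresses is an arbitrary policy choice.

```python
"""Audit Azure Synapse workspace definitions for the network controls
discussed in this thread: managed VNet, exfiltration protection, public
network access and IP firewall rules.

Added example (not the thread's or Microsoft's code). Input is ARM-style
workspace JSON, such as the output of `az synapse workspace show`, with the
workspace's firewall rules attached under a constructed "firewallRules" key.
"""
import ipaddress
import json

# Constructed sample input: one workspace hardened with a managed VNet and
# one that relies only on the firewall-based approach from the question.
SAMPLE_WORKSPACES = json.loads(r'''
[
  {
    "name": "syn-hardened",
    "properties": {
      "managedVirtualNetwork": "default",
      "managedVirtualNetworkSettings": {"preventDataExfiltration": true,
                                        "allowedAadTenantIdsForLinking": []},
      "publicNetworkAccess": "Disabled"
    },
    "firewallRules": []
  },
  {
    "name": "syn-firewall-only",
    "properties": {
      "publicNetworkAccess": "Enabled"
    },
    "firewallRules": [
      {"name": "AllowAllWindowsAzureIps",
       "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
      {"name": "office",
       "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.255"}
    ]
  }
]
''')

# Policy threshold for flagging a firewall rule as too broad (assumption).
WIDE_RANGE_ADDRESSES = 256


def firewall_findings(rules):
    """Return human-readable findings for IP firewall rules.

    The 0.0.0.0-0.0.0.0 rule is the sentinel that admits all Azure
    services; any range larger than the policy threshold is flagged.
    """
    findings = []
    for rule in rules:
        start = ipaddress.ip_address(rule["startIpAddress"])
        end = ipaddress.ip_address(rule["endIpAddress"])
        if start == end == ipaddress.ip_address("0.0.0.0"):
            findings.append(f"rule {rule['name']}: allows all Azure services")
        elif int(end) - int(start) + 1 > WIDE_RANGE_ADDRESSES:
            findings.append(f"rule {rule['name']}: wide range {start}-{end}")
    return findings


def audit_workspace(ws):
    """Evaluate one workspace and return its control status and findings."""
    props = ws.get("properties", {})
    managed_vnet = props.get("managedVirtualNetwork") == "default"
    mvnet_settings = props.get("managedVirtualNetworkSettings") or {}
    exfil = bool(mvnet_settings.get("preventDataExfiltration"))
    public_disabled = str(props.get("publicNetworkAccess", "Enabled")).lower() == "disabled"

    findings = []
    if not managed_vnet:
        findings.append("no managed virtual network: managed private endpoints unavailable")
    elif not exfil:
        findings.append("managed virtual network without data exfiltration protection")
    if not public_disabled:
        findings.append("public network access enabled")
    findings.extend(firewall_findings(ws.get("firewallRules", [])))

    return {
        "name": ws["name"],
        "managed_vnet": managed_vnet,
        "exfiltration_protection": exfil,
        "public_network_disabled": public_disabled,
        "findings": findings,
    }


def audit_all(workspaces):
    """Audit every workspace, keyed by name."""
    return {ws["name"]: audit_workspace(ws) for ws in workspaces}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_WORKSPACES).items():
        status = "OK" if not result["findings"] else "REVIEW"
        print(f"{name}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

    Running it on the sample reports the hardened workspace as clean and lists three findings for the firewall-only workspace: no managed VNet (so no managed private endpoints), public network access still enabled, and the rule that admits all Azure services. That is the gap the second answer describes: the IP list limits who can reach the workspace, but without the managed VNet nothing constrains the data sources and sinks the workspace itself can reach.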