Data Explorer - Private Endpoint or VNET Integration

Yarash Agarwal 1 Reputation point
2022-07-21T11:45:19.83+00:00

Data Explorer Clusters can be connected to VNETs using both private endpoint and VNET integration. Using VNET integration seems like a better option since you do not need to configure NSGs (managed through delegation) and you get a private IP and URI for your cluster. What are the use cases for the private endpoint for Data Explorer and which one is recommended? Also, when you deploy a Data Explorer Cluster with VNET integration, an external load balancer gets deployed as well which has no backends (and rightly so). The question is why is an ELB deployed with a VNET integrated Data Explorer cluster?


1 answer

  1. Pierre-Luc Giguere 1,076 Reputation points
    2022-07-21T12:32:33.86+00:00

    Hi,

    I do not pretend to be an expert but I will share my understanding and the sources I used to get that understanding.

    • The question is why is an ELB deployed with VNET integrated Data Explorer cluster?

    Since you are deploying a cluster, you need a way to set redundancy and to split the load.

    According to the subnet size (https://learn.microsoft.com/en-us/azure/data-explorer/vnet-deployment#plan-subnet-size-in-your-vnet) it seems that the pair of load balancers is Zonal (https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-availability-zones#zonal) so you have 2 ELB in two zones.

    • What are the use cases for the private endpoint for Data Explorer and which one is recommended?

    I won't go into the details of a use case for Data Explorer since I'm not familiar enough with it. But I can talk about Private Endpoint in general.

    "[A]ny routes in your virtual network that force internet traffic to your on-premises and/or virtual appliances also force Azure service traffic to take the same route as the internet traffic."

    "Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. Keeping traffic on the Azure backbone network allows you to continue auditing and monitoring outbound Internet traffic from your virtual networks, through forced-tunneling, without impacting service traffic."

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#key-benefits

    In other words, traffic without endpoints is flowing into the public sector and COULD be seen by others. With private endpoint, no.

    Your choice should be guided by your data. PII should be isolated, public data might not require that level of protection.

    Hope it helps.

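As an added illustration of the private endpoint option discussed in the answer (this is example code, not from the poster or from Microsoft's documentation), the Bicep below deploys a Data Explorer cluster with public network access disabled and a private endpoint into an existing subnet. The cluster name, SKU, subnet id and API versions are assumptions; the `'cluster'` group id is the Data Explorer private link sub-resource.

```bicep
// Added example, not part of the original thread. Names and ids are assumptions.
param location string = resourceGroup().location
param clusterName string = 'adx-private-example'
param subnetId string   // existing subnet that will host the private endpoint (assumption)

resource adx 'Microsoft.Kusto/clusters@2022-12-29' = {
  name: clusterName
  location: location
  sku: {
    name: 'Dev(No SLA)_Standard_D11_v2'
    tier: 'Basic'
    capacity: 1
  }
  properties: {
    // The weak setting is 'Enabled' (the default): the cluster's public FQDN stays
    // reachable from the internet even after a private endpoint exists.
    publicNetworkAccess: 'Disabled'
  }
}

resource adxPrivateEndpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: '${clusterName}-pe'
  location: location
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${clusterName}-plsc'
        properties: {
          privateLinkServiceId: adx.id
          groupIds: [
            'cluster'   // Data Explorer private link sub-resource
          ]
        }
      }
    ]
  }
}
```

Clients inside the VNET also need the cluster FQDN to resolve to the endpoint's private IP, which is normally done with a private DNS zone for `privatelink.<region>.kusto.windows.net` linked to the VNET; after deployment, resolving the cluster name from a VM in the VNET should return an address from the endpoint subnet rather than a public one.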