Overview of managed private endpoints for Fabric

Managed private endpoints are a feature that allows secure and private access to data sources from Fabric Spark workloads.

What are Managed Private Endpoints?

  • Managed private endpoints are connections that workspace admins can create to access data sources that are behind a firewall or that are blocked from public internet access.

  • Managed private endpoints allow Fabric Spark workloads to securely access data sources without exposing them to the public network or requiring complex network configurations.

  • The private endpoints provide a secure way to connect and access the data from these data sources using items such as notebooks and Spark job definitions.

  • Microsoft Fabric creates and manages managed private endpoints based on the inputs from the workspace admin. Workspace admins can set up managed private endpoints from the workspace settings by specifying the resource ID of the data source, identifying the target subresource, and providing a justification for the private endpoint request.

  • Managed private endpoints support various data sources, such as Azure Storage, Azure SQL Database and many more.
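The three inputs a workspace admin supplies when requesting a managed private endpoint (the data source's resource ID, the target subresource, and a justification) are easy to get wrong, and a mismatched subresource or a hostname instead of a resource ID is only reported after the request is submitted. The following Python pre-flight check is an added example, not Microsoft's code or part of this page: it parses the Azure Resource Manager resource ID, confirms that the requested subresource is valid for that resource type, rejects a fully qualified domain name (which the page says is unsupported), and assembles the request payload. The allowed subresource names per resource type and the payload field names are assumptions modelled on Azure private-link group IDs and the Fabric REST API's managed private endpoint shape; verify them against the current Fabric and Azure documentation before relying on them.

```python
import re
from dataclasses import dataclass

# Assumption: private-link group IDs accepted for the two data source types the page
# names (Azure Storage and Azure SQL Database). Keys are lower-cased ARM resource types.
SUBRESOURCES_BY_TYPE = {
    "microsoft.storage/storageaccounts": {"blob", "dfs", "file", "queue", "table", "web"},
    "microsoft.sql/servers": {"sqlServer"},
}

# A top-level ARM resource ID: /subscriptions/<guid>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

# Constructed sample resource ID (placeholder subscription, not a real resource).
SAMPLE_STORAGE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdatalake01"
)


@dataclass(frozen=True)
class ParsedResourceId:
    subscription: str
    resource_group: str
    resource_type: str  # e.g. "Microsoft.Storage/storageAccounts"
    name: str


def parse_resource_id(resource_id: str) -> ParsedResourceId:
    """Parse an ARM resource ID; anything else (for example an FQDN) is rejected."""
    m = _RESOURCE_ID_RE.match(resource_id.strip())
    if not m:
        raise ValueError(f"not an ARM resource ID (FQDNs are not supported): {resource_id!r}")
    return ParsedResourceId(m["sub"], m["rg"], f"{m['ns']}/{m['type']}", m["name"])


def validate_request(resource_id: str, subresource: str, justification: str) -> ParsedResourceId:
    """Check the three admin-supplied inputs before a request is submitted."""
    parsed = parse_resource_id(resource_id)
    allowed = SUBRESOURCES_BY_TYPE.get(parsed.resource_type.lower())
    if allowed is None:
        raise ValueError(f"no subresource mapping known for {parsed.resource_type}")
    if subresource not in allowed:
        raise ValueError(
            f"subresource {subresource!r} is not valid for {parsed.resource_type}; "
            f"expected one of {sorted(allowed)}"
        )
    if not justification.strip():
        raise ValueError("a justification for the private endpoint request is required")
    return parsed


def build_request_body(name: str, resource_id: str, subresource: str, justification: str) -> dict:
    """Return the payload for a create request. Field names are an assumption about the API."""
    validate_request(resource_id, subresource, justification)
    return {
        "name": name,
        "targetPrivateLinkResourceId": resource_id,
        "targetSubresourceType": subresource,
        "requestMessage": justification,
    }


if __name__ == "__main__":
    print(build_request_body("mpe-datalake", SAMPLE_STORAGE_ID, "dfs",
                             "Spark notebooks read curated ADLS Gen2 data"))
```

Running the check in a deployment script or a pull-request pipeline catches the common mistakes (wrong subresource for the resource type, a hostname instead of a resource ID, an empty justification) before an approver on the data source side ever sees the request.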

Animated illustration showing the process of creating a managed private endpoint in Microsoft Fabric.

For more information about supported data sources for managed private endpoints in Fabric, see Supported data sources.

Limitations and considerations

  • Starter pool limitation: Workspaces with managed virtual networks (VNets) can't use starter pools. This includes workspaces that use managed private endpoints, and workspaces associated with a Fabric tenant that has Azure Private Link enabled and that have executed Spark jobs. Such workspaces rely on on-demand clusters, so a session takes three to five minutes to start.

  • Managed private endpoints: Managed private endpoints are supported for Fabric trial capacity and all Fabric F SKU capacities.

  • Tenant region compatibility: Managed private endpoints function only in regions where Fabric Data Engineering workloads are available. Creating them in unsupported Fabric tenant home regions results in errors. These unsupported tenant home regions include:

    Region
    Singapore
    Israel Central
    Switzerland West
    Italy North
    West India
    Mexico Central
    Qatar Central
    Spain Central
    Brazil South

  • Capacity region compatibility: Managed private endpoints function only in regions where Fabric Data Engineering workloads are available. Creating them in unsupported capacity regions results in errors. These unsupported regions include:

    Region
    West Central US
    Switzerland West
    Italy North
    Qatar Central
    West India
    France South
    Germany North
    Japan West
    Korea South
    South Africa West
    UAE Central
    Brazil South
    Singapore
    Central US

  • Spark job resilience: To prevent Spark job failures or errors, migrate workspaces with managed private endpoints to any Fabric F SKU capacity.

  • Workspace migration: Workspace migration across capacities in different regions is unsupported.

  • OneLake shortcuts do not yet support connections to ADLS Gen2 storage accounts using managed private endpoints.

  • Creating a managed private endpoint with a fully qualified domain name (FQDN) is not supported.

These limitations and considerations might affect your use cases and workflows. Take them into account before enabling the Azure Private Link tenant setting for your tenant.