Create a private or service endpoint to event hub and Azure Storage
Warning
Virtual Network Injection will be retired for Azure Data Explorer by 1 February 2025. For more information on the deprecation, see Deprecation of Virtual Network Injection for Azure Data Explorer.
Azure Virtual Network (VNet) enables many types of Azure resources to securely communicate with each other. Azure Private Link enables you to access Azure services and Azure-hosted customer-owned or partner services over a Private Endpoint in your virtual network. A Private Endpoint uses an IP address from your virtual network's address space so that Azure Data Explorer can securely connect to Azure services such as Azure Storage and event hub. Azure Data Explorer accesses the Private Endpoint of the storage accounts or event hubs over the Microsoft backbone, and all communication, for example, data export, external tables, and data ingestion, takes place over the private IP address.
In contrast to a Private Endpoint, a service endpoint remains a publicly routable IP address. A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network.
This article shows you how to create a connection between Azure Data Explorer and event hub or Azure Storage.
Prerequisites
Private Endpoint
Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network.
Allow access to Azure Storage Account from Azure Data Explorer Subnets using a Private Endpoint
For a tutorial on how to create a Private Endpoint in your Azure Storage account, see Tutorial: Connect to a storage account using an Azure Private Endpoint.
When you follow that tutorial, select the virtual network that contains the Azure Data Explorer subnet, and then select the Azure Data Explorer subnet itself.
Service Endpoint
A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Service endpoints allow you to restrict access to your critical Azure service resources to only your virtual networks.
Allow access to Azure Storage account from Azure Data Explorer subnets using a service endpoint
This section shows you how to use the Azure portal to add a virtual network service endpoint. To limit access to this Azure Storage account, add the virtual network service endpoint for the Azure Data Explorer subnet to the account's allowed networks.
Add a virtual network
Navigate to the storage account you want to secure.
In the left-hand menu, select Firewalls and virtual networks.
Enable access from Selected networks.
Under Virtual Networks, select + Add existing virtual network.
Add networks pane
In the right-hand Add networks pane, select your Azure subscription.
Select the virtual network from the list of virtual networks, and then pick the subnet.
Note
Enable the service endpoint before adding the virtual network to the list. If the service endpoint is not enabled, the portal will prompt you to enable it.
Select Add.
Save and verify virtual network settings
Select Save on the toolbar to save the settings.
Wait a few minutes for the confirmation to appear in the portal notifications.
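After saving, it is worth confirming that the subnet rule actually took effect and that the storage account no longer defaults to allowing all networks, since a rule list with defaultAction still set to Allow restricts nothing. The following Python check is an added example, not part of this article; it audits the JSON that `az storage account show --query networkRuleSet -o json` returns, the sample output and resource IDs are constructed placeholders, and the camelCase key names are assumed from the CLI's output format.

```python
import json
from typing import List, Optional

# Constructed sample of the CLI's networkRuleSet output (assumed camelCase
# shape); the subscription and resource names are placeholders, not real ones.
SAMPLE_RULE_SET = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [],
  "virtualNetworkRules": [
    {
      "action": "Allow",
      "state": "Succeeded",
      "virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-adx/providers/Microsoft.Network/virtualNetworks/vnet-adx/subnets/snet-adx"
    }
  ]
}
""")

# Placeholder subnet ID; note the different casing of 'resourcegroups'.
ADX_SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-adx"
                 "/providers/Microsoft.Network/virtualNetworks/vnet-adx/subnets/snet-adx")


def subnet_rule(rule_set: dict, subnet_id: str) -> Optional[dict]:
    """Return the virtual network rule for subnet_id, or None if absent.
    Azure resource IDs are case-insensitive, so compare them lowercased."""
    wanted = subnet_id.lower()
    for rule in rule_set.get("virtualNetworkRules", []):
        if rule.get("virtualNetworkResourceId", "").lower() == wanted:
            return rule
    return None


def audit_rule_set(rule_set: dict, subnet_id: str) -> List[str]:
    """Return findings; an empty list means the Azure Data Explorer subnet is
    allowed and the account is not still open to every network."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: all networks can still reach the account")
    rule = subnet_rule(rule_set, subnet_id)
    if rule is None:
        findings.append("Azure Data Explorer subnet is not in virtualNetworkRules")
    else:
        if rule.get("action") != "Allow":
            findings.append(f"subnet rule action is {rule.get('action')!r}, expected 'Allow'")
        if rule.get("state") != "Succeeded":
            # Any other state (e.g. Provisioning, NetworkSourceDeleted) means
            # the rule is not in effect; check the subnet's service endpoint.
            findings.append(f"subnet rule state is {rule.get('state')!r}, expected 'Succeeded'")
    return findings


if __name__ == "__main__":
    for line in audit_rule_set(SAMPLE_RULE_SET, ADX_SUBNET_ID) or ["OK: subnet allowed, default action Deny"]:
        print(line)
```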