Synapse Integration Runtime with public subtype when Managed virtual network is enabled

Finn Schmidt 86 Reputation points
2024-08-29T08:40:24.7166667+00:00

Hello,

I have created a Synapse Analytics workspace with managed virtual network enabled. This is so that I can use private endpoints to access a SQL database that has public access disabled. The access to this resource uses a newly created integration runtime with the subtype Managed Virtual Network.

For a secondary process, I want to create a pipeline that calls a web activity to a resource not within the virtual network - not within any virtual network in fact. Thus I want to use an integration runtime with the public subtype. However, the workspace doesn't allow creating integration runtimes with virtual network disabled:


and even the AutoResolveIntegrationRuntime (created by default) has the Managed Virtual Network enabled


Using any of these integration runtimes, I am unable to access public resources outside the virtual network. Here is a simple repro example, trying to access Google in a web activity:


{ "errorCode": "2108", "message": "Error calling the endpoint 'https://www.google.com'. Response status code: 'NA - Unknown'. More details: Exception message: 'NA - Unknown [ClientSideException] An error occurred while sending the request.'.\r\nRequest didn't reach the server from the client. This could happen because of an underlying issue such as network connectivity, a DNS failure, a server certificate validation or a timeout. ", "failureType": "UserError", "target": "Web1", "details": [] }


Is it really not possible to access public resources from a Synapse workspace with managed virtual network enabled, without creating a (redundant) private endpoint to each? Is there some setting I am missing?

Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.

Accepted answer
  1. phemanth 10,325 Reputation points Microsoft Vendor
    2024-08-29T13:31:59.7466667+00:00

    @Finn Schmidt

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    You’re encountering a common challenge when working with Azure Synapse Analytics and managed virtual networks. Here are a few points to consider:

    1. Public Network Access: When you enable a managed virtual network for your Synapse workspace, it restricts access to public networks by default. This is designed to enhance security by preventing data exfiltration.
    2. Integration Runtime: The integration runtime within a managed virtual network cannot access public resources directly. This is why your web activity to access Google is failing. The error message indicates that the request didn’t reach the server, likely due to network restrictions.
    3. Solutions:
      • Self-Hosted Integration Runtime: You can set up a self-hosted integration runtime outside the managed virtual network. This runtime can access public resources and communicate with your Synapse workspace.
      • Public Network Access Configuration: You can enable public network access for your Synapse workspace. This allows incoming public network connectivity to your workspace, but it might not be the best practice from a security standpoint.
    4. Private Endpoints: If you need to access specific public resources frequently, creating private endpoints for those resources might be necessary, even though it seems redundant.

    Please refer to the links below for detailed information:

    1: Azure Synapse connectivity settings

    2: Managed virtual network - Azure Synapse Analytics

    Hope this helps. Do let us know if you have any further queries.

