Azure Purview aka MS Purview for Databases deployment practices

Prasant Chettri 146 Reputation points
2024-11-25T05:37:44.13+00:00

I am planning to find the best landing zone strategy for Purview deployment. However, the Azure Purview deployment map is completely isolated from the Azure landing zone map. The new landing zone has Platform - Identity, Management (shared resources), Connectivity and Application landing zones. Based on the new landing zone architecture, the only place I can think of for deploying Purview or SHIR is the management (shared) landing zone VNet. Would it be the best approach for Purview and SHIR deployment?

Additionally, when using Managed Virtual Network (Managed VNet) with Azure Integration Runtime (IR) in Microsoft Purview, the underlying virtual network is fully managed by Microsoft. This means you don't get visibility or control over its IP address range, subnets, or network configuration.

Considering I do not have any control to plan the flow of Purview-based traffic from Azure VWAN, I guess the best option to have control is to deploy SHIR on-prem and in a cloud private network deployment.

I wonder why there is no clear and succinct document on Purview integration with the AZ landing zone and clearly highlighted limitations of managed VNet IR.

Microsoft Security | Microsoft Purview

1 answer

  1. phemanth 15,765 Reputation points Microsoft External Staff Moderator
    2024-11-25T14:08:45.5566667+00:00

    @Prasant Chettri

    Thanks for reaching out to Microsoft Q&A.

    When planning the deployment of Microsoft Purview (formerly Azure Purview) within the context of Azure landing zones, it’s essential to consider the architecture and best practices for optimal integration.

    Deployment Strategy

    Landing Zone Placement:

    • Deploying Purview in the Management (Shared) Landing Zone is a sound approach. This allows you to centralize governance and management resources, which is crucial for data governance and compliance.
    • Ensure that your Purview account is set up within a managed resource group to facilitate easier management and scaling.

    Managed Virtual Network (Managed VNet):

    • As you noted, using a Managed VNet with Azure Integration Runtime (IR) means you lose some control over the network configuration. This can limit your ability to manage traffic flows effectively.
    • If you require more control, deploying a Self-Hosted Integration Runtime (SHIR) on-premises or within a private cloud network can be beneficial. This setup allows you to manage data flows and connectivity more effectively, especially for on-premises data sources.

    Networking Considerations:

    • Utilize private endpoints for secure access to your Purview account. This ensures that traffic between your data sources and Purview does not traverse the public internet, enhancing security.
    • Implement Azure Private DNS Zones to manage name resolution for your private endpoints, ensuring seamless connectivity between your resources.

    Documentation and Limitations:

    • It’s understandable to find the documentation around Purview’s integration with Azure landing zones lacking. Microsoft is continuously updating its resources, so providing feedback through official channels can help improve clarity and detail in future documentation.
    • Be aware of the limitations of Managed VNet, particularly regarding visibility and control. This is a common concern, and many organizations opt for SHIR to mitigate these issues.

    Best Practices

    • Centralized Governance: Use a single Purview account for all data governance activities across your organization to maintain a unified data map.
    • Role-Based Access Control (RBAC): Implement RBAC to manage permissions effectively, ensuring that only authorized users can access sensitive data.
    • Regular Reviews: Periodically review your deployment strategy and network configurations to adapt to any changes in your organizational needs or Azure updates.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
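The answer's networking points (private endpoints plus Private DNS Zones so that Purview traffic stays off the public internet) can be verified from the SHIR host by checking what the Purview hostname resolves to. The following is an added example, not part of the answer above and not Microsoft code; the `<account>.purview.azure.com` hostname form, the account names, the addresses and the private-endpoint subnet are constructed assumptions.

```python
import ipaddress
import socket

# RFC 1918 ranges, listed explicitly so the result does not depend on how
# ipaddress.is_private treats documentation or other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(host):
    """Return the IPv4 addresses the local resolver gives for host (needs network)."""
    try:
        infos = socket.getaddrinfo(host, 443, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(ips, pe_subnets):
    """Classify one hostname's DNS answers against the private-endpoint subnets."""
    if not ips:
        return "unresolved"          # no record: zone missing or resolver unreachable
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    nets = [ipaddress.ip_network(cidr) for cidr in pe_subnets]
    if all(any(a in n for n in nets) for a in addrs):
        return "private-endpoint"    # Private DNS zone is linked and answering
    if all(any(a in n for n in RFC1918) for a in addrs):
        return "private-other"       # private, but not the expected subnet
    return "public"                  # traffic would leave via the public endpoint


def audit(answers, pe_subnets):
    """answers maps hostname -> list of resolved IPs; returns hostname -> status."""
    return {host: classify(ips, pe_subnets) for host, ips in answers.items()}


# Constructed sample data (hypothetical accounts and addresses, not real lookups).
SAMPLE_ANSWERS = {
    "contoso-pv.purview.azure.com": ["10.20.1.5"],
    "fabrikam-pv.purview.azure.com": ["203.0.113.10"],
    "tailspin-pv.purview.azure.com": ["10.99.0.4"],
    "northwind-pv.purview.azure.com": [],
}
PE_SUBNETS = ["10.20.1.0/24"]        # assumed subnet holding the private endpoints

if __name__ == "__main__":
    for host, status in audit(SAMPLE_ANSWERS, PE_SUBNETS).items():
        print(f"{status:17} {host}")
```

On a real SHIR host, build the input with `{h: resolve(h) for h in hosts}`; any result other than `private-endpoint` means scans from that host would not use the private endpoint as intended.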

