The error indicates that the on-premises runtime (network type OnPremise, IP shown as a link-local IPv6 address) cannot reach the target resource “pandey” over the network, or that the target is rejecting access.
Based on similar “access denied” and network-plane issues in the context, the following checks and fixes apply:
- Verify basic network connectivity from the self-hosted integration runtime (SHIR) machine to the target:
- From the SHIR server, ping or
nslookup the hostname pandey.
- If DNS does not resolve, add or correct the DNS entry (on-prem DNS or hosts file) so that
pandey resolves to the correct IPv4/IPv6 address.
- Ensure the SHIR is not using only a link-local IPv6 (like
fe80::...) path that cannot route to the target.
- Check firewalls, ACLs, and routing between SHIR and
pandey:
- Confirm that required ports for the target system are open (for example, 1433 for SQL Server, 445 for SMB, etc., depending on what “pandey” is).
- Ensure no network ACLs or perimeter firewalls are blocking the SHIR subnet from reaching
pandey.
- If Private Link or managed private endpoints are used, validate routing and DNS so traffic goes over the correct private path, not the public internet.
- Validate access control on the target resource:
- Confirm that the account used by the Data Factory linked service has permission to access
pandey (for example, SQL login, Windows/AD account, or service account).
- Check for policies like “Deny access from network” or “Deny access to this computer from the network” that might block the account, similar to the “user account is not allowed the Network Login type” scenario.
- If using Private Link / private endpoints to reach Azure resources from on-prem:
- Verify that the private endpoint connection is approved and in a
Succeeded state.
- Confirm DNS for the Azure resource resolves to the private endpoint IP, not a public IP.
- Use tools like
nslookup or Test-NetConnection from the SHIR machine to confirm the path.
- If the error is coming from an Azure PaaS resource (for example, Key Vault, Storage, App Configuration):
- Check that public network access and firewall rules allow the SHIR’s public IP or that a private endpoint is configured and reachable.
- For “IP address rejected” / 403 scenarios, ensure the request originates from within the allowed virtual network or via the configured private endpoint and that DNS points to the private IP.
- Re-test from the SHIR host:
- After fixing DNS, firewall, and permissions, re-run the Data Factory pipeline or linked service test connection.
- If it still fails, capture the exact error message and HTTP status (for PaaS targets) or OS-level error (for on-prem targets) to narrow whether it is network, authentication, or authorization.
These steps align with how similar “access denied” and network-plane errors are resolved for other Azure services when using private endpoints or restricted network access.
References:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 89%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 24%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPP%3C/text%3E%3C/svg%3E)
