Azure Synapse Workspace Integration Runtime over Private Endpoint to On-Prem?

Seth Coleman 26 Reputation points

I have an On-Prem server running an integration runtime (in order to access an ODBC driver for our ERP system). That is working fine as is.

I would like to have this integration runtime traffic go over a site to site (RG to On-Prem) VPN we've created for the resource group.

Is there a way to configure the workspace or the integration runtime itself in order to force the traffic over that VPN?

Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.

1 answer

  1. BhargavaGunnam-MSFT 28,111 Reputation points Microsoft Employee

    Hello @Seth Coleman ,

    Welcome to the MS Q&A platform.

    You can use Azure Private Link to connect to your Azure Synapse workspace.

    Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a Private Endpoint in your virtual network. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet. You can also create your own Private Link Service in your virtual network and deliver it privately to your customers.

    A private endpoint is a private IP address within a specific virtual network and subnet. This allows us to access the self-hosted Integration Runtime in our Azure VNets by using a private endpoint without a virtual network gateway.

    Enabling a Private Link for each of the preceding communication channels offers the following functionality:

    • You can author and monitor Synapse from your virtual network, even if you block all outbound communications. If you create a private endpoint for the portal, others can still access Synapse through the public network.
    • The command communications between the self-hosted IR and Synapse can be performed securely in a private network environment. The traffic between the self-hosted IR and Synapse goes through Private Link.

    Reference document:


    I hope this helps. Please let me know if you have any further questions.


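One way to check, from the server hosting the integration runtime, that the workspace endpoints resolve to addresses inside the private endpoint subnet rather than to public addresses. This is an added example, not part of the original answer or Microsoft's tooling; the hostnames, subnet and addresses are constructed placeholders, and `check_endpoints` and `sample_resolver` are hypothetical names.

```python
import ipaddress
import socket


def resolve(host):
    """Return the sorted IP addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_endpoints(hosts, pe_subnet, resolver=resolve):
    """Map each host to (status, addresses).

    status is "private-endpoint" when every resolved address lies inside
    pe_subnet, "outside-subnet" when at least one does not (traffic would
    not use the private endpoint), and "unresolved" when lookup fails.
    """
    subnet = ipaddress.ip_network(pe_subnet)
    report = {}
    for host in hosts:
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            addrs = []
        if not addrs:
            report[host] = ("unresolved", [])
            continue
        inside = all(ipaddress.ip_address(a) in subnet for a in addrs)
        report[host] = ("private-endpoint" if inside else "outside-subnet", addrs)
    return report


# Constructed sample data: placeholder workspace name, subnet and addresses.
SAMPLE_SUBNET = "10.20.1.0/24"
SAMPLE_DNS = {
    "contoso-ws.dev.azuresynapse.net": ["10.20.1.5"],
    "contoso-ws.sql.azuresynapse.net": ["20.42.0.10"],
}


def sample_resolver(host):
    """Offline stand-in for DNS so the example runs without a network."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror("constructed lookup failure")
    return SAMPLE_DNS[host]


if __name__ == "__main__":
    hosts = list(SAMPLE_DNS) + ["contoso-ws-ondemand.sql.azuresynapse.net"]
    result = check_endpoints(hosts, SAMPLE_SUBNET, sample_resolver)
    for host, (status, addrs) in result.items():
        print(f"{status:17} {host} {addrs}")
```

On the real server, call `check_endpoints` without the `resolver` argument and pass your own workspace hostnames and private endpoint subnet; any `outside-subnet` result points at on-premises DNS that is not forwarding the private link zones.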