Azure Data Factory - Key Vault necessary with AzureIR Managed VNet?

Chris Crichton-RA 1 Reputation point

TLDR - If all elements of ADF Pipelines are being sent through Azure IR Managed Private VNet, would my API Keys be exposed if passed through directly instead of using the Key Vault?

The reason I ask is that I would like to parameterize my Linked Services so that I can use 1 linked service for multiple API Keys.

I currently use the Key Vault given its ease of use, however it does not seem there is a way to parameterize the Key Vault Names. (It is listed below it but does not allow expressions)


Thank You

Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
7,127 questions
{count} votes

1 answer

Sort by: Most helpful
  1. PRADEEPCHEEKATLA-MSFT 59,141 Reputation points Microsoft Employee

    Hello @Chris Crichton-RA ,

    Thanks for the question and using MS Q&A paltform.

    The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.

    When you create an Azure integration runtime within a Data Factory managed virtual network, the integration runtime is provisioned with the managed virtual network. It uses private endpoints to securely connect to supported data stores.

    Creating an integration runtime within a managed virtual network ensures the data integration process is isolated and secure.

    Benefits of using a managed virtual network:

    • With a managed virtual network, you can offload the burden of managing the virtual network to Data Factory. You don't need to create a subnet for an integration runtime that could eventually use many private IPs from your virtual network and would require prior network infrastructure planning.
    • Deep Azure networking knowledge isn't required to do data integrations securely. Instead, getting started with secure ETL is much simpler for data engineers.
    • A managed virtual network along with managed private endpoints protects against data exfiltration.

    Unfotunately, you cannot parameterize Key Vault Linked Service.

    Note: It is allowed at Key Vault Secret Name level as shown below


    Appreciate if you could share the feedback on our feedback channel. Which would be open for the user community to upvote & comment on. This allows our product teams to effectively prioritize your request against our existing feature backlog and gives insight into the potential impact of implementing the suggested feature.

    Hope this will help. Please let us know if any further queries.


    • Please don't forget to click on 130616-image.png or upvote 130671-image.png button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
    • Want a reminder to come back and check responses? Here is how to subscribe to a notification
    • If you are interested in joining the VM program and help shape the future of Q&A: Here is jhow you can be part of Q&A Volunteer Moderators
    1 person found this answer helpful.
    0 comments No comments