Security concerns when linking Dataverse to Azure Synapse

Thijs van Haren 0 Reputation points
2023-01-11T10:12:55.5433333+00:00

Hi all,

When linking Dataverse to Azure Synapse I noticed that it is required to have public network access enabled for the Synapse Workspace. The company I work for has a policy where we are required to use IP whitelisting for services.

It is unclear to me how to access the storage account when enabling public network access to the workspace. Am I only able to access it via Azure AD? Or is there any other way to connect to/get the data of the storage account?

Can someone inform me on the security information when accessing the storage account for my workspace when linking Dataverse to Azure Synapse? Thanks in advance!


1 answer

  1. BhargavaGunnam-MSFT 26,136 Reputation points Microsoft Employee
    2023-01-14T03:54:46.77+00:00

    Hello @Thijs van Haren ,
    Yes, it is required to have public network access to link Dataverse to Azure Synapse. Also, the storage account must have hierarchical namespace enabled. The Synapse workspace must be in the same region as your Azure Data Lake Storage Gen2 account with public network access enabled.

    Once you link Dataverse to Synapse, the data is available in Synapse via the new lake database.

    This data can be queried via Synapse SQL or Synapse Spark. This data can be directly accessed from the lake (no data is kept in Synapse).

    When you mention "how to access the storage account when enabling public network access to the workspace", are you talking about a data lake account in general? If yes, apart from AAD, you can use Azure Private Link or VNet endpoints to access the data lake account.

    Regarding your security concerns:
    Currently, you can't provide public IPs for the Azure Synapse Link for Dataverse service that can be used in Azure Data Lake firewall settings. Public IP network rules have no effect on requests originating from the same Azure region as the storage account. Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you can't restrict access to specific Azure services based on their public outbound IP address range.

    I hope this helps. Please let me know if you have any further questions.

    Reference document: https://learn.microsoft.com/en-us/power-apps/maker/data-platform/azure-synapse-link-synapse
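
As an added example (not part of the original answer and not Microsoft's code), the sketch below checks the prerequisites listed in the answer and models why a public IP rule on the storage firewall does not govern same-region callers. It assumes the field names follow the JSON printed by `az storage account show` and `az synapse workspace show`; the resource names, regions and IP ranges are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed samples. Field names are assumed to follow the JSON printed by
# `az storage account show` and `az synapse workspace show`; values are made up.
STORAGE = {
    "name": "examplelake", "location": "westeurope", "isHnsEnabled": True,
    "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"}],
    },
}
WORKSPACE = {"name": "examplews", "location": "westeurope",
             "publicNetworkAccess": "Enabled"}


def _region(name):
    """Normalise 'West Europe' and 'westeurope' to the same key."""
    return name.replace(" ", "").lower()


def link_prerequisite_findings(storage, workspace):
    """Return the prerequisites from the answer that the pair does not meet."""
    findings = []
    if not storage.get("isHnsEnabled"):
        findings.append("storage account: hierarchical namespace not enabled")
    if _region(storage["location"]) != _region(workspace["location"]):
        findings.append("workspace and storage account are in different regions")
    if workspace.get("publicNetworkAccess") != "Enabled":
        findings.append("workspace: public network access not enabled")
    return findings


def ip_rule_decision(storage, caller_region, caller_ip):
    """Model only the public IP rules; VNet rules and private endpoints are ignored."""
    if _region(caller_region) == _region(storage["location"]):
        return "not-applied"  # same-region callers arrive from private Azure IPs
    rules = storage["networkRuleSet"]
    if rules["defaultAction"] == "Allow":
        return "allow"
    addr = ipaddress.ip_address(caller_ip)
    for rule in rules["ipRules"]:
        if addr in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False):
            return "allow"
    return "deny"


if __name__ == "__main__":
    print(link_prerequisite_findings(STORAGE, WORKSPACE))
    print(ip_rule_decision(STORAGE, "West Europe", "198.51.100.7"))
```

A "not-applied" result marks the case where an IP allowlist gives no control, so access has to be constrained through identity, Private Link or VNet endpoints as the answer describes.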