Azure Synapse managed Vnet default routing through an NVA firewall
We have deployed a Synapse instance with a managed VNet.
We have also deployed a Palo Alto Azure firewall appliance that we want to inspect all traffic with.
I understand I can use Private Endpoints when communicating with Synapse from other VNets, and we have routed all traffic that is initialized from other sources (VMs, SQL, etc.) to that private endpoint through the Palo Alto.
I'm wondering if we can route traffic initialized from Synapse to that Palo Alto as well.
Azure Synapse Analytics
-
phemanth • 15,755 Reputation points • Microsoft External Staff • Moderator
2025-02-14T07:22:43.32+00:00
Welcome to Microsoft Q&A platform and thanks for posting your query here.
You're on the right track with using Private Endpoints for inbound traffic to Synapse. However, routing outbound traffic from the Synapse managed VNet through your Palo Alto firewall requires a different approach since you can't directly manipulate the default route table of a managed VNet.
To achieve this, you need to configure custom routes in your route table to direct the traffic through the Network Virtual Appliance (NVA).
Here are the steps:
- Create a Route Table: In the Azure portal, create a route table if you don't already have one.
- Add a Route: Add a custom route to the route table. Set the destination address prefix to 0.0.0.0/0 (or a specific address range if you prefer) and the next hop type to Virtual Appliance. Enter the IP address of your Palo Alto firewall as the next hop.
- Associate the Route Table: Associate the route table with the subnet where your Synapse workspace is deployed.
- Configure UDRs: Ensure that User-Defined Routes (UDRs) are configured correctly to route traffic from the Synapse managed VNet to the Palo Alto firewall.
By setting up these custom routes, you can ensure that all traffic from your Synapse instance is inspected by the Palo Alto firewall.
Please refer to:
https://learn.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva
https://www.willvelida.com/posts/vnet-traffic-routing/
I hope the above steps will resolve the issue; please do let us know if the issue persists. Thank you.
-
Shawn Schiebrel • 5 Reputation points
2025-02-14T13:13:39.8966667+00:00
This is what I thought I was going to have to do, but I didn't want to stand up a lab for all this to test. Question tho. This all needs to be private IP addressing (we don't want to use the public IP of Synapse for anything), and since I can't see and won't know the managed private subnet for Synapse (or will I?):
- Will the synapse managed vnet/subnet know, and be able to route to, the 1918 subnet that I assign the trusted interface of the palo alto
- how will I make layer 3 rules on the palo allowing synapse to various other resources and vice versa? (what subnet will I use for synapse)
-
phemanth • 15,755 Reputation points • Microsoft External Staff • Moderator
2025-02-14T18:43:50.78+00:00
Thanks for your information.
Great questions! Let's break this down:
Private IP Addressing: When using a Synapse managed VNet, the managed private subnet is not directly visible to you. However, you can still route traffic through your Palo Alto firewall using private IP addresses. The managed VNet will handle the private IP addressing internally.
Routing to the 1918 Subnet: Yes, the Synapse managed VNet can route to the 1918 subnet (private IP range) that you assign to the trusted interface of the Palo Alto firewall. You will need to set up User-Defined Routes (UDRs) to ensure that traffic from the Synapse managed VNet is directed to the Palo Alto firewall.
Layer 3 Rules on Palo Alto: To create Layer 3 rules on the Palo Alto firewall, you will need to know the IP ranges used by the Synapse managed VNet. While you won't see the exact managed private subnet, you can configure your firewall rules based on the IP ranges used by the Synapse workspace. Typically, these ranges are part of the private IP address space (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Here's a general approach:
- Identify IP Ranges: Determine the IP ranges used by your Synapse workspace. This information can be found in the Azure portal under the networking settings of your Synapse workspace.
- Configure UDRs: Set up User-Defined Routes in the route table associated with the Synapse managed VNet to route traffic to the Palo Alto firewall.
- Create Firewall Rules: On the Palo Alto firewall, create Layer 3 rules to allow traffic from the identified IP ranges of the Synapse managed VNet to the necessary resources and vice versa.
For more detailed guidance, please refer to the following resources:
-
Shawn Schiebrel • 5 Reputation points
2025-02-17T14:19:46.9466667+00:00
OK, I set up a lab for this and created my Synapse workspace. The only network mentioned is under Security, and it does not list the VNet or subnet that was created by the managed VNet.
Under Settings, only Entra ID, Properties (no mention of a network there either), and Lock appear.
Under Security, Networking is there, but only the settings for public network access and inbound FW rules are there. No VNet or subnet information.
Moreover, I created a UDR and tried to attach it to the Synapse network, but the only VNet/subnet in the dropdown was the VNet I created as a private endpoint space.
I'm not sure where you got the information you list, but the Synapse workspace does not have the information you state it should. Perhaps a PowerShell workaround?
-
phemanth • 15,755 Reputation points • Microsoft External Staff • Moderator
2025-02-17T18:50:11.8866667+00:00
Here is a potential workaround using PowerShell to help you achieve your goal.
PowerShell Workaround:
- Install the Az.Synapse Module: Ensure you have the Az.Synapse module installed. If not, you can install it using the following command:
    Install-Module -Name Az.Synapse -AllowClobber -Force
- Connect to Your Azure Account:
    Connect-AzAccount
- Retrieve Synapse Workspace Information: Use the following command to get details about your Synapse workspace:
    $workspace = Get-AzSynapseWorkspace -ResourceGroupName "YourResourceGroupName" -Name "YourWorkspaceName"
- Get Managed VNet Information: Although the managed VNet and subnet details are not directly visible in the portal, you can retrieve the necessary information using the following command:
    $managedVNet = Get-AzSynapseManagedVirtualNetwork -ResourceGroupName "YourResourceGroupName" -WorkspaceName "YourWorkspaceName"
- Create and Associate UDR: Create a route table and add a custom route to direct traffic through your Palo Alto firewall. Then, associate this route table with the managed VNet subnet:
    # Create a route table
    $routeTable = New-AzRouteTable -ResourceGroupName "YourResourceGroupName" -Location "YourLocation" -Name "YourRouteTableName"
    # Add a default route pointing at the firewall; Add-AzRouteConfig only edits the
    # in-memory object, so pipe it to Set-AzRouteTable to persist the change
    $routeTable = Add-AzRouteConfig -Name "RouteToFirewall" -AddressPrefix "0.0.0.0/0" -NextHopType "VirtualAppliance" -NextHopIpAddress "PaloAltoFirewallIP" -RouteTable $routeTable | Set-AzRouteTable
    # Associate the route table with the managed VNet subnet; likewise the subnet
    # config change is only saved once the VNet object is written back
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $managedVNet -Name "ManagedSubnetName" -AddressPrefix "SubnetAddressPrefix" -RouteTable $routeTable | Set-AzVirtualNetwork
-
Shawn Schiebrel • 5 Reputation points
2025-02-17T19:17:26.3766667+00:00
Get-AzSynapseManagedVirtualNetwork is no longer a valid command. I can get the workspace info fine, but that command comes back bad. If I google the command, I get no results; it's not even in the CLI list of Synapse PowerShell commands.
https://learn.microsoft.com/en-us/cli/azure/synapse?view=azure-cli-latest
-
phemanth • 15,755 Reputation points • Microsoft External Staff • Moderator
2025-02-19T19:30:32.22+00:00
Please consider this alternative approach.
Install Azure CLI: If you haven't already installed the Azure CLI, you can download and install it from here.
Log in to Azure:
    az login
Retrieve Synapse Workspace Information:
    az synapse workspace show --name YourWorkspaceName --resource-group YourResourceGroupName
List Private Endpoints:
    az network private-endpoint list --resource-group YourResourceGroupName
Create and Associate UDR: You can create a route table and add a custom route to direct traffic through your Palo Alto firewall. Then, associate this route table with the subnet where your Synapse workspace is deployed.
    # Create a route table
    az network route-table create --resource-group YourResourceGroupName --name YourRouteTableName --location YourLocation
    # Add a route to the route table
    az network route-table route create --resource-group YourResourceGroupName --route-table-name YourRouteTableName --name RouteToFirewall --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address PaloAltoFirewallIP
    # Associate the route table with the subnet
    az network vnet subnet update --resource-group YourResourceGroupName --vnet-name YourVNetName --name YourSubnetName --route-table YourRouteTableName
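As an added defender-side check, not from the thread or from Microsoft: the CLI commands above only create the route, while the script below audits the JSON that `az network route-table list -o json` returns, confirming that each subnet expected to egress through the firewall has a 0.0.0.0/0 route to the NVA and flagging any more-specific route that bypasses it. Field names follow the Azure CLI output shape; the sample route table, subnet IDs and NVA address are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample shaped like `az network route-table list -o json`
# (field names follow the Azure CLI; resource IDs are shortened placeholders).
SAMPLE_ROUTE_TABLES = json.loads("""[
  {"name": "rt-pe",
   "routes": [
     {"name": "RouteToFirewall", "addressPrefix": "0.0.0.0/0",
      "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
     {"name": "StorageDirect", "addressPrefix": "20.60.0.0/16",
      "nextHopType": "Internet", "nextHopIpAddress": null}],
   "subnets": [{"id": "/rg-lab/vnet-pe/subnets/snet-pe"}]}
]""")
# Subnets whose egress must be inspected by the NVA (constructed list).
REQUIRED_SUBNETS = ["/rg-lab/vnet-pe/subnets/snet-pe",
                    "/rg-lab/vnet-pe/subnets/snet-sql"]
NVA_IP = "10.0.1.4"  # trusted interface of the firewall (placeholder)


def audit_forced_tunnel(route_tables, required_subnet_ids, nva_ip):
    """Return {subnet_id: [finding, ...]}; an empty list means compliant."""
    table_for = {}
    for rt in route_tables:
        for s in rt.get("subnets") or []:
            table_for[s["id"].lower()] = rt
    report = {}
    for sid in required_subnet_ids:
        rt = table_for.get(sid.lower())
        if rt is None:
            # Without a UDR the system route sends 0.0.0.0/0 straight to Internet.
            report[sid] = ["no route table associated; system routes apply"]
            continue
        findings, default_ok = [], False
        for r in rt.get("routes") or []:
            net = ipaddress.ip_network(r["addressPrefix"], strict=False)
            hop, hop_ip = r.get("nextHopType"), r.get("nextHopIpAddress")
            to_nva = hop == "VirtualAppliance" and hop_ip == nva_ip
            if net.prefixlen == 0:
                default_ok = default_ok or to_nva
                if not to_nva:
                    findings.append(f"default route {r['name']} goes to {hop} {hop_ip or ''}".rstrip())
            elif not to_nva and hop != "None":
                # Longest-prefix match: this route wins over 0.0.0.0/0 for its prefix.
                findings.append(f"route {r['name']} ({net}) bypasses NVA via {hop}")
        if not default_ok:
            findings.insert(0, "no 0.0.0.0/0 route to the NVA")
        report[sid] = findings
    return report
```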
-
shawn schiebrel • 0 Reputation points
2025-02-19T21:05:33.29+00:00
While I appreciate the suggestion, this does not work. The subnet name in the workspace is default and does not list the VNet name at all.
    "location": "eastus2",
    "managedResourceGroupName": "synapseworkspace-managedrg-2373ad99",
    "managedVirtualNetwork": "default",
    "managedVirtualNetworkSettings": {
      "allowedAadTenantIdsForLinking": [],
      "linkedAccessCheckOnTargetResource": null,
      "preventDataExfiltration": true
-
phemanth • 15,755 Reputation points • Microsoft External Staff • Moderator
2025-02-21T19:44:39.64+00:00
@Shawn Schiebrel I understand your situation. The managed VNet for Azure Synapse can indeed be tricky to work with since it doesn't expose the VNet and subnet details directly.
Given the constraints, here are a few alternative approaches you might consider:
- Using Private Endpoints for Outbound Traffic:
While the managed VNet doesn't expose its details, you can still use private endpoints to route traffic through your firewall. This involves setting up private endpoints for the resources Synapse needs to communicate with and ensuring those endpoints are routed through your Palo Alto firewall.
- Azure Firewall or Network Virtual Appliance (NVA):
Consider using an Azure Firewall or another NVA in conjunction with your Palo Alto firewall. You can set up a hub-and-spoke network topology where the Synapse managed VNet is a spoke, and the hub contains the Azure Firewall or NVA. This setup allows you to route traffic through the firewall without needing direct access to the managed VNet's subnet details.
- Custom DNS and Private Link:
Use Azure Private Link and custom DNS settings to ensure that traffic from Synapse to other Azure services is routed through your firewall. This involves configuring private DNS zones and linking them to your VNet.
Example Configuration with Private Endpoints:
- Create Private Endpoints for the resources Synapse needs to access.
- Configure DNS to ensure traffic to these resources is routed through the private endpoints.
- Set Up UDRs to route traffic from the private endpoints through your Palo Alto firewall.
Example Configuration with Hub-and-Spoke:
- Create a Hub VNet with an Azure Firewall or NVA.
- Peering: Peer the Synapse managed VNet with the Hub VNet.
- Route Traffic: Use UDRs to route traffic from the Synapse managed VNet through the Hub VNet and then through your Palo Alto firewall.
-
shawn schiebrel • 0 Reputation points
2025-02-24T12:57:43.4+00:00
Have you actually done this, or are you just assuming this is how it's done? You cannot use UDRs with a Synapse managed VNet in any way that I've found. You are unable to assign the UDR to the managed VNet subnet since it does not appear in the dropdown list of available subnets. The Palo Alto IS an NVA.
-
phemanth • 15,755 Reputation points • Microsoft External Staff • Moderator
2025-02-25T17:58:20.6866667+00:00
I apologize. The managed VNet for Azure Synapse can indeed be challenging to work with due to its limitations and lack of visibility.
Please consider this approach:
Use a hub-and-spoke network topology where the Synapse managed VNet is a spoke, and the hub contains your Palo Alto NVA. This setup allows you to route traffic through the firewall without needing direct access to the managed VNet's subnet details.
Steps for Hub-and-Spoke Configuration:
- Create a Hub VNet: Deploy your Palo Alto NVA in the hub VNet.
- Peer the Synapse Managed VNet with the Hub VNet: Use VNet peering to connect the Synapse managed VNet with the hub VNet.
- Configure Routing: Use UDRs in the hub VNet to route traffic through the Palo Alto NVA.
-
Shawn Schiebrel • 5 Reputation points
2025-02-14T13:24:32.0833333+00:00