Connecting ADF to Private Key Vault and VM in VNET with Corporate Firewall

Vishesh Agarwal 0 Reputation points
2025-04-02T07:27:58.63+00:00

A scenario involves a private Key Vault, private SQL, private storage account, private Azure Data Factory (ADF), and a private VM with SHIR hosted on it. All resources have private endpoints created within the same VNET. The SHIR hosted on the VM has been connected to ADF, but the connection to ADF fails when testing any of the linked services with the previously mentioned resources. What steps can be taken to resolve this connection issue?

Azure Data Factory

1 answer

  1. J N S S Kasyap 1,620 Reputation points Microsoft External Staff
    2025-04-02T08:12:25.3066667+00:00

    Hi @Vishesh Agarwal

    To ensure seamless communication, verify that all private endpoints (for Key Vault, SQL, Storage, and ADF) are deployed within the same Virtual Network (VNET) as the VM hosting the SHIR. For example, if the VM resides in a subnet like 10.0.1.0/24, check the Azure portal or use Azure CLI/PowerShell to confirm that each private endpoint is assigned to a subnet within the same VNET.
    Create private endpoints for ADF, Azure SQL Database, Storage Account, and Key Vault within your virtual network. This ensures that traffic between these services remains within the Azure backbone network. For each private endpoint, ensure that a corresponding private DNS zone is created and linked to your virtual network. This allows for proper DNS resolution to the private IP addresses of the services.
    Network Security Groups (NSGs) must permit outbound traffic from the VM’s subnet (e.g., 10.0.1.0/24) to the private endpoint IPs (e.g., 10.0.1.0/24). Please note that NSGs applied to subnets hosting private endpoints or clients must allow traffic on specific ports: 443 for Key Vault, 1433 for SQL, and 443/445 for Storage. In the Azure portal, under the NSG’s "Outbound security rules," add an "Allow" rule with source 10.0.1.0/24, destination 10.0.1.0/24, and ports 443, 1433, etc., as needed.
    With a corporate firewall in place, it may block traffic to private IPs or ADF endpoints. We advise that clients (like the SHIR VM) behind firewalls must allow outbound traffic to private endpoint IPs and ADF’s control plane (e.g., *.datafactory.azure.net) on port 443. Access your firewall logs to identify denied traffic from the VM’s IP (e.g., 10.0.1.10) to private IPs (e.g., 10.0.1.5) or ADF endpoints.

    Please refer to this Microsoft documentation for reference:
    https://learn.microsoft.com/en-us/azure/data-factory/data-factory-private-link
    https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

    I hope this information helps. Please do let us know if you have any further queries.

    Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

    Thank you.
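The DNS and port checks the answer describes can be run from the SHIR VM itself. The script below is an added example, not part of the answer above: it resolves each private-endpoint hostname, flags any that still resolve to a public address (the sign of a missing or unlinked private DNS zone), and then tests the TCP port the NSG or corporate firewall must allow. The `<placeholder>` resource names, the standard Azure FQDN patterns, and the RFC 1918 ranges used to decide what counts as "private" are assumptions; adjust them to your environment.

```powershell
# Added diagnostic (not from the original answer). Run on the SHIR VM; replace the <placeholders>.
# Each entry is a private endpoint the answer names, with the port its NSG rule must allow.
$checks = @(
    @{ Name = 'Key Vault'; Host = '<kv-name>.vault.azure.net';             Port = 443  },
    @{ Name = 'SQL';       Host = '<sql-server>.database.windows.net';      Port = 1433 },
    @{ Name = 'Blob';      Host = '<storage>.blob.core.windows.net';        Port = 443  },
    @{ Name = 'File';      Host = '<storage>.file.core.windows.net';        Port = 445  },
    @{ Name = 'ADF';       Host = '<factory>.<region>.datafactory.azure.net'; Port = 443 }
)

function Test-PrivateAddress([string]$ip) {
    # RFC 1918 ranges (assumption: the VNET uses private address space from these blocks).
    return ($ip -match '^10\.') -or ($ip -match '^192\.168\.') -or
           ($ip -match '^172\.(1[6-9]|2[0-9]|3[0-1])\.')
}

foreach ($c in $checks) {
    # Step 1: DNS. A linked private DNS zone should hand back the endpoint's VNET address.
    try {
        $ips = (Resolve-DnsName -Name $c.Host -Type A -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }).IPAddress
    } catch {
        Write-Host ("{0,-10} {1}: DNS resolution FAILED ({2})" -f $c.Name, $c.Host, $_.Exception.Message)
        continue
    }
    $privateHits = @($ips | Where-Object { Test-PrivateAddress $_ })
    if ($privateHits.Count -eq 0) {
        # A public IP here means traffic would leave the VNET: check the private DNS zone link.
        Write-Host ("{0,-10} {1} -> {2}: PUBLIC IP, check private DNS zone link" -f `
            $c.Name, $c.Host, ($ips -join ','))
    }

    # Step 2: TCP reachability on the port the NSG and corporate firewall must permit.
    $tcp   = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    $state = if ($tcp.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED (check NSG / corporate firewall)' }
    Write-Host ("{0,-10} {1}:{2} -> {3} {4}" -f $c.Name, $c.Host, $c.Port, ($ips -join ','), $state)
}
```

A host that resolves to a private address but reports BLOCKED points at the NSG or firewall rules; one that resolves to a public address points at DNS, regardless of the port result.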

