Azure Data Factory Copy Activity Fails – Azure IR Pre-login Handshake Timeout Across Regions

Question

Azure Data Factory Copy Activity Fails – Azure IR Pre-login Handshake Timeout Across Regions

Gerrit Van Even 0

Due to ill-supported support from within Azure, I try getting answers along this way:

We are encountering persistent failures in Azure Data Factory copy activities when writing to Azure SQL Database using the Azure Integration Runtime (both AutoResolve and dedicated).

The failure consistently occurs during the pre-login handshake phase. This happens despite correct configuration and full firewall access.

Error message: ErrorCode=SqlFailedToConnect Type=Microsoft.Data.SqlClient.SqlException Message=Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. Duration: [Pre-Login] initialization=74; handshake=14936; Type=System.ComponentModel.Win32Exception Message=The wait operation timed out

What we have verified:

SQL Server firewall allows all traffic (0.0.0.0 – 255.255.255.255)

Credentials are correct

Linked service test connections succeed

SSMS connections work from a non-corporate (home) network

Synapse pipelines in the same resource group and region can successfully write to the same SQL databases

The issue persists across:

Multiple Azure SQL Servers (in West Europe and UK West)

  Multiple Azure SQL Databases
  
     AutoResolveIntegrationRuntime and dedicated Azure IRs
     
        Dev and Prod Data Factory environments

All copy activities fail during the pre-login handshake when using Azure IR. However, pipelines in Azure Synapse can write to the same Azure SQL Databases without issue.

This suggests a platform-level networking or TLS issue inside Azure Data Factory’s integration runtime infrastructure, affecting connectivity to Azure SQL Database.

Request: Please escalate this to the Azure Data Factory engineering team. We suspect a backend connectivity issue between Azure IR and the SQL Database gateway(s), potentially due to routing or TLS handshake failures.

We are available to provide logs, pipeline activity run IDs, or perform additional tests if needed.

Thank you.

1 answer

Your answer

Answer 1

J N S S Kasyap 3,625 Microsoft External Staff Moderator

Hi @Gerrit Van Even
You're facing a frustrating issue with Azure Data Factory (ADF) copy activities failing during the pre-login handshake phase while connecting to Azure SQL Database, even though connections from Azure Synapse pipelines succeed under the same conditions. This does strongly point toward an internal issue with the Azure Integration Runtime (IR) networking or TLS negotiation.

Here are some troubleshooting steps and considerations:

If you're using a VNet-Injected IR, double-check Network Security Groups (NSGs) and User-Defined Routes (UDRs). Ensure outbound access on port 1433 is open for Azure SQL and that Azure service tags like Sql, AzureCloud, and Storage are properly allowed.

Ensure your Azure IR is up-to-date. Though the default IR is managed by Microsoft, any custom IR should be regularly updated to avoid connectivity bugs.

Confirm that the SQL Database enforces a compatible TLS version (1.2 or above). ADF uses modern TLS standards, but any policy mismatches could cause pre-login handshake failures.

Use built-in retry policies in the ADF Copy activity to mitigate transient issues. However, if the issue persistent pre-login failures often indicate deeper infra problems.

I hope this helps! Let me know if you have any other questions or need further assistance.

Gerrit Van Even 0 Reputation points

2025-06-23T09:17:26.5333333+00:00
Thank you for your detailed response.

We’ve already gone through all the suggested checks and can confirm the following:

We are not using a VNet-injected IR. All tests were performed using either the AutoResolveIntegrationRuntime or dedicated Azure IRs, none of which are VNet-bound. Therefore, NSGs and UDRs do not apply in our scenario.

The IRs used are fully managed by Microsoft or freshly created dedicated IRs. There are no custom or legacy runtimes in use that would require manual updates.

The Azure SQL Databases we are targeting are newly created, use the default TLS 1.2+ policies enforced by Azure, and work successfully when accessed through:

SSMS (from a home/private network)

Synapse pipelines (in the same resource group and region as the affected ADF) This confirms TLS compatibility and connectivity from other Azure services. The failure is **not transient**. Retry logic does not help, as the copy activity **fails 100% of the time** with a consistent pre-login handshake timeout, regardless of: Region (West Europe, UK West) SQL Server (several tested) Azure IR type (AutoResolve or dedicated) Data Factory instance (Dev, Prod, new factory) Firewall rules (fully open)

Given all this, the issue still appears to point to a platform-level connectivity problem within Azure Data Factory’s Azure IR infrastructure, likely related to routing or TLS handshake failures between Azure IR and the SQL Database gateway.

Please advise on next steps or escalation.
J N S S Kasyap 3,625 Reputation points Microsoft External Staff Moderator

2025-06-25T12:59:09.8066667+00:00

@Gerrit Van Even
This issue appears isolated to Azure Data Factory using Azure IR. The pre-login handshake consistently fails, while the same connections succeed via Synapse pipelines.

This strongly suggests a platform-level networking or TLS handshake issue inside Azure Data Factory’s IR infrastructure, possibly in the route to Azure SQL Database gateways.
Thanks for bringing this to our attention. I’ll check with the internal team regarding this issue and get back to you with more clarity as soon as possible. Appreciate your patience in the meantime.

Share via

Azure Data Factory Copy Activity Fails – Azure IR Pre-login Handshake Timeout Across Regions

1 answer

Your answer