This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 97%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Hi team, I’m trying to create a managed private endpoint between our Synapse workspace and the De-identification service. However, I don’t see an Azure Health/De-identification resource option in Synapse’s managed private endpoints list. For security reasons, we must keep public access to the De-identification resource turned off. Because of this, we’re getting the error: “message”: “Access Denied: Private Link validation failed.” Could you please advise how to set this up using Private Link? Also, is there any official documentation we can share to confirm whether enabling public access on the De-identification resource is considered safe?
An Azure offering that provides a suite of purpose-built technologies for protected health information in the cloud.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 95%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Hello **Srikanth Ravipati
**It looks like Synapse’s built-in managed private endpoints list doesn’t currently include the Azure Health Data Services de-identification service, so you’ll need to set up a “standard” Private Endpoint for your de-identification resource and surface it to your Synapse virtual network. Here’s how you can do it:
Create a Private Endpoint on the De-identification service • In the Azure portal, navigate to your De-identification service → Networking → + Private endpoint. • Choose the same VNet (or Managed VNet) and subnet that your Synapse workspace (or your integration runtime) uses. • Finish provisioning.
Approve the connection • Still under your De-identification service → Networking → Private endpoint connections, you’ll see a “Pending” request. • Select it, click Approve, and confirm. The provisioning state should move to Approved.
Hook up DNS • When you created the endpoint you can integrate with a private DNS zone. Make sure you have a zone for: privatelink.azurehealthcareapis.com • Link that zone to your VNet so that <your-service>.privatelink.azurehealthcareapis.com resolves to the private IP.
Point Synapse at the private FQDN • In your Synapse Linked Service or notebook, use the private URL (e.g. https://.privatelink.azurehealthcareapis.com) instead of the public endpoint. • If you’re on a Managed VNet, ensure your Integration Runtime is in that VNet so that traffic flows through the Private Endpoint.
Once that’s done, public access on the De-identification service can remain Disabled (you’ll call it entirely over the Microsoft backbone via your Private Endpoint).
https://learn.microsoft.com/en-us/azure/healthcare-apis/deidentification/overview
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 77%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Hello **Srikanth Ravipati,We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hi Praveen, no resolution yet, was going through synapse managed private endpoint resource called Private Link Service. checking is there any possibility we can establish a link between synapse and De-id using that Private Link.
Hello **Srikanth Ravipati,
Azure Health Data Services – De‑identification service does not support integration with Azure Synapse Managed Private Endpoints. Because of this limitation, the De‑identification resource does not appear in Synapse’s managed private endpoint resource list, and Synapse cannot establish a managed private endpoint to the service.
The Private Link Service option in Synapse cannot be used as a workaround in this scenario. Private Link Service is intended for customer‑owned, load balancer–backed services and cannot be used to front or proxy Microsoft‑managed PaaS services such as the De‑identification service.
As a result, when public network access is disabled on the De‑identification resource, requests coming directly from Synapse will fail with “Access Denied: Private Link validation failed”, since Synapse has no supported private link surface to bind to.
For reference, the official documentation confirms Private Endpoint support for the De‑identification service in general, but does not indicate support for Synapse Managed Private Endpoints:
Hello **Srikanth Ravipati,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
I think the de‑id svc just has no private‑link surface… so synapse simply has nothing to bind to. u can only turn public access on and call it directly; if it still fails, just check for any deny rules in the network blade.