Managing private endpoints with "portal" subresource and multiple Data Factory deployments.

LukeCloudWalker-6128 36 Reputation points
2022-06-02T08:17:33.327+00:00

Hi everyone,

We have several data factories across many subscriptions (data sensitivity isolation, different environments, etc.).
Basically, if a managed service is compatible with Private Link Service, we use it, as our Azure environment is completely private.

The particular thing with Data Factory is that we have to create endpoints for the following subresource names:

  • portal
  • datafactory

Regarding DNS configuration:
For "datafactory", no problem, the name of the associated record is unique.
For "portal", however, we find ourselves sharing a record "portal.privatelink.adf.azure.com" with one of the private endpoint IPs from one of the environments.

The problem is, when we delete a private endpoint, the dnsZoneGroup triggers the deletion of the A record, though there are other data factory environments needing this record.

To stop PE creation/deletion from interfering with the record, I was thinking about creating a "shared" private endpoint in order to reach adf.azure.com via Private Endpoint/PLS.

The problem is that I still need a resource behind the private endpoint, and that would be one of the data factory environments deployed, but this environment could also be deleted, so the problem persists.

Anybody faced that hiccup?

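An added illustration of the split the question describes, not code from the thread or from Microsoft: the per-factory "dataFactory" record can safely be left to a zone group, while the shared "portal" record is kept out of every endpoint's zone group and declared once as an ordinary A record whose lifecycle no endpoint deletion touches. Parameter names, endpoint names and the file split are assumptions; which environment's portal endpoint IP the shared record should point at is the design choice the thread leaves open.

```bicep
// ---- environment.bicep: deployed per Data Factory environment (may be torn down) ----
param location string = resourceGroup().location
param factoryId string   // resource id of this environment's Data Factory
param subnetId string    // private endpoint subnet in this environment's VNet
resource dfZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = { name: 'privatelink.datafactory.azure.net' }

// 'dataFactory' subresource: the record name is unique per factory, so letting a zone
// group create and delete it together with the endpoint is harmless.
resource pepDf 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pep-adf-datafactory'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [ {
      name: 'datafactory'
      properties: { privateLinkServiceId: factoryId, groupIds: [ 'dataFactory' ] }
    } ]
  }
}
resource pepDfZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pepDf
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'df', properties: { privateDnsZoneId: dfZone.id } } ] }
}

// 'portal' subresource: every factory maps to the SAME record, portal.privatelink.adf.azure.com.
// A zone group here would delete that shared record when this endpoint is removed, cutting
// off every other environment (the failure in the question). So: no zone group here.
resource pepPortal 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pep-adf-portal'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [ {
      name: 'portal'
      properties: { privateLinkServiceId: factoryId, groupIds: [ 'portal' ] }
    } ]
  }
}
output portalEndpointIp string = pepPortal.properties.customDnsConfigs[0].ipAddresses[0]

// ---- shared-dns.bicep: deployed once, from the hub/shared subscription that outlives the
// ---- environments; an ordinary DNS record that no private endpoint deletion touches ----
param portalIp string   // portalEndpointIp from whichever environment is designated long-lived
resource portalZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = { name: 'privatelink.adf.azure.com' }
resource portalRecord 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  parent: portalZone
  name: 'portal'
  properties: { ttl: 10, aRecords: [ { ipv4Address: portalIp } ] }
}
```

Removing a zone group from an endpoint that already has one deletes the records it manages, so re-create the shared record from shared-dns.bicep in the same change window.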

4 answers

  1. AirHard 5 Reputation points
    2023-07-04T13:25:21.57+00:00

    Hello @MartinJaffer-MSFT!
    Are there any news on this issue fix?
    Today I fell over this (in my opinion) still remaining problem whilst deleting a private endpoint of a non-prod ADF instance.
    Absolutely all ADF instances in our tenant couldn't be accessed after the deletion, due to the fact that
    the DNS entry "portal.privatelink.adf.azure.com" gets automatically deleted by the Azure Resource Manager on deletion of any of our ADF private endpoints, though other ADF instances still exist and need this entry.
    Fun fact: the DNS entry in this case didn't even point to the IP of the ADF PEP being deleted; it pointed to another ADF PEP still needed.
    To make it short: to me this problem still exists.

    I would be really happy if you could give an update on this!
    Kind regards!

    1 person found this answer helpful.

  2. MartinJaffer-MSFT 26,026 Reputation points
    2022-06-15T19:57:20.413+00:00

    I heard back from the product group.

    This is a known issue, and there is a fix planned. However I am not at liberty to say when the fix will be rolled out, other than it is not soon.


  3. LukeCloudWalker-6128 36 Reputation points
    2022-11-22T09:14:41.71+00:00

    Hello guys,
    Thanks @MartinJaffer-MSFT .

    I'm considering a second option: delete the private endpoint and related DNS forwarding for the zone privatelink.adf.azure.com, so this portal access would go via the Internet.

    https://learn.microsoft.com/en-us/azure/data-factory/data-factory-private-link#secure-communication-between-customer-networks-and-data-factory

    adf.azure.com 443 The Data Factory portal is required by Data Factory authoring and monitoring.

    Not sure I fully understand what "authoring" means.

    Can we safely state that adf.azure.com only serves portal access to the data factory workspace via a browser user session, and only for that purpose?


  4. Eric Ehret 0 Reputation points
    2024-04-12T19:48:01.18+00:00

    We're running into strange issues with ADF portal private endpoints as well, to the point where we are considering removing them.

    We have seen an issue recently where, when there are multiple ADFs with their own ADF Portal private endpoint, one works and the other does not, even though the private DNS zone content and networking rules are all confirmed to be correct. Not sure what's going on there, it's perplexing...
