Azure synapse studio private endpoint configuration

Mohammed Thahif BK 341

Hello,

We have multiple synapse workspaces, one for each environment (prod, preprod,dev and test). We have created pvt dns zones on Azure one for each sub resources.

privatelink.azuresynapse.net - pvt link hubs
privatelink.sql.azuresynapse.net - sql/sqlondemand
privatelink.dev.azuresynapse.net - dev

However, the fqdn for azure pvt link hub remains same for all the 4 workspaces and I don't think we can add multiple IP addresses to the same A record.

can someone help us, what's the best practices when we have multiple workspaces? how to handle DNS resolution for synapse studio?

Regards
Thahif

KapilAnanth-MSFT 36,396 Reputation points Microsoft Employee

2022-08-29T05:33:41.48+00:00
Hi @Mohammed Thahif BK ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to understand the best-practises with Azure Synapse workspace with Private Link.

I see you have four environments. (prod, preprod, dev and test)

I take it that you are using a specific set of DNS Private Zones for each Environment.

Now,

You can use the same Zone across environments if all the environments have an identical network architecture. i.e, same IP mapped to same resource

However, incase the network architecture should be different, you will be required to create DNS Zones per environment only.

Please do let us know if my understanding is incorrect or you need more information.

Cheers,
Kapil

Accepted answer

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-08-28T14:34:55.473+00:00

Hi @Mohammed Thahif BK

For Synapse private link hub, create single private endpoint in your hub Vnet that is peered with spoke Synapse Vnets. Private link hubs are intended for loading the static content of Synapse Studio over private links and will connect to respective Synapse resources like SQL/serverless SQL private endpoints.
So, there should be a single private dns zone (privatelink .azuresynapse.net)in hub Vnet for private link hub.
Please sign in to rate this answer.
Mohammed Thahif BK 341 Reputation points

2022-08-30T12:45:53.63+00:00

@Vidya Narasimhan - what if we have 4 synapse workspace , do I need to create 4 different pvt link hubs or only 1 in the hub?
if its only 1 in the hub, how pvt endpoints for other synapse studio is going to work?

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-08-30T13:24:24.77+00:00

You just need 1 private link hub in the Hub Vnet. All the Synapse Vnets need to be peered with this Vnet. The central private link hub will load the static studio site and connect to the respective Synapse workspace private endpoints.

Mohammed Thahif BK 341 Reputation points

2022-08-30T14:02:20.173+00:00

ok thanks @Vidya Narasimhan . I guess we need to create 4 pvt link hubs? one for each workspace?

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-08-30T15:18:32.057+00:00

No. Azure Synapse Private link hub will be single resource across all Synapse workspaces in a tenant

Mohammed Thahif BK 341 Reputation points

2022-08-31T09:12:01.45+00:00

ok thanks @Vidya Narasimhan , we can try that. However, I am not sure, when we integrate this one with pvt DNS zone what will be its A records? is it going to have same A record with multiple IP addresses? if not, how?

Regards
Thahif

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-09-01T16:29:10.66+00:00

@Mohammed Thahif BK , please go through this link https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-private-link-hubs#azure-private-links-hubs-and-azure-synapse-studio .
As mentioned in the link, you can use a single Azure Synapse private link hub resource to privately connect to all your Azure Synapse Analytics workspaces using Azure Synapse Studio.
The private dns zone and private endpoint of Synapse private link hub can be created in hub vnet. It will contain A record pointing to the private link hub endpoint that is used to load Static website of Synapse Studio. The Synapse Studio in turn connects to the respective Synapse workspace(SQL, on demand SQL, dev ) private endpoints created in the spoke vnets. While the Synapse workspace private endpoints(SQL, on demand SQL, dev ) are created in spoke vnets, their private dns zone can be created centrally in hub vnet and will have multiple A records mapping to different workspaces.

Mohammed Thahif BK 341 Reputation points

2022-09-02T10:19:33.57+00:00

The problem is the last statement.pvtlink DNS zone can have multiple A records per workspace.
The FQDN for pvt linkhub is same for all the 4 synapse workspace i.e web.azuresynapse.net

How can it have 4 different IP address assigned to the same FQDN ?

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-09-02T10:36:18.7+00:00

Privatelinkhub will not have 4 A records unlike other Synapse private endpoints. It will have IP address of single private endpoint created in hub Vnet.

Mohammed Thahif BK 341 Reputation points

2022-09-07T09:31:35.757+00:00

@Vidya Narasimhan , its partially working. Now resolution from onprem servers are failing as Azure domain controller is not able forward to Azure wire IP address -168.63.129.16.

We have setup conditional fwders at onprem DC and server level forwarder to Azure wire ip. However Azure DC not forwarding to wireIP, getting below error in event log.

DNS server encountered a packet addressed to itself on IP address

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-09-07T15:38:43.2+00:00

Hi Mohammed,

The issue seems to be with your DNS forwarder configuration. Seems like you are setting up first time. This document provides common reason for the error you have specified. Please check https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-server-logs-event-7062

KapilAnanth-MSFT 36,396 Reputation points Microsoft Employee

2022-09-09T13:36:43.64+00:00

Hi @Mohammed Thahif BK ,

Just checking in to see if this answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

And, if you have any further query do let us know.

Thanks,
Kapil

Mohammed Thahif BK 341 Reputation points

2022-09-16T05:30:36.257+00:00

@Vidya Narasimhan - thanks much for your help. We were able to make this work. Not sure what was the issue with our Azure domain controller fwding to Azure DNS, we setup a separate DNS fwder on Azure to talk to Azure DNS. that worked.

The only other problem we have is, though public access on all the workspaces are disabled, people from public network are able to view the workspace, view different tables and its contents. is that normal?
By making it private, shouldnt it just show anything? or is that how it is??

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-09-20T14:49:34.27+00:00

Sorry for the delay in reply. You can disable the public access to Synapse Studio through networking options.

Chamith Perera 0 Reputation points

2024-02-15T13:50:38.4366667+00:00

Hi @Vidya Narasimhan @Mohammed Thahif BK

Thanks for this thread and I found the article as well as the comments of my common interest. I am also having the challenge in accessing 4 different Azure Synapse Studio via a single Azure Synapse Private Link Hub created in the hub network.
The activities I have performed are as follows.

Created Azure Synapse Private Link Hub in Hub Subscription.

Crated pvt endpoint for Azure Synapse Private Link Hub and join with the private dns zone ( privatelink.azuresynapse.net ) in the hub subscription.

I have two Azure Synapse Studios created in two other subscriptions ( Dev & Prod ). The vNets in the ' Dev and Prod ' subscriptions are peered with Hub vNet.

I have created private endpoint for the Azure Synapse Studio in Dev subscription. In the wizard I pointed the synpase private link hub created in the Hub ( Shown below )

then link to the private DNS zone ( privatelink.azuresynapse.net ) in the hub subscription. As shown below

**Question ***** I have noticed the A record related to the Synapse Private Link Hub recorded which previously created in the 'privatelink.azuresynapse.net' got replaced with the Synapse Studio private endpoint created in the Dev environment. Is this the normal behaviour or am I doing something stupid here ?

Infact when you do the same steps to link synapse studio in the prod environment with synapse private link hub , you will notice the DNS record will again replace with Prod Synapse Private Endpoint.

Appreciate your clarification in this situation.

Many Thanks / CP
Sign in to comment

1 additional answer

msrini-MSFT 9,261 Reputation points Microsoft Employee

2022-08-25T14:55:27.86+00:00

Hi,

You will need to create separate Private DNS Zones of the below, in each of your environment.

privatelink.azuresynapse.net - pvt link hubs
privatelink.sql.azuresynapse.net - sql/sqlondemand
privatelink.dev.azuresynapse.net - dev

Then link your DNS Zones to the respective VNET environments.

Let me know if you have any issues.

Regards,
Karthik Srinivas
Please sign in to rate this answer.
Mohammed Thahif BK 341 Reputation points

2022-08-25T15:08:57.933+00:00

Hello @msrini-MSFT - Thanks for the reply.
We have a hub n spoke topology. Will it work if I maintain the dns zones for the sql/sqlondemand and dev in central hub subscription and link all the 4 spoke vnets to that?

And only for synapse studio using pvt link hubs , we will create dns zones in respective subscription and link it with hub and its own vnet.

will this work? I am only trying to reduce multiple DNS zones.

Regards
Thahif

msrini-MSFT 9,261 Reputation points Microsoft Employee

2022-08-26T04:23:18.243+00:00

This is one of such service where you will need multiple DNS Zones. If you have different A record created for each SQL and dev endpoint, then you can reuse the same Private DNS Zone. If not, you can create separate Private DNS Zone and link it to the respective VNETs.

Mohammed Thahif BK 341 Reputation points

2022-08-30T12:47:35.313+00:00

@msrini-MSFT - We have implemented as said above. we have conditional fwders from onprem, we have added server level fwder to wire IP. However from onprem and also on Azure not able to resolve web.azuresynapse.net

not able to figure out where is the issue.
Sign in to comment

Share via

Azure synapse studio private endpoint configuration

1 additional answer