Create a private or service endpoint to event hub and Azure Storage

Important

Consider moving to an Azure Private Endpoint based solution for implementing network security with Azure Data Explorer. It is less error-prone and provides feature parity.

Azure Virtual Network (VNet) enables many types of Azure resources to securely communicate with each other. Azure Private Link enables you to access Azure services and Azure-hosted customer-owned/partner services over a Private Endpoint in your virtual network. A Private Endpoint assigns the Azure service an IP address from your virtual network’s address space, so that Azure Data Explorer connects securely to Azure services such as Azure Storage and event hub. Azure Data Explorer reaches the Private Endpoint of the storage accounts or event hubs over the Microsoft backbone, and all communication, for example, data export, external tables, and data ingestion, takes place over the private IP address.

In contrast to a Private Endpoint, a service endpoint does not give the service a private address: the Azure service keeps its publicly routable IP address, and the endpoint restricts which virtual networks may reach it. A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network.

This article shows you how to create a connection between Azure Data Explorer and event hub or Azure Storage.

Prerequisites

Private Endpoint

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network.

Allow access to Azure Storage Account from Azure Data Explorer Subnets using a Private Endpoint

For a tutorial on how to create a Private Endpoint in your Azure Storage account, see Tutorial: Connect to a storage account using an Azure Private Endpoint.

When following that tutorial, select the virtual network that contains the Azure Data Explorer subnet, and then select the Azure Data Explorer subnet itself.
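The portal tutorial linked above can also be done with Azure CLI. The following script is an added example and is not part of this article or of the linked tutorial: it creates a Private Endpoint for the blob service of a storage account inside the subnet that the Azure Data Explorer cluster uses, links the Private DNS zone so the storage account name resolves to the private IP, and then sets the account's default network action to Deny so the public path is closed. All resource names, the region and the subscription ID placeholder are assumptions; the script prints the commands it would run unless AZ_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original article): Private Endpoint from the
# Azure Data Explorer subnet to a storage account's blob service, via Azure CLI.
# Resource names below are assumed placeholders; replace them with your own.
set -eu

RG="${RG:-adx-net-rg}"                   # resource group (assumed)
LOCATION="${LOCATION:-westeurope}"       # region (assumed)
VNET="${VNET:-adx-vnet}"                 # virtual network of the cluster (assumed)
SUBNET="${SUBNET:-adx-subnet}"           # subnet the cluster is injected into (assumed)
STORAGE="${STORAGE:-adxingeststg}"       # target storage account (assumed)
PE_NAME="${PE_NAME:-${STORAGE}-blob-pe}" # name of the Private Endpoint (assumed)
ZONE="privatelink.blob.core.windows.net" # Private DNS zone used by blob Private Link

# Dry run by default: print each command instead of executing it.
# Set AZ_APPLY=1 to actually call az.
run() {
  if [ "${AZ_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Build the ARM resource ID of a storage account without calling Azure.
storage_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# A storage account exposes one Private Link subresource ("group id") per service;
# anything outside this list is rejected before any az call is made.
valid_storage_group_id() {
  case "$1" in blob|table|queue|file|web|dfs) return 0 ;; *) return 1 ;; esac
}

create_private_endpoint() {
  group_id="${1:-blob}"
  valid_storage_group_id "$group_id" || { echo "invalid group id: $group_id" >&2; return 1; }
  if [ "${AZ_APPLY:-0}" = "1" ]; then
    target_id="$(az storage account show --resource-group "$RG" --name "$STORAGE" --query id -o tsv)"
  else
    target_id="$(storage_resource_id '<subscription-id>' "$RG" "$STORAGE")"
  fi

  # 1. Private Endpoint NIC in the cluster's subnet, targeting the chosen subresource.
  run az network private-endpoint create \
    --resource-group "$RG" --name "$PE_NAME" --location "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$target_id" \
    --group-id "$group_id" --connection-name "${PE_NAME}-conn"

  # 2. Private DNS zone linked to the VNet, so the account FQDN resolves to the private IP.
  run az network private-dns zone create --resource-group "$RG" --name "$ZONE"
  run az network private-dns link vnet create --resource-group "$RG" \
    --zone-name "$ZONE" --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "$PE_NAME" --name default --private-dns-zone "$ZONE" --zone-name "$group_id"

  # 3. Close the public path: with default-action Deny, only approved Private
  #    Endpoints (and any explicit network rules) can reach the account.
  run az storage account update --resource-group "$RG" --name "$STORAGE" --default-action Deny
}

create_private_endpoint "${1:-blob}"
```

Step 3 is the part most often skipped: creating the Private Endpoint alone does not stop traffic arriving at the public endpoint, so the account stays reachable from the internet until the default action is set to Deny.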

Service Endpoint

A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Service endpoints let you restrict access to your critical Azure service resources to only your virtual networks.

Allow access to Azure Storage account from Azure Data Explorer subnets using a service endpoint

This section shows you how to use the Azure portal to add a virtual network service endpoint. To limit access to the Azure Storage account, add the Azure Data Explorer subnet as an allowed network on the account; once access is restricted to selected networks, traffic from any other network is denied.

Add a virtual network

  1. Navigate to the storage account you want to secure.

  2. In the left-hand menu, select Firewalls and virtual networks.

  3. Enable access from Selected networks.

  4. Under Virtual Networks, select + Add existing virtual network.

    (Screenshot: Add existing virtual network to connect Azure Storage to Azure Data Explorer.)

Add networks pane

(Screenshot: Add networks pane, adding a virtual network to the Azure Storage account to connect to Azure Data Explorer.)

  1. In the right-hand Add networks pane, select your Azure subscription.

  2. Select the virtual network from the list of virtual networks, and then pick the subnet.

    Note

    Enable the service endpoint before adding the virtual network to the list. If the service endpoint is not enabled, the portal will prompt you to enable it.

  3. Select Add.

Save and verify virtual network settings

  1. Select Save on the toolbar to save the settings.

    (Screenshot: VNet settings to connect the storage account to Azure Data Explorer.)

    Wait for a few minutes for confirmation to appear on the portal notifications.
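The same service endpoint procedure can be scripted with Azure CLI, which also makes it easy to verify the result rather than relying on the portal notification. The script below is an added example, not part of this article: it enables the Microsoft.Storage service endpoint on the subnet (the step the Note above says must come first), switches the account to selected networks by setting the default action to Deny, adds the subnet rule, and then checks a network rule set as returned by `az storage account show --query networkRuleSet -o json`. Resource names are assumptions, the JSON samples are constructed for the example rather than captured from a real account, and commands are printed instead of executed unless AZ_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original article): service endpoint from the
# Azure Data Explorer subnet to a storage account via Azure CLI, plus a check
# that the resulting network rule set really restricts the account.
set -eu

RG="${RG:-adx-net-rg}"             # resource group (assumed)
VNET="${VNET:-adx-vnet}"           # virtual network of the cluster (assumed)
SUBNET="${SUBNET:-adx-subnet}"     # subnet the cluster is injected into (assumed)
STORAGE="${STORAGE:-adxingeststg}" # storage account to secure (assumed)

# Dry run by default: print each command instead of executing it. AZ_APPLY=1 runs them.
run() {
  if [ "${AZ_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

add_service_endpoint_rule() {
  # "Enable the service endpoint before adding the virtual network": the subnet
  # must carry the Microsoft.Storage service endpoint, or the rule cannot be added.
  run az network vnet subnet update --resource-group "$RG" \
    --vnet-name "$VNET" --name "$SUBNET" --service-endpoints Microsoft.Storage

  # "Enable access from Selected networks" then "Add existing virtual network":
  # deny by default, then allow only the cluster's subnet.
  run az storage account update --resource-group "$RG" --name "$STORAGE" --default-action Deny
  run az storage account network-rule add --resource-group "$RG" \
    --account-name "$STORAGE" --vnet-name "$VNET" --subnet "$SUBNET"
}

# Verify a network rule set JSON (as printed by
# `az storage account show --query networkRuleSet -o json`) is locked down:
# the default action must be Deny, and the rule for our subnet must exist and
# have finished provisioning ("state": "Succeeded"). Returns 0 if so, else 1.
check_rule_set() {
  rules="$1"; subnet_id="$2"
  printf '%s' "$rules" | grep -q '"defaultAction": *"Deny"' || return 1
  # Split the JSON into its innermost {...} objects (one per rule), keep the one
  # naming our subnet, and require it to be in state Succeeded.
  printf '%s' "$rules" | tr -d '\n' | grep -o '{[^{}]*}' \
    | grep -F "\"$subnet_id\"" | grep -q '"state": *"Succeeded"' || return 1
}

# Constructed sample data (not captured from a real account). Subscription ID is a placeholder.
SAMPLE_SUBNET_ID='/subscriptions/<subscription-id>/resourceGroups/adx-net-rg/providers/Microsoft.Network/virtualNetworks/adx-vnet/subnets/adx-subnet'
RULE_TEMPLATE='{"bypass": "AzureServices", "defaultAction": "%s", "ipRules": [], "virtualNetworkRules": [{"action": "Allow", "state": "%s", "virtualNetworkResourceId": "%s"}]}'
# After the steps above have completed: locked down.
LOCKED_RULES=$(printf "$RULE_TEMPLATE" Deny Succeeded "$SAMPLE_SUBNET_ID")
# Rule added, but "Selected networks" never applied: still open to the public internet.
OPEN_RULES=$(printf "$RULE_TEMPLATE" Allow Succeeded "$SAMPLE_SUBNET_ID")
# Rule still provisioning: the portal's "wait a few minutes" has not elapsed yet.
PENDING_RULES=$(printf "$RULE_TEMPLATE" Deny Provisioning "$SAMPLE_SUBNET_ID")

add_service_endpoint_rule
if check_rule_set "$LOCKED_RULES" "$SAMPLE_SUBNET_ID"; then
  echo "sample rule set: locked down to $SUBNET"
fi
```

The check distinguishes the three states a practitioner actually meets: the rule is present and the account is closed, the rule is present but the account still answers the public internet because the default action was left at Allow, and the rule exists but is still provisioning, which is why the portal asks you to wait for the confirmation notification before trusting the configuration.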