Managed private endpoints in Microsoft Graph Data Connect
This article describes how to enable the Azure V-net Integration Runtime (IR) to manage private endpoints in Microsoft Graph Data Connect (Data Connect). We recommend that customers use Azure Synapse workspaces to enable the Azure V-net IR in mapping data flows. Azure Data Factory (Data Factory) is also compatible with the Azure V-net IR.
With the Azure V-net IR, customers no longer need to add public IP addresses to an allow list, and they can close their destination storage accounts to the public network and instead set up data extraction over a private virtual network. This helps ensure that data extraction from Data Connect to the customer's storage account is more secure.
Managed private endpoints are only supported in Mapping Data Flows (MDF) within your Azure Synapse or Azure Data Factory (ADF) workspaces. Existing Azure Synapse or ADF workspaces that use the copy activity still require you to add IP addresses to an allow list to permit access from selected protected networks.
Enable Azure V-net IR for Azure Synapse
Use the following steps to enable Azure V-net Integration Runtime (IR) to manage private endpoints within MDF in Data Connect:
1. Create a Synapse (or ADF) workspace, and then sign in to the Azure portal to configure an existing storage account. Our example below demonstrates this capability in Synapse. On the Networking tab, next to Managed virtual network, select Enable.
2. Open the Synapse workspace. Go to Manage > Managed private endpoints.
3. If you added a storage option when creating your Synapse workspace, the managed private endpoint connection to storage is already created in a Pending approval state. If you're using existing storage, create a managed private endpoint:
   - Select New, choose the storage type, then choose Continue.
   - Provide the connection name and description, specify the storage account, then choose Create.
   - Note that the initial state is Provisioning while a private IP address is allocated from within the Managed Virtual Network.
   - After the endpoint is successfully provisioned, the approval state is Pending. Continue to Step 4, and use the name you created rather than the name generated in step 3.
4. Approve the managed private endpoint from the storage account.
   - Go to Storage account > Networking > Private endpoint connections to view the private endpoint request in a pending state.
   - Select the connection, then choose Approve.
   - Provide a description when prompted, and verify that the connection state has changed to Approved.
5. In the storage account Networking blade, go to Firewalls and virtual networks. Under Public network access, select Enabled from selected virtual networks and IP addresses, and configure the network firewall according to your preference. Uncheck Allow Azure services on the trusted services list to access this storage account.
6. Return to the previous Synapse workspace, and wait for the managed private endpoint to switch to Approved. The managed private endpoint shows as successfully created and linked to the desired storage account from Synapse Analytics.
7. Verify that the available integration runtime is configured to Managed Virtual Network (configured by default).
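The approval, firewall and verification steps above, scripted with the Azure CLI as an added example that is not part of the article. The resource group and storage account names are placeholders, and the script assumes the Azure CLI and python3 are installed and that you are already signed in to the subscription.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): approve the pending Synapse managed private
# endpoint on the destination storage account, restrict the account to selected networks
# with the trusted-services exception removed, and verify. RG/STORAGE are placeholders.
set -euo pipefail
RG="${RG:-rg-dataconnect-example}"        # assumed resource group
STORAGE="${STORAGE:-stdataconnectexample}" # assumed destination storage account

# Private endpoint connections on the account still awaiting approval (the state
# Synapse leaves them in once the private IP has been provisioned).
pending_connections() {
  az network private-endpoint-connection list \
    --id "$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)" \
    --query "[?properties.privateLinkServiceConnectionState.status=='Pending'].name" -o tsv
}

# Approve one connection by name; Synapse then shows the endpoint as Approved.
approve_connection() {
  az storage account private-endpoint-connection approve -g "$RG" \
    --account-name "$STORAGE" --name "$1" --description "Data Connect MDF" >/dev/null
}

# Selected networks only, no "trusted Azure services" exception. Caveat: --bypass None
# also clears the Logging and Metrics exceptions, which the portal checkbox leaves alone.
lock_down_storage() {
  az storage account update -g "$RG" -n "$STORAGE" \
    --public-network-access Enabled --default-action Deny --bypass None >/dev/null
}

# Offline check of `az storage account show` JSON on stdin: exit 0 only when the
# account matches the locked-down configuration the article describes.
check_network_rules() {
  python3 -c '
import json, sys
acct = json.load(sys.stdin)
rules = acct.get("networkRuleSet") or {}
ok = (acct.get("publicNetworkAccess") == "Enabled"
      and rules.get("defaultAction") == "Deny"
      and rules.get("bypass") == "None")
sys.exit(0 if ok else 1)'
}

main() {
  for conn in $(pending_connections); do approve_connection "$conn"; done
  lock_down_storage
  az storage account show -g "$RG" -n "$STORAGE" -o json | check_network_rules
}
# Only contacts Azure when invoked as: ./lockdown.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Running the script without the `run` argument only defines the functions, so `check_network_rules` can be fed saved `az storage account show` output to audit an account without changing anything.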
After these steps, the V-net IR in MDF should be enabled within your Synapse (or ADF) workspace. Please reach out to the Data Connect team for any questions!