Use private endpoints for your Microsoft Purview account

This article describes how to configure private endpoints for Microsoft Purview.

Conceptual Overview

You can use Azure private endpoints for your Microsoft Purview accounts to allow users on a virtual network (VNet) to securely access the catalog over a Private Link. A private endpoint uses an IP address from the VNet address space for your Microsoft Purview account. Network traffic between the clients on the VNet and the Microsoft Purview account traverses over the VNet and a private link on the Microsoft backbone network.

You can deploy Microsoft Purview account private endpoint, to allow only client calls to Microsoft Purview that originate from within the private network.

To connect to the Microsoft Purview governance portal using a private network connectivity, you can deploy portal private endpoint.

You can deploy ingestion private endpoints if you need to scan Azure IaaS and PaaS data sources inside Azure virtual networks and on-premises data sources through a private connection. This method ensures network isolation for your metadata flowing from the data sources to Microsoft Purview Data Map.

Screenshot that shows Microsoft Purview with Private Endpoints.


Before deploying private endpoints for Microsoft Purview account, ensure you meet the following prerequisites:

  1. An Azure account with an active subscription. Create an account for free.
  2. An existing Azure Virtual network. Deploy a new Azure virtual network if you do not have one.

Microsoft Purview private endpoint deployment scenarios

Use the following recommended checklist to perform deployment of Microsoft Purview account with private endpoints:

Scenario Objectives
Scenario 1 - Connect to your Microsoft Purview and scan data sources privately and securely You need to restrict access to your Microsoft Purview account only via a private endpoint, including access to the Microsoft Purview governance portal, Atlas APIs and scan data sources in on-premises and Azure (but inside a virtual network) using self-hosted integration runtime ensuring end to end network isolation. (Deploy account, portal and ingestion private endpoints.)
Scenario 2 - Connect privately and securely to your Microsoft Purview account You need to enable access to your Microsoft Purview account, including access to the Microsoft Purview governance portal and Atlas API through private endpoints. (Deploy account and portal private endpoints).
Scenario 3 - Scan data source securely using Managed Virtual Network You need to scan Azure data sources securely, without having to manage a virtual network or a self-hosted integration runtime VM. (Deploy managed private endpoint for Microsoft Purview, managed storage account and Azure data sources).

Frequently Asked Questions

For FAQs related to private endpoint deployments in Microsoft Purview, see FAQ about Microsoft Purview private endpoints.

Troubleshooting guide

For troubleshooting private endpoint configuration for Microsoft Purview accounts, see Troubleshooting private endpoint configuration for Microsoft Purview accounts.

Known limitations

To view list of current limitations related to Microsoft Purview private endpoints, see Microsoft Purview private endpoints known limitations.

Next steps