
Cross-tenant connections using workspace-level private links

Workspace-level private links can be used to establish secure connections between workspaces in different Azure tenants, allowing for controlled data sharing and collaboration while maintaining strict security boundaries. To establish a connection from one tenant to a Fabric workspace in another tenant, you first create a Private Link service in the same tenant as your Fabric workspace. Then, in the tenant that requires access, you create a private endpoint that connects to the Fabric workspace using the established Private Link service. The following diagram illustrates this setup.

Diagram showing a private endpoint in Tenant 1 that connects to the private link service for the Fabric workspace in Tenant 2.

In this diagram:

  • Tenant 1 is the tenant that requires access. In this tenant, you create a virtual network, a virtual machine, and a private endpoint that is used to connect to the workspace in Tenant 2. Then you configure DNS to ensure proper name resolution.
  • Tenant 2 contains the Fabric workspace that Tenant 1 needs to access. In Tenant 2, you create the Private Link service for the workspace.

Note

  • The Microsoft.Fabric resource provider must be registered in the subscriptions of both tenants before cross-tenant communication can be established.

Step 1: Create a workspace in Fabric

In Tenant 2, create a workspace in Fabric. Make sure the workspace is assigned to a Fabric capacity. You can check assignment by going to the workspace settings and selecting Workspace type, as described in Step 1 of Reassign a workspace to a different capacity.

Step 2: Create the Private Link service in Azure

In Tenant 2, follow these steps to create the Private Link service for the new workspace. When it's created, copy the Private Link service resource ID; you need it in Step 5: Create a private endpoint.

  1. Sign in to the Azure portal.

  2. From the Azure portal search bar, search for deploy a custom template and then select it in the search results.

  3. On the Custom deployment page, select Build your own template in the editor.

  4. In the editor, create a Fabric resource using the following ARM template, where:

    • <resource-name> is the name you choose for the Fabric resource.
    • <tenant-id> is the Microsoft Entra tenant ID of Tenant 2, the tenant that holds the workspace. See How to find your Microsoft Entra tenant ID.
    • <workspace-id> is the ID for the workspace. You can find the workspace ID in the workspace URL, after the /groups/ segment.
    {
      "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "resources": [
        {
          "type": "Microsoft.Fabric/privateLinkServicesForFabric",
          "apiVersion": "2024-06-01",
          "name": "<resource-name>",
          "location": "global",
          "properties": {
            "tenantId": "<tenant-id>",
            "workspaceId": "<workspace-id>"
          }
        }
      ]
    }
    

After the deployment completes, you can find details about the Private Link service, including its resource ID, in the deployment's JSON view.

You can also find the private link service resource in the resource group, but you need to select Show hidden resources.
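The following Python helpers are an added example, not code from the article or from Microsoft. They fill the article's template from a workspace URL and a tenant ID after validating that both values are GUIDs, and they check that the resource ID you copy after deployment has the standard ARM form for the Microsoft.Fabric/privateLinkServicesForFabric type, so a truncated or wrong-type ID is caught before you paste it into the private endpoint in Step 5. The sample URL and GUIDs are constructed.

```python
"""Prepare and check the Tenant 2 Private Link service deployment.

Added example, not code from the original article. The /groups/<workspace-id>/
URL layout and the template body come from the article; the resource ID pattern
is the standard ARM form for the resource type the template declares.
"""
import json
import re
from typing import Dict
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
RESOURCE_TYPE = "Microsoft.Fabric/privateLinkServicesForFabric"
API_VERSION = "2024-06-01"


def require_guid(value: str, label: str) -> str:
    """Normalize a GUID to lowercase and reject anything that isn't one."""
    value = value.strip().lower()
    if not GUID_RE.match(value):
        raise ValueError(f"{label} must be a GUID, got {value!r}")
    return value


def workspace_id_from_url(url: str) -> str:
    """Extract the workspace ID from a Fabric workspace URL (the segment after /groups/)."""
    parts = urlparse(url).path.split("/")
    if "groups" not in parts or parts.index("groups") + 1 >= len(parts):
        raise ValueError("URL does not contain a /groups/<workspace-id>/ segment")
    return require_guid(parts[parts.index("groups") + 1], "workspace ID")


def build_private_link_template(resource_name: str, tenant_id: str, workspace_id: str) -> Dict:
    """Return the article's ARM template with the placeholders filled in and validated."""
    return {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "resources": [
            {
                "type": RESOURCE_TYPE,
                "apiVersion": API_VERSION,
                "name": resource_name,
                "location": "global",
                "properties": {
                    "tenantId": require_guid(tenant_id, "tenant ID"),
                    "workspaceId": require_guid(workspace_id, "workspace ID"),
                },
            }
        ],
    }


# Standard ARM resource ID shape for the type declared in the template.
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Fabric/privateLinkServicesForFabric/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def check_private_link_service_id(resource_id: str, expected_name: str) -> bool:
    """True if the ID is a well-formed Private Link service ID that names our resource.

    Run this on the value copied from the Tenant 2 deployment before pasting it
    into the Tenant 1 private endpoint; a truncated ID or an ID of some other
    resource type fails here instead of at the portal.
    """
    m = RESOURCE_ID_RE.match(resource_id.strip())
    return m is not None and m.group("name") == expected_name


if __name__ == "__main__":
    # Constructed sample values; replace with your own tenant ID and workspace URL.
    url = "https://app.fabric.microsoft.com/groups/11111111-2222-3333-4444-555555555555/list"
    tpl = build_private_link_template(
        "fabric-pls-sample", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", workspace_id_from_url(url)
    )
    print(json.dumps(tpl, indent=2))
```

Paste the printed JSON into the custom template editor in place of the article's template; the only difference is that the placeholders are already filled in.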

Step 3: Create a virtual network

In Tenant 1, follow these steps to create a virtual network.

  1. Sign in to the Azure portal.

  2. In the search box, enter Virtual networks and select it in the search results.

  3. On the Virtual networks page, select + Create.

  4. On the Basics tab of Create virtual network, enter or select the following information:

    • Subscription: Select your subscription.
    • Resource group: Select an existing resource group in Tenant 1 or create a new one, such as test-PL. Resource groups are scoped to a subscription, so the Tenant 2 resource group that holds the Private Link service can't be used here.
    • Name: Enter a name for your virtual network, such as vnet-1.
    • Region: Select the region where you'll initiate the connection to Fabric.

    Screenshot of the Basics tab in Create a virtual network.

  5. Select Next to proceed to the Security tab. You can keep the default settings or modify them according to your organization's requirements.

  6. Select Next to proceed to the IP Addresses tab. You can keep the default settings or modify them according to your organization's requirements.

    Screenshot of the IP Addresses tab in Create a virtual network.

  7. Select Save.

  8. Select Review + create at the bottom of the screen. When validation passes, select Create.

Step 4: Create a virtual machine

In Tenant 1, follow these steps to create a virtual machine.

  1. Sign in to the Azure portal.

  2. Go to Create a resource > Compute > Virtual machines.

  3. On the Basics tab, enter or select the following information:

    • Subscription: Select your Azure subscription.
    • Resource group: Select the resource group you used in Step 3 for the virtual network.
    • Virtual machine name: Enter a name for the new virtual machine. Select the info bubble next to the field name to see important information about virtual machine names.
    • Region: Select the same region you used when creating the virtual network.
    • Availability options: For testing, choose No infrastructure redundancy required.
    • Security type: Leave the default.
    • Image: Select the image you want, for example Windows Server 2022.
    • VM architecture: Leave the default of x64.
    • Size: Select a size.
    • Username: Enter a username of your choosing.
    • Password: Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    • Confirm password: Reenter the password.
    • Public inbound ports: Choose None. The VM doesn't need a public IP address or any open inbound ports; you connect to it through Azure Bastion in Step 8.

    Screenshot of the create VM Basics tab.

  4. Select Next: Disks.

  5. On the Disks tab, leave the defaults and select Next: Networking.

  6. On the Networking tab, select the following information:

    • Virtual network: Select the virtual network you created earlier for this deployment.
    • Subnet: Select the default subnet (for example, 10.0.0.0/24) that was created as part of the virtual network setup.

    For the rest of the fields, leave the defaults.

    Screenshot of create VM Networking tab.

  7. Select Review + create. You're taken to the Review + create page where Azure validates your configuration.

  8. When you see the Validation passed message, select Create.

Step 5: Create a private endpoint

In Tenant 1, create a private endpoint in the virtual network you set up in Step 3, and point it at the Private Link service you created in Step 2. Because the Private Link service lives in a different tenant, you connect to it by resource ID rather than by browsing for the resource.

  1. Sign in to the Azure portal.

  2. From the Azure portal search bar, search for Private endpoints and select it in the search results.

  3. On the Network Foundation | Private endpoints page, select Private endpoints, and then select + Create.

  4. On the Basics tab of Create a private endpoint, enter or select the following information:

    • Subscription: Select your Azure subscription.
    • Resource group: Select the resource group you used in Step 3 for the virtual network.
    • Name: Enter a unique name.
    • Network interface name: Enter a unique name.
    • Region: Select the region of the virtual network you created earlier.
  5. Select Next: Resource. On the Resource tab, enter or select the following information:

    • Connection method: Select Connect to an Azure resource by resource ID or alias.
    • Resource ID or alias: Paste the Private Link service resource ID you copied in Step 2.
    • Target sub-resource: Select workspace.

    Screenshot showing the Create a private endpoint page with the option Connect to an Azure resource by resource ID or alias selected.

  6. Select Next: Virtual Network. On the Virtual Network tab, enter or select the following information:

    • Virtual network: Select the virtual network you created earlier (for example, vnet-1).
    • Subnet: Select the subnet you created earlier (for example, default).
  7. Select Next until the Review + create page appears, and then select Create.

Step 6: Approve the connection

In Tenant 2, the owner of the Private Link service for the workspace must approve the pending private endpoint connection request. In the Azure portal, open the Private Link service under Network Foundation and approve the connection that came from Tenant 1. Until it's approved, the connection stays in the Pending state and no traffic flows.

Screenshot showing the network connections pending approval.

Step 7: Configure DNS

In Tenant 1, configure DNS to resolve the Fabric workspace fully qualified domain name (FQDN) to the private endpoint IP address.

Note

Make sure the connection is approved as described in the previous step before proceeding.

  1. Sign in to the Azure portal.

  2. From the Azure portal search bar, search for Private endpoints and select it in the search results.

  3. On the Network Foundation | Private endpoints page, select Private endpoints, and then select the private endpoint.

  4. Select the DNS configuration tab. Note the DNS records that are required for the private endpoint.

    Screenshot showing the DNS configuration for the private endpoint.

  5. Create a private DNS zone named privatelink.fabric.microsoft.com, and link it to the virtual network you created in Step 3. A private DNS zone answers queries only from virtual networks that have a virtual network link to it; without the link, the VM keeps resolving the public address.

  6. In this private DNS zone, create the records that were listed in the previous step on the private endpoint DNS configuration page. For example, add an A record set for the workspace API FQDN that points to the private endpoint's IP address.

Step 8: Connect to the virtual machine

Azure Bastion protects your virtual machines by providing lightweight, browser-based connectivity without the need to expose them through public IP addresses. For more information, see What is Azure Bastion?.

Connect to your VM using the following steps:

  1. In the virtual network you created earlier, add a new subnet named AzureBastionSubnet.

    Screenshot of the create AzureBastionSubnet.

  2. In the portal's search bar, type the name of the virtual machine you created earlier, and select it from the search results.

  3. Select the Connect button, and choose Connect via Bastion from the dropdown menu.

    Screenshot of the Connect via Bastion option.

  4. Select Deploy Bastion.

  5. On the Bastion page, enter the required authentication credentials, then select Connect.

Step 9: Access Fabric privately from the virtual machine

Next, access Fabric privately from the virtual machine you created in the previous step. This step verifies that the private endpoint is correctly configured and that you can resolve the Fabric workspace FQDN to the private IP address.

  1. In the virtual machine, open the Command Prompt.

  2. Enter the following command:

    nslookup {workspaceid}.z{xy}.w.api.fabric.microsoft.com

    where workspaceid is the workspace object ID (GUID) with the dashes removed, and xy is the first two characters of that ID.

  3. The private IP address of the private endpoint is returned. If a public IP address comes back instead, check that the connection was approved in Step 6, that the private DNS zone is linked to the virtual network, and that the record you created in Step 7 matches the name you queried.
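As an added example (not part of the article), the Python below builds the FQDN from a workspace GUID using the rule above and checks that whatever it resolves to is a private address, since a public answer means the private endpoint isn't in the path. The relative record name it suggests for the private DNS zone follows the standard Azure Private Link DNS pattern and is an assumption; compare it with the private endpoint's DNS configuration tab before creating the record. The resolver is injectable so the check can be exercised without network access, and the workspace GUID is constructed.

```python
"""Derive the workspace API FQDN and verify it resolves to a private address.

Added example, not part of the original article. The FQDN pattern
{workspaceid}.z{xy}.w.api.fabric.microsoft.com and the zone name
privatelink.fabric.microsoft.com are taken from the article.
"""
import ipaddress
import socket
from typing import Callable, Tuple

PRIVATE_ZONE = "privatelink.fabric.microsoft.com"
PUBLIC_SUFFIX = "w.api.fabric.microsoft.com"


def workspace_api_fqdn(workspace_id: str) -> str:
    """Build the workspace API FQDN from the workspace GUID.

    The article's rule: remove the dashes and use the first two characters of
    the ID as the z-shard label.
    """
    compact = workspace_id.strip().lower().replace("-", "")
    if len(compact) != 32 or any(c not in "0123456789abcdef" for c in compact):
        raise ValueError(f"workspace ID must be a GUID, got {workspace_id!r}")
    return f"{compact}.z{compact[:2]}.{PUBLIC_SUFFIX}"


def private_zone_record(fqdn: str) -> Tuple[str, str]:
    """Return (zone, relative record name) for the A record in the private DNS zone.

    Assumption (not stated in the article): the record keeps the labels that
    precede fabric.microsoft.com, so <ws>.z<xy>.w.api goes into
    privatelink.fabric.microsoft.com. Check this against the DNS configuration tab.
    """
    suffix = ".fabric.microsoft.com"
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not a fabric.microsoft.com name")
    return PRIVATE_ZONE, fqdn[: -len(suffix)]


def check_private_resolution(
    fqdn: str, resolver: Callable[[str], str] = socket.gethostbyname
) -> Tuple[str, bool]:
    """Resolve the FQDN and report whether the answer is a private address.

    `resolver` is injectable so the check can run without network access.
    A public answer means requests would leave over the internet path instead
    of the private endpoint: the zone isn't linked to the VNet, the record is
    missing, or the connection hasn't been approved.
    """
    addr = ipaddress.ip_address(resolver(fqdn))
    return str(addr), addr.is_private


if __name__ == "__main__":
    # Constructed sample workspace ID; replace with your own.
    fqdn = workspace_api_fqdn("11111111-2222-3333-4444-555555555555")
    print("query:", fqdn)
    print("record in private zone:", private_zone_record(fqdn))
    try:
        ip, private = check_private_resolution(fqdn)
        print("resolved to", ip, "(private)" if private else "(PUBLIC: private link not in effect)")
    except OSError as exc:  # no DNS answer at all
        print("resolution failed:", exc)
```

Run it on the VM after the DNS step; a private answer confirms the same thing as the nslookup above, and a public answer tells you the request is bypassing the private endpoint even though the connection may be approved.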

Step 10: Deny public access to the workspace

You can deny public access to the workspace in Tenant 2 to ensure that it can only be accessed through the private endpoint you created in Tenant 1.

To deny public access to the workspace, follow the steps in the private links setup article.

Cross-tenant communication is now established. Test the connection to ensure that you can access the workspace in Tenant 2 from the virtual machine in Tenant 1 using the workspace FQDN.

Note

This configuration allows secure network connectivity between tenants, but doesn't grant access to workspace resources by itself. Users must authenticate with valid credentials and have the necessary permissions in the tenant where the workspace resides to access data or services.