IT Admins, Security Engineers, Network Architects: anyone responsible for securing connectivity to and from Microsoft Fabric in enterprise environments.
Zero-Trust Network Architecture
Microsoft Fabric is a SaaS platform, but enterprises still need strict network boundaries. Here's how to integrate Fabric into your corporate zero-trust posture.
Zero-trust means never trust, always verify. All traffic between users, Fabric, and data sources should traverse private channels; disable public endpoints wherever possible.
Inbound: Users to Fabric
Control how users and applications connect to Fabric workspaces and services.
- Azure Private Link: route all user traffic through private endpoints in your VNet
- Conditional Access: Entra ID policies enforce device compliance, location, MFA
- Tenant restrictions: prevent data exfiltration to unauthorized tenants
Outbound: Fabric to Data
Control how Fabric connects to your private data sources and external services.
- Managed Private Endpoints: Fabric connects to your resources through the Azure backbone, not the public internet
- VNet Data Gateways: bridge Fabric to on-premises or VNet-isolated resources
- Trusted Workspace Access: allow firewalled Storage Accounts to trust Fabric
Internal: Between Services
Secure communication between Fabric components and Microsoft backbone services.
- Managed VNets: Spark workloads run in Fabric-managed virtual networks with controlled egress
- Service tags: NSG rules using the `DataFactory` and `PowerBI` service tags
- Data encryption: TLS 1.2+ in transit, Microsoft-managed keys at rest
Network Architecture Overview
Learn More
Fabric Security Overview
Private Link for Fabric
Route all user and application traffic to Fabric through Azure Private Link, keeping it off the public internet entirely.
How it works
- Create a Private Endpoint in your VNet targeting the `Microsoft.PowerBI/privateLinkServicesForPowerBI` resource provider
- Configure Private DNS Zones: resolve `*.analysis.windows.net`, `*.pbidedicated.windows.net`, and `*.app.powerbi.com` to private IPs
- Block public access: in the Fabric Admin Portal > Tenant Settings, disable the "Azure Private Link" toggle to block public access at tenant level
- Test connectivity: use `nslookup` or `Resolve-DnsName` from within the VNet to confirm private resolution
Misconfigured DNS is the #1 cause of Private Link failures. Every client (including on-premises via VPN/ExpressRoute) must resolve Fabric endpoints to their private IP. Use Azure Private DNS Zones linked to the VNet, and configure DNS forwarders for on-premises clients.
```powershell
# From a VM inside the VNet
Resolve-DnsName "yourworkspace.analysis.windows.net"
# Should return a private IP (10.x.x.x), NOT a public IP

# Verify from on-premises (must have DNS forwarder)
nslookup yourworkspace.analysis.windows.net
```
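The DNS check above as a repeatable audit, added here and not part of the original guide: every answer for each Fabric Private Link hostname is classified against the private-endpoint subnet, so a client that still receives public IPs, or a mix of public and private answers (the split-brain case the note warns about), is flagged. The workspace name, the 10.20.1.0/24 subnet and the sample answers are assumptions.

```python
# Added example, not from the page: check that the Fabric Private Link
# hostnames resolve to private-endpoint IPs. Names/subnets are constructed.
import ipaddress
import socket
# One hostname per DNS zone the page says must resolve privately
FABRIC_HOSTS = [
    "yourworkspace.analysis.windows.net",
    "yourworkspace.pbidedicated.windows.net",
    "yourworkspace.app.powerbi.com",
]

def classify(ip, pe_subnets):
    """'private' = inside a private-endpoint subnet; 'rfc1918' = private
    range but not ours (wrong VNet or stale forwarder); else 'public'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in pe_subnets):
        return "private"
    return "rfc1918" if addr.is_private else "public"

def audit_resolution(observed, pe_subnet_cidrs):
    """observed: host -> A-record answers a client saw. A host passes only
    if every answer is 'private'; a mix of kinds means split-brain DNS."""
    nets = [ipaddress.ip_network(c) for c in pe_subnet_cidrs]
    verdicts = {}
    for host in FABRIC_HOSTS:
        answers = observed.get(host, [])
        if not answers:
            verdicts[host] = "unresolved"
            continue
        kinds = sorted({classify(ip, nets) for ip in answers})
        verdicts[host] = "private" if kinds == ["private"] else "FAIL:" + ",".join(kinds)
    return verdicts

def live_lookup(hosts=FABRIC_HOSTS):
    """Resolve with the client's own resolver (run from the VNet VM, then
    from an on-premises client that should be using the DNS forwarder)."""
    out = {}
    for host in hosts:
        try:
            out[host] = sorted({a[4][0] for a in socket.getaddrinfo(host, 443, socket.AF_INET)})
        except socket.gaierror:
            out[host] = []
    return out

if __name__ == "__main__":
    for host, verdict in audit_resolution(live_lookup(), ["10.20.1.0/24"]).items():
        print(f"{verdict:>12}  {host}")
```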
Requirements & Limitations
| Aspect | Details |
|---|---|
| SKU requirement | F64 or higher capacity (or Power BI Premium P1+) |
| Tenant scope | Private Link applies to the entire tenant: once enabled with public access blocked, all users must connect via private endpoints |
| DNS zones needed | privatelink.analysis.windows.net, privatelink.pbidedicated.windows.net, privatelink.app.powerbi.com |
| On-premises access | Requires ExpressRoute or VPN + DNS forwarders pointing to Azure Private DNS |
| Not supported | Publish to Web, email subscriptions to external users, some third-party embedding scenarios |
Managed Private Endpoints (MPE)
Secure outbound connections from Fabric to your private data sources without exposing them to the public internet.
What are Managed Private Endpoints?
When Fabric needs to read from resources that have public access disabled (like ADLS behind a firewall), you create a Managed Private Endpoint from the Fabric workspace. Fabric creates a private endpoint inside its managed VNet, and you approve it in the Azure Portal on the target resource.
Setup Steps
1. Enable Managed VNet
In Fabric workspace settings, enable Managed Virtual Network for Spark workloads. This is a prerequisite for MPE.
2. Create MPE
Workspace Settings > Managed Private Endpoints > + New. Select the target resource type and enter the Azure Resource ID.
3. Approve in Azure
Go to the target resource (e.g., Storage Account) > Networking > Private Endpoint Connections > Approve the pending connection.
4. Use in Notebooks
Connect to the resource from Spark notebooks or pipelines. Traffic flows over Azure backbone via the approved private endpoint.
Supported Resource Types
| Azure Resource | Resource Provider | Sub-resource |
|---|---|---|
| Azure Data Lake Storage (ADLS Gen2) | Microsoft.Storage/storageAccounts | dfs |
| Azure SQL Database | Microsoft.Sql/servers | sqlServer |
| Azure Synapse Analytics | Microsoft.Synapse/workspaces | Sql, SqlOnDemand, Dev |
| Azure Key Vault | Microsoft.KeyVault/vaults | vault |
| Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts | Sql |
| Azure Cognitive Services / OpenAI | Microsoft.CognitiveServices/accounts | account |
| Azure Event Hubs | Microsoft.EventHub/namespaces | namespace |
When Managed VNet is enabled, Starter Spark pools are not available. Spark session start-up time increases because pre-warmed clusters cannot be used. Plan for capacity accordingly: use F64+ SKUs and consider keeping sessions alive for iterative development.
Learn More
Managed Private Endpoints
Managed Virtual Networks
Fabric-managed VNets provide network isolation for Spark workloads with controlled outbound access.
How Managed VNets Work
When enabled at the workspace level, Fabric provisions a Microsoft-managed virtual network for all Spark compute in that workspace. Outbound traffic is restricted: Spark can only access destinations through approved Managed Private Endpoints or public endpoints you explicitly allow.
What is controlled
- All Spark notebook and pipeline outbound traffic
- Connections to Azure PaaS resources via MPE
- Egress to public internet (blocked by default)
- DNS resolution within the managed VNet
What is NOT covered
- SQL endpoint (Warehouse, SQL Analytics): uses separate connectivity
- Power BI / semantic models: not in the managed VNet
- Data Factory pipelines: use VNet Data Gateways instead
- KQL / Eventhouse: separate networking model
Enable Managed VNet on workspaces that process sensitive data via Spark. Workspaces that only do Power BI reporting or SQL queries don't need it, and leaving it off avoids the Spark startup penalty.
Learn More
Managed VNets Overview
VNet Data Gateways
Connect Fabric to on-premises data sources and VNet-isolated Azure resources without installing software.
When to Use
VNet Data Gateways are the recommended approach when you need Fabric to reach resources inside a VNet that aren't accessible through Managed Private Endpoints, for example on-premises SQL Server via ExpressRoute, or Azure resources in peered VNets.
VNet Data Gateway
- No software to install: fully managed by Microsoft
- Runs in a delegated subnet in your VNet
- Supports Dataflows Gen2, Semantic Models, Paginated Reports
- Accesses anything reachable from the subnet (on-prem via peering/ER)
On-Premises Data Gateway (classic)
- Software installed on a VM or server you manage
- Required for some legacy connectors
- Outbound HTTPS only: no inbound ports needed
- Consider only when VNet Data Gateway doesn't support your source
Setup Requirements
| Requirement | Details |
|---|---|
| Subnet delegation | Delegate a subnet to Microsoft.PowerPlatform/vnetaccesslinks (minimum /28 CIDR) |
| NSG rules | The delegated subnet needs outbound HTTPS (443) to Power BI service endpoints |
| VNet peering | For on-premises access, the VNet must be peered with hub VNet or have ExpressRoute/VPN |
| Capacity | Requires Fabric F2+ or Power BI Premium capacity |
| Region | Gateway must be in the same region as the Fabric capacity |
Learn More
VNet Data Gateways
Trusted Workspace Access
Allow Fabric to access firewalled Azure Storage Accounts using workspace identity, with no public access or private endpoints required.
How it works
Azure Storage firewall can be configured to trust specific resource instances. By registering Fabric workspace identities, you allow OneLake shortcuts and Spark to access the storage even when "Allow public access" is OFF.
```bash
# 1. Get the Fabric workspace identity (ARM resource ID)
#    Found in Workspace Settings > Azure tab
# 2. Add it as a resource instance rule on the Storage Account
az storage account network-rule add \
  --account-name mystorageaccount \
  --resource-group myRG \
  --resource-id "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Fabric/workspaces/{workspaceId}" \
  --tenant-id "{tenantId}"
# 3. Verify the Storage Account firewall settings
az storage account show --name mystorageaccount \
  --query "networkRuleSet.resourceAccessRules"
```
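A review step for the verification output above, added here and not part of the original guide: the `networkRuleSet` that `az storage account show` returns is checked for the posture the section intends, default action Deny and resource instance rules that trust only the named Fabric workspaces of your own tenant, so a rule for a foreign tenant, a non-Fabric resource, or an unexpected workspace is reported. The account JSON, tenant ids and workspace names are constructed; `{sub}` and `{rg}` are placeholders as in the command above.

```python
# Added example, not from the page: review a Storage Account's network rules
# after Trusted Workspace Access is set up. The JSON below is constructed in
# the shape `az storage account show` prints; all ids are placeholders.
import json

FABRIC_WS_TYPE = "/providers/microsoft.fabric/workspaces/"
OUR_TENANT = "11111111-aaaa-4aaa-aaaa-111111111111"  # constructed
# Constructed output: default Deny, one workspace of our tenant trusted,
# plus one rule (ws-partner, other tenant) that should not be there
ACCOUNT_JSON = """{
  "networkRuleSet": {
    "defaultAction": "Deny",
    "resourceAccessRules": [
      {"tenantId": "11111111-aaaa-4aaa-aaaa-111111111111",
       "resourceId": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Fabric/workspaces/ws-finance"},
      {"tenantId": "22222222-bbbb-4bbb-bbbb-222222222222",
       "resourceId": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Fabric/workspaces/ws-partner"}
    ]
  }
}"""

def audit_resource_rules(account, expected_tenant, expected_workspaces):
    """Return findings; an empty list means the firewall defaults to Deny and
    only the named Fabric workspaces of our own tenant are trusted."""
    findings = []
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny; the firewall is not enforced")
    seen = set()
    for rule in rules.get("resourceAccessRules") or []:
        rid, tenant = rule.get("resourceId", ""), rule.get("tenantId", "")
        if tenant.lower() != expected_tenant.lower():
            findings.append(f"rule trusts a foreign tenant {tenant}: {rid}")
        elif FABRIC_WS_TYPE not in rid.lower():
            findings.append(f"non-Fabric resource instance trusted: {rid}")
        else:
            ws = rid.rsplit("/", 1)[-1]  # last segment is the workspace id
            seen.add(ws)
            if ws not in expected_workspaces:
                findings.append(f"unexpected Fabric workspace trusted: {ws}")
    for ws in sorted(set(expected_workspaces) - seen):
        findings.append(f"expected workspace {ws} has no resource instance rule")
    return findings

def audit_account_json(text, expected_tenant, expected_workspaces):
    """Same check, starting from the raw JSON text the CLI prints."""
    return audit_resource_rules(json.loads(text), expected_tenant, expected_workspaces)

if __name__ == "__main__":
    for finding in audit_account_json(ACCOUNT_JSON, OUR_TENANT, {"ws-finance"}):
        print("FINDING:", finding)
```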
Trusted Workspace Access is simpler for OneLake shortcuts and basic Spark access to ADLS. Managed Private Endpoints are needed for SQL databases, Key Vault, Cosmos DB, and any non-storage resource that requires private connectivity.
Learn More
Trusted Workspace Access
Conditional Access & Tenant Policies
Use Entra ID Conditional Access and Fabric Tenant Settings to enforce who, from where, and how users access Fabric.
Location-Based Policies
- Block access from non-corporate IP ranges
- Require VPN/Private Link for sensitive workspaces
- Geo-fence to specific countries
Device Compliance
- Require Intune-compliant or Hybrid AD-joined devices
- Block access from unmanaged/personal devices
- Enforce app protection policies on mobile
Authentication Strength
- Require phishing-resistant MFA (FIDO2, Windows Hello)
- Step-up authentication for admin operations
- Session controls (sign-in frequency, persistent browser)
Tenant Restrictions
- Prevent users from accessing other organizations' Fabric tenants
- Block guest access to sensitive workspaces
- External sharing policies per workspace
At minimum, configure: (1) Require MFA for all Fabric users, (2) Block access from non-compliant devices, (3) Restrict admin portal access to named locations. These three policies prevent the majority of identity-based attacks.
Learn More
Conditional Access for SaaS
Networking Decision Matrix
Choose the right networking approach based on your security requirements and workload type.
| Scenario | Recommended Approach | SKU Minimum | Complexity |
|---|---|---|---|
| Users access Fabric from corporate network only | Private Link + block public access | F64 | Medium |
| Spark reads from firewalled ADLS | Managed Private Endpoints (MPE) | F64 | Medium |
| OneLake shortcuts to firewalled storage | Trusted Workspace Access | F2 | Low |
| Dataflows connecting to on-premises SQL | VNet Data Gateway | F2 | Medium |
| Full zero-trust (all traffic private) | Private Link + MPE + Managed VNet + CA | F64 | High |
| Development / non-sensitive workloads | Public endpoints + Conditional Access + MFA | F2 | Low |