Private Link is a network security feature of the Fabric platform that provides secure access for data traffic in Fabric. Integrating Eventstream with Private Link enables secure, private connectivity between your data sources and Microsoft Fabric, without exposure to the public internet.
Fabric supports private links at both the tenant level and the workspace level:
- Tenant-level private links provide network policy to the entire tenant.
- Workspace-level private links provide granular control, making it possible to restrict access to certain workspaces while allowing the rest of the workspaces to remain open for public access.
Tenant private link
Two tenant settings in the Fabric admin portal are involved in Private Link configuration: Azure Private Link and Block Public Internet Access.
If Azure Private Link is enabled and Block Public Internet Access is enabled:
- Supported Fabric items are only accessible for your organization from private endpoints, and aren't accessible from the public Internet.
- Traffic from the virtual network targeting endpoints and scenarios that support private links is transported through the private link.
- Traffic from the virtual network targeting endpoints and scenarios that don't support private links is blocked by the service.
- There could be scenarios that don't support private links; they are blocked at the service when Block Public Internet Access is enabled.
If Azure Private Link is enabled and Block Public Internet Access is disabled:
- Traffic from the public Internet is allowed by Fabric services.
- Traffic from the virtual network targeting endpoints and scenarios that support private links is transported through the private link.
- Traffic from the virtual network targeting endpoints and scenarios that don't support private links is transported through the public Internet, and is allowed by Fabric services.
- If the virtual network is configured to block public Internet access, scenarios that don't support private links are blocked by the virtual network.
To set up and use a tenant-level private link, see Set up and use tenant-level private links.
Workspace Private Link
A workspace-level private link maps a workspace to a specific virtual network using the Azure Private Link service. With this integration in Eventstream, you can restrict public internet access and enforce access only through approved virtual networks via private links. This ensures that data streaming into Eventstream is tightly controlled and protected from unauthorized access.
To set up and use a workspace-level private link, see Set up and use workspace-level private links.
Supported scenarios
Currently, when a tenant-level or workspace-level private link is enabled, you can create and manage Eventstream only by using Fabric REST APIs. Eventstream APIs use a graph-like structure to define an Eventstream item, which consists of two key components: source and destination. The following table shows the currently supported scenarios for Private Link.
Note: Including an unsupported component in the Eventstream API payload might result in failure.
| Source / Destination | Category | Type | Private Link support |
|---|---|---|---|
| Sources | Azure streams | Azure Event Hubs | Yes |
| | | Azure IoT Hub | Yes |
| | | Azure Service Bus | Yes |
| | | Azure Data Explorer DB | Yes |
| | Basic | Custom Endpoint | No |
| | | Sample data | Yes |
| | | Weather data | Yes |
| | External streams | Confluent Cloud for Apache Kafka | Yes |
| | | Amazon Kinesis | Yes |
| | | Amazon MSK Kafka | Yes |
| | | Apache Kafka | Yes |
| | | Google Cloud Pub/Sub | Yes |
| | | Solace PubSub+ | Yes |
| | | MQTT | Yes |
| | Database CDC | Azure Cosmos DB | Yes |
| | | PostgreSQL DB | Yes |
| | | Azure SQL DB | Yes |
| | | Azure SQL MI DB | Yes |
| | | MySQL DB | Yes |
| | | SQL Server on VM DB | Yes |
| | Fabric events | Workspace item events | Yes |
| | | OneLake events | Yes |
| | | Fabric job events | Yes |
| | | Capacity events | Yes |
| | Azure events | Azure Blob Storage | No |
| | | Azure Event Grid | No |
| Destinations | Fabric destinations | Lakehouse | Yes |
| | | Eventhouse (preprocessing mode) | Yes |
| | | Eventhouse (direct ingestion mode) | No |
| | | Data Activator | No |
| | | Custom Endpoint | No |
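A pre-flight check that can be run on an Eventstream definition before it is sent to the REST API in a Private Link environment, as an added example (not Microsoft's code). The `sources`/`destinations` lists with `name`, `type` and `properties.mode`, and the use of the table's display names as type values, are assumptions for illustration; map them to the identifiers your API payload actually uses. Types that are not in the table are reported rather than passed.

```python
SUPPORT = {  # transcribed from the table: type -> Private Link support
    "sources": {
        "Azure Event Hubs": True, "Azure IoT Hub": True, "Azure Service Bus": True,
        "Azure Data Explorer DB": True, "Custom Endpoint": False,
        "Sample data": True, "Weather data": True, "MQTT": True,
        "Confluent Cloud for Apache Kafka": True, "Amazon Kinesis": True,
        "Amazon MSK Kafka": True, "Apache Kafka": True,
        "Google Cloud Pub/Sub": True, "Solace PubSub+": True,
        "Azure Cosmos DB": True, "PostgreSQL DB": True, "Azure SQL DB": True,
        "Azure SQL MI DB": True, "MySQL DB": True, "SQL Server on VM DB": True,
        "Workspace item events": True, "OneLake events": True,
        "Fabric job events": True, "Capacity events": True,
        "Azure Blob Storage": False, "Azure Event Grid": False,
    },
    "destinations": {
        "Lakehouse": True, "Eventhouse (preprocessing mode)": True,
        "Eventhouse (direct ingestion mode)": False,
        "Data Activator": False, "Custom Endpoint": False,
    },
}

def check_definition(definition):
    """Return (path, type, reason) for every node expected to be rejected."""
    findings = []
    for role, table in SUPPORT.items():
        for i, node in enumerate(definition.get(role, [])):
            kind = node.get("type", "")
            if kind == "Eventhouse":
                # Hypothetical field: support depends on the ingestion mode.
                mode = node.get("properties", {}).get("mode", "unspecified")
                kind = f"Eventhouse ({mode} mode)"
            path = f"{role}[{i}] {node.get('name', '?')}"
            if kind not in table:
                findings.append((path, kind, "not in support table"))  # fail closed
            elif not table[kind]:
                findings.append((path, kind, "no Private Link support"))
    return findings

SAMPLE = {  # constructed definition, not a real API payload
    "sources": [{"name": "hub-in", "type": "Azure Event Hubs"},
                {"name": "app-in", "type": "Custom Endpoint"}],
    "destinations": [{"name": "lake", "type": "Lakehouse"},
                     {"name": "kql", "type": "Eventhouse",
                      "properties": {"mode": "direct ingestion"}},
                     {"name": "mystery", "type": "Webhook"}],
}

if __name__ == "__main__":
    for finding in check_definition(SAMPLE):
        print(*finding, sep=" | ")
```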