articles/synapse-analytics/security/synapse-workspace-managed-vnet.md
29 additions & 4 deletions
@@ -32,8 +32,8 @@ If your workspace has a Managed workspace Virtual Network, Data integration and
32
32
33
33
Dedicated SQL pool and serverless SQL pool are multitenant capabilities and therefore reside outside of the Managed workspace Virtual Network. Intra-workspace communication to dedicated SQL pool and serverless SQL pool use Azure private links. These private links are automatically created for you when you create a workspace with a Managed workspace Virtual Network associated to it.
34
34
35
-
>[!IMPORTANT]
36
-
>You can't change this workspace configuration after the workspace is created. For example, you can't reconfigure a workspace that doesn't have a Managed workspace Virtual Network associated with it and associate a Virtual Network to it. Similarly, you can't reconfigure a workspace with a Managed workspace Virtual Network associated to it and disassociate the Virtual Network from it.
35
+
>[!IMPORTANT]
36
+
>You can't change this workspace configuration after the workspace is created. For example, you can't reconfigure a workspace that doesn't have a Managed workspace Virtual Network associated with it and associate a Virtual Network to it. Similarly, you can't reconfigure a workspace with a Managed workspace Virtual Network associated to it and disassociate the Virtual Network from it.
37
37
38
38
## Create an Azure Synapse workspace with a Managed workspace Virtual Network
39
39
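Review bot: the removed and added lines at 35-36 (`>[!IMPORTANT]` and the paragraph that follows it) read identically here, so this hunk appears to be a whitespace-only change (trailing spaces or line endings); the same applies to the pair at 46-47 in the next hunk. If that is intentional, say so in the commit message; otherwise drop these two hunks so the diff shows only the new section.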
@@ -43,8 +43,8 @@ To create an Azure Synapse workspace that has a Managed workspace Virtual Networ
43
43
44
44
If you leave the checkbox unchecked, then your workspace won't have a Virtual Network associated with it.
45
45
46
-
>[!IMPORTANT]
47
-
>You can only use private links in a workspace that has a Managed workspace Virtual Network.
46
+
>[!IMPORTANT]
47
+
>You can only use private links in a workspace that has a Managed workspace Virtual Network.
48
48
49
49
:::image type="content" source="./media/synpase-workspace-ip-firewall/azure-synapse-analytics-networking-managed-virtual-network-outbound-traffic.png" lightbox="./media/synpase-workspace-ip-firewall/azure-synapse-analytics-networking-managed-virtual-network-outbound-traffic.png" alt-text="Screenshot of the Create Synapse workspace networking page, with the Managed virtual network option Enabled and the Allow outbound data traffic only to approved targets option to Yes.":::
50
50
@@ -62,6 +62,31 @@ After the workspace is created, you can check whether your Azure Synapse workspa
62
62
63
63
:::image type="content" source="./media/synpase-workspace-ip-firewall/azure-synapse-analytics-overview-managed-virtual-network-enabled.png" lightbox="./media/synpase-workspace-ip-firewall/azure-synapse-analytics-overview-managed-virtual-network-enabled.png" alt-text="Screenshot of the Azure Synapse workspace overview page indicating that a managed virtual network is enabled.":::
64
64
65
+
## Integration Runtime behavior with Managed Virtual Network and Data Exfiltration Protection
66
+
67
+
When an Azure Synapse workspace is created with Managed Virtual Network and Data Exfiltration Protection (DEP) enabled, data movement and external data access are designed to run through the Managed Virtual Network Integration Runtime (VNET IR).
68
+
69
+
Using VNET IR ensures that:
70
+
71
+
- Data access is routed through the managed virtual network boundary
72
+
73
+
- Outbound connectivity is restricted to approved targets
74
+
75
+
- Managed private endpoints are used for external resource access
76
+
77
+
- DEP security controls are enforced consistently across pipeline activities and data operations
78
+
79
+
In DEP-enabled workspaces, VNET IR should be used for pipelines, linked services, and activities that access external data sources.
80
+
81
+
> [!NOTE]
82
+
> In certain scenarios, due to a known production issue, a DEP-enabled workspace may still allow artifacts (such as pipelines, linked services, or activities) to reference a public Azure Integration Runtime (Azure IR) in certain cases. Azure IR can access data sources over public network paths, which does not align with the intended Data Exfiltration Protection model.
83
+
>
84
+
> Customers should review Integration Runtime references in DEP-enabled workspaces and update them to use Managed Virtual Network Integration Runtime. Warning indicators may appear in the Synapse UI when Azure IR is referenced in a DEP-enabled workspace.
85
+
>
86
+
> For Webhook activities, Integration Runtime usage can be enabled through the workspace tag **enable_webhookonir**, after which a VNET IR can be selected in the UI.
87
+
>
88
+
>If public network access is required, use a workspace without DEP enabled instead of mixing Azure IR with a DEP-enabled workspace.
89
+
65
90
## Related content
66
91
67
92
- Create an [Azure Synapse Workspace](../quickstart-create-workspace.md)
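Review bot: the line "Integration Runtime usage can be enabled through the workspace tag **enable_webhookonir**" does not say what value the tag must carry, whether it is an Azure resource tag on the workspace, or whether existing Webhook activities pick it up; add that, since a reader cannot act on the tag name alone. The paragraph beginning "Warning indicators may appear in the Synapse UI" should also state plainly that the warning is advisory and that an artifact referencing Azure IR keeps running over public network paths until it is updated, so nobody reads the UI indicator as enforcement. Minor points: "In certain scenarios, due to a known production issue, ... in certain cases" says "certain" twice, drop one; the note mixes `> [!NOTE]` (space after `>`) with `>If public network access is required` (no space), while the rest of the file uses `>[!IMPORTANT]`, so pick one form; and the new heading uses title case ("Integration Runtime behavior with Managed Virtual Network and Data Exfiltration Protection") where the existing heading "Create an Azure Synapse workspace with a Managed workspace Virtual Network" uses sentence case.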