This article is contributed. See the original author and article here.
Earlier this week, we released a feature in Purview to use private endpoints for your accounts. Implementing this feature can unlock the following for you:
1. You can use private endpoints to allow clients and users on a virtual network (VNet) to securely access the Purview Data Catalog over a Private Link.
2. The private endpoint uses an IP address from the VNet address space for your Azure Purview account.
3. Network traffic between the clients on the VNet and the Purview account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
4. You can also ensure network isolation for the metadata that flows from a scanned source into the Purview Data Map by using ingestion private endpoints.
Now let’s get started. Below is some helpful guidance to set this up within your own environment.
Creating a new Azure Purview account with Private Endpoints for the account & portal
Navigate to the Azure portal and begin creating a new Purview account.
Fill in the basic information, then on the Networking tab set the connectivity method to Private endpoint. Set up your ingestion private endpoints by providing the subscription, virtual network (VNet) and subnet you want to pair with each private endpoint.
Create an ingestion private endpoint only if you intend to enable network isolation for end-to-end scan scenarios, for both your Azure and on-premises sources. Ingestion private endpoints are not currently supported for AWS sources.
You can also optionally choose to set up a Private DNS zone for each ingestion private endpoint.
Click Add to add a private endpoint for your Purview account.
In the Create private endpoint page, set the Purview sub-resource to account, choose your virtual network and subnet, and select the Private DNS Zone in which the endpoint's DNS record will be registered. You can instead use your own DNS servers, or create the records in the hosts file on your virtual machines; a hosts-file entry is a per-machine workaround, so prefer a Private DNS zone or a DNS forwarder for anything beyond a test VM.
Create a private endpoint for the Azure Purview studio
Navigate to the Purview account you just created and select Private endpoint connections under the Settings section.
Click +Private endpoint to create a new private endpoint.
Fill in the basic information.
On the Resource tab, set Resource type to Microsoft.Purview/accounts.
Select the newly created Purview account as the Resource and set the target sub-resource to portal.
On the Configuration tab, select the virtual network and Private DNS Zone. Go to the summary page and click Create to create the portal private endpoint.
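The portal steps above, from account creation through the account and portal private endpoints and their DNS registration, as a single Az PowerShell script. This is an added example, not code from the original article or from Microsoft; the resource group, region, VNet, subnet and account names are assumed placeholders, and the two Private DNS zone names are the ones Azure Private Link documents for the Purview account and portal sub-resources (confirm them against the current Private Endpoint DNS table before relying on them). Ingestion private endpoints are deliberately left to the portal step, since they target Purview's managed storage and Event Hubs resources.

```powershell
# Added example (not from the original article): creates a Purview account with
# public network access disabled, then private endpoints for the 'account' and
# 'portal' sub-resources, each registered in a Private DNS zone linked to the VNet.
# Assumed values: resource group, region, VNet/subnet names, and the account name.
# Requires the Az.Purview, Az.Network and Az.PrivateDns modules and Connect-AzAccount.

$ResourceGroup = 'rg-purview-demo'          # assumed
$Location      = 'eastus'                   # assumed
$AccountName   = 'purview-demo-account'     # assumed; must be globally unique
$VnetName      = 'vnet-data'                # assumed existing VNet
$SubnetName    = 'snet-private-endpoints'   # assumed existing subnet

# 1. Purview account with the public endpoint turned off: the only way in is Private Link.
$purview = New-AzPurviewAccount -Name $AccountName -ResourceGroupName $ResourceGroup `
    -Location $Location -IdentityType SystemAssigned -PublicNetworkAccess Disabled

# 2. Subnet that will host the private endpoint NICs.
$vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet

# Sub-resource (group ID) -> Private DNS zone Private Link expects for it.
# Zone names follow the Azure Private Endpoint DNS table for Purview; confirm against current docs.
$endpoints = @{
    account = 'privatelink.purview.azure.com'
    portal  = 'privatelink.purviewstudio.azure.com'
}

foreach ($groupId in $endpoints.Keys) {
    $zoneName = $endpoints[$groupId]

    # 3. Private DNS zone, linked to the VNet so clients inside it resolve the private IP.
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $zoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        $zone = New-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $zoneName
    }
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $ResourceGroup -ZoneName $zoneName `
        -Name "link-$VnetName" -VirtualNetworkId $vnet.Id | Out-Null

    # 4. Private endpoint targeting the Purview sub-resource (account or portal).
    $conn = New-AzPrivateLinkServiceConnection -Name "pls-$AccountName-$groupId" `
        -PrivateLinkServiceId $purview.Id -GroupId $groupId
    $pe = New-AzPrivateEndpoint -Name "pe-$AccountName-$groupId" -ResourceGroupName $ResourceGroup `
        -Location $Location -Subnet $subnet -PrivateLinkServiceConnection $conn

    # 5. DNS zone group: Azure writes the endpoint's A record into the zone and keeps it updated.
    $zoneConfig = New-AzPrivateDnsZoneConfig -Name $zoneName.Replace('.', '-') -PrivateDnsZoneId $zone.ResourceId
    New-AzPrivateDnsZoneGroup -ResourceGroupName $ResourceGroup -PrivateEndpointName $pe.Name `
        -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null
}
```

The DNS zone group in step 5 is what makes the private endpoint usable without hand-written records: without it the endpoint exists but clients keep resolving the public address. If you run your own DNS rather than Azure Private DNS, skip steps 3 and 5 and forward the two privatelink zones to a resolver that can see the endpoint.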
Ingestion private endpoints and scanning sources in private networks, virtual networks and behind private endpoints
If you want to ensure network isolation for the metadata flowing from a scanned source into the Purview Data Map, follow these steps:
Enable an ingestion private endpoint by following the steps in this section of the documentation.
Scan the source using a self-hosted integration runtime (IR).
- All on-premises source types, such as SQL Server, Oracle and SAP, are currently supported only through scans that run on a self-hosted IR. The self-hosted IR must run inside your private network, and that network must be connected to your Azure VNet (over VPN or ExpressRoute for an on-premises network, or by VNet peering if the IR runs in another Azure VNet). That Azure VNet must then be enabled on your ingestion private endpoint by following the steps here.
- For all Azure source types, such as Azure Blob Storage and Azure SQL Database, you must explicitly choose to run the scan on a self-hosted IR to ensure network isolation; the Azure-hosted IR would otherwise reach the source over its public endpoint. Follow the steps here to set up a self-hosted IR, then configure the scan on the Azure source by choosing that self-hosted IR in the "Connect via integration runtime" dropdown.
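The check a practitioner wants after wiring up the endpoints above is proof that the hosts doing the work actually use them. The script below is an added example, not part of the original article or of Purview itself: run it on a VM in the VNet, or on the self-hosted IR host, and it resolves the Purview hostnames and reports whether each answer is a private (RFC 1918) address. The account hostname `<account>.purview.azure.com` and the portal hostname `web.purview.azure.com` are assumed from Purview's public naming; pass the FQDNs of the managed storage account and Event Hubs namespace in `-ExtraHosts` to cover the ingestion path too. For an on-premises self-hosted IR, a PUBLIC result usually means DNS rather than the private endpoint is missing: the on-premises resolver needs conditional forwarding for the privatelink zones to a resolver inside the Azure VNet.

```powershell
# Added example (not from the original article): verify from a client host that
# Purview names resolve to private endpoint IPs, not public Azure front ends.
# Hostnames are assumed from Purview's public naming; Resolve-DnsName needs the
# DnsClient module that ships with Windows.

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    $octets = $Address.Split('.') | ForEach-Object { [int]$_ }
    if ($octets.Count -ne 4) { return $false }
    ($octets[0] -eq 10) -or
    ($octets[0] -eq 172 -and $octets[1] -ge 16 -and $octets[1] -le 31) -or
    ($octets[0] -eq 192 -and $octets[1] -eq 168)
}

function Test-PurviewPrivateLink {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [string[]]$ExtraHosts = @()   # e.g. managed storage blob/queue and Event Hubs FQDNs
    )
    # Assumed public hostnames for the account and portal sub-resources.
    $hosts = @("$AccountName.purview.azure.com", 'web.purview.azure.com') + $ExtraHosts
    $allPrivate = $true
    foreach ($h in $hosts) {
        try {
            # Keep only A records; the CNAME hop through the privatelink zone is expected.
            $answers = Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                Where-Object { $_.QueryType -eq 'A' }
        } catch {
            Write-Warning "$h did not resolve: $($_.Exception.Message)"
            $allPrivate = $false
            continue
        }
        foreach ($a in $answers) {
            $private = Test-PrivateIPv4 -Address $a.IPAddress
            $status  = if ($private) { 'private' } else { 'PUBLIC' }
            Write-Host ("{0,-50} {1,-16} {2}" -f $h, $a.IPAddress, $status)
            if (-not $private) { $allPrivate = $false }
        }
    }
    return $allPrivate
}

# Example call; non-zero exit when anything still resolves publicly, so it can gate a pipeline.
if (-not (Test-PurviewPrivateLink -AccountName 'purview-demo-account')) { exit 1 }
```

A private answer proves only that DNS points at the endpoint; if you also want to confirm the path, pair it with a TCP probe to port 443 on the returned address from the same host, which will fail if the subnet's NSG or the on-premises route does not reach the endpoint subnet.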
You can also set up private endpoints on your existing Purview accounts. To learn about this and more read our full documentation here today!
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.