1 Vote
WojciechJakubowski-4113 asked WojciechJakubowski-4113 commented

Azure Data Factory private endpoint - portal subresource

Dear Microsoft,

What is the purpose of "portal" subresource for ADF private endpoint?

In the documentation I can see the following statement: "If you want to use the private endpoint for command communications between the self-hosted integration runtime and the Azure Data Factory service, select datafactory as Target sub-resource. If you want to use the private endpoint for authoring and monitoring the data factory in your virtual network, select portal as Target sub-resource."

Also, there is: "You can still access the Azure Data Factory portal through a public network after you create private endpoint for portal."

I have created ADF with private endpoint-only connectivity, created a private link of type "portal" and was still able to log in to the portal and modify & run pipelines from the public internet.

That being said, what is the purpose of this endpoint for the "portal" subresource? What do I get by creating it and paying $7 per month?


Thx

azure-data-factory azure-private-link

0 Votes
MatthiasNohl answered WojciechJakubowski-4113 commented

Hi,
had the same questions...

The private endpoint is used for the SHIR.

Support:
"Shared the below documentation and informed that we can still access the Azure Data Factory portal through a public network after you create private endpoint for portal.
https://docs.microsoft.com/en-us/azure/data-factory/data-factory-private-link
And if you use SHIR or Azure managed VNet IR then the communication will happen via private link and use private IPs configured for their ADF."




@wojciechjakubowski-4113 Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Thanks
Saurabh

0 Votes 0 ·

Would love to whenever I get my question answered :)

0 Votes 0 ·

Thank you for your comment but it does not answer my question.

0 Votes 0 ·
1 Vote
SaurabhSharma-msft answered WojciechJakubowski-4113 commented

Hi @wojciechjakubowski-4113,

OK. Let me try to clarify the purpose of the portal sub-resource:
If you are working from a VNet environment, let's say you are using VMs in the Azure VNet as your development machines, and the VNet is locked for any external access, which is the case in many enterprise scenarios, then users will not be able to access ADF's UX. So, in that case, to enable access to the ADF portal, the user needs to create a PE in their VNet.

Please let me know if you have any other questions.

Thanks
Saurabh


Hi @SaurabhSharma-msft
That's true, but the UX of ADF is always accessible via public internet :) Even in an enterprise environment there is no way to block public internet access. The private endpoint will only be consumed via SHIR.
Best
Matthias

0 Votes 0 ·

Hi,

I don't think that is correct.

Yes, I do have network isolation (all my Azure resources are only available from the VNet). One of these resources is ADF, for which I have two endpoints created (dataFactory and portal sub-resource types). And yet, despite that, the ADF portal is accessible from the internet.

And just to be clear, I am not saying something is broken or doesn't work as expected. The ADF docs clearly say it works that way (public portal access from the internet despite the private endpoint), so you are covered ;)

My question is more like: given how it works, what is the point of it? What value do I get from having such a PE?

Thx,
Wojciech

0 Votes 0 ·