Callout policy

Azure Data Explorer clusters can communicate with external services in many different scenarios. Cluster admins can manage the authorized domains for external calls by updating the cluster's callout policy.

Callout policies are managed at the cluster level and are classified into the following types.

A callout policy is composed of the following properties.

  • CalloutType - Defines the type of the callout, and can be one of the types listed above.
  • CalloutUriRegex - Specifies the regular expression that a permitted callout domain must match.
  • CanCall - Indicates whether the callout is permitted to make external calls.

Predefined callout policies

The following table shows a set of predefined callout policies that are preconfigured on Azure Data Explorer clusters to enable callouts to selected services.

| Service  | Designation           | Permitted domains |
|----------|-----------------------|-------------------|
| Kusto    | Cross cluster queries | [a-z0-9]{3,22}\\.(\\w+\\.)?kusto\\.windows\\.net/?$ |
|          |                       | [a-z0-9]{3,22}\\.(\\w+\\.)?kustomfa\\.windows\\.net/?$ |
| Azure DB | SQL requests          | [a-z0-9][a-z0-9\\-]{0,61}[a-z0-9]?\\.database\\.windows\\.net/?$ |

To see other predefined policies on your cluster, run the following query:

.show cluster policy callout 
| where EntityType == 'Cluster immutable policy'
| project Policy

Control commands

The commands require AllDatabasesAdmin permissions.

Show all configured callout policies

.show cluster policy callout

Alter callout policies

.alter cluster policy callout @'[{"CalloutType": "sql","CalloutUriRegex": "sqlname\\.database\\.azure\\.com/?$","CanCall": true}]'

Add a set of permitted callouts

.alter-merge cluster policy callout @'[{"CalloutType": "sql","CalloutUriRegex": "sqlname\\.database\\.azure\\.com/?$","CanCall": true}]'
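
As an added example (not part of the original documentation and not Azure Data Explorer's own code), the following Python script checks a policy's CalloutUriRegex against host names before the policy is applied, using the JSON from the commands above. It assumes the regex is applied as an unanchored search over the callout host and that any matching entry with CanCall set to true permits the call; the host lists and the `^`-anchored variant are constructed for illustration.

```python
import json
import re

# Policy JSON exactly as passed to `.alter cluster policy callout` on this page.
PAGE_POLICY = r'[{"CalloutType": "sql","CalloutUriRegex": "sqlname\\.database\\.azure\\.com/?$","CanCall": true}]'
# Constructed variant for comparison: the same entry with a leading ^ anchor.
ANCHORED_POLICY = PAGE_POLICY.replace('"sqlname', '"^sqlname')

# Constructed test hosts: what the admin intends to allow, and what must stay blocked.
INTENDED = ["sqlname.database.azure.com", "sqlname.database.azure.com/"]
UNINTENDED = [
    "othersqlname.database.azure.com",         # different server, same suffix
    "sqlname.database.azure.com.example.net",  # extra labels after the domain
    "sqlname-database.azure.com",              # '-' where an escaped '.' is required
]

REQUIRED_KEYS = {"CalloutType", "CalloutUriRegex", "CanCall"}

def load_policy(text):
    """Parse the policy array and check each entry has the three documented fields."""
    entries = json.loads(text)
    for entry in entries:
        missing = REQUIRED_KEYS - entry.keys()
        if missing:
            raise ValueError(f"policy entry missing {sorted(missing)}")
        if not isinstance(entry["CanCall"], bool):
            raise ValueError("CanCall must be true or false")
        entry["_re"] = re.compile(entry["CalloutUriRegex"])
    return entries

def is_permitted(entries, callout_type, host):
    """ASSUMPTION: unanchored search semantics; any matching CanCall=true entry permits."""
    return any(
        e["CanCall"] and e["CalloutType"] == callout_type and e["_re"].search(host)
        for e in entries
    )

def audit(policy_text, callout_type="sql"):
    """Return (intended hosts that are blocked, unintended hosts that are permitted)."""
    entries = load_policy(policy_text)
    blocked = [h for h in INTENDED if not is_permitted(entries, callout_type, h)]
    leaked = [h for h in UNINTENDED if is_permitted(entries, callout_type, h)]
    return blocked, leaked

if __name__ == "__main__":
    for name, text in [("page policy", PAGE_POLICY), ("anchored", ANCHORED_POLICY)]:
        blocked, leaked = audit(text)
        print(f"{name}: blocked={blocked} leaked={leaked}")
```

Under the stated assumption, the page's regex also matches a server name that merely ends in `sqlname`, while the anchored variant matches only the intended host.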

Delete all non-immutable callout policies

.delete cluster policy callout