Exam DP203 Synapse Analytics Security: Difference between revisions

From MillerSql.com
NeilM (talk | contribs)

Revision as of 23:27, 18 November 2024

Synapse Analytics Security

Firewall rules

Firewall rules determine whether a client IP address is allowed to reach the Synapse workspace. They apply to all public endpoints. Create rules as IP address ranges in the Azure Portal properties window of the workspace.

Make sure that the firewall on your network and on your local computer allows outgoing communication on TCP ports 80, 443 and 1443 for Synapse Studio.

Synapse Studio also needs outgoing communication on UDP port 53 (DNS). To connect using tools such as SSMS and Power BI, you must allow outgoing communication on TCP port 1433.
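As an added example (not from this wiki page), the following Python models how IP-range firewall rules of this kind admit or reject a client address, flags ranges that are wider than intended, and reports which of the outbound ports listed above are still blocked; rule names, addresses and the 256-host threshold are constructed sample values.

```python
"""Audit helpers modelled on Synapse workspace firewall rules (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class FirewallRule:
    name: str
    start: IPv4Address
    end: IPv4Address

    def contains(self, ip: IPv4Address) -> bool:
        # A rule admits every address in the inclusive start..end range.
        return self.start <= ip <= self.end

    @property
    def size(self) -> int:
        return int(self.end) - int(self.start) + 1


def parse_rules(rows):
    """rows: (name, start, end) string tuples, as you would export them."""
    rules = []
    for name, start, end in rows:
        s, e = IPv4Address(start), IPv4Address(end)
        if e < s:
            raise ValueError(f"rule {name}: end {e} precedes start {s}")
        rules.append(FirewallRule(name, s, e))
    return rules


def matching_rules(rules, client_ip):
    """Names of every rule that would admit this client address."""
    ip = IPv4Address(client_ip)
    return [r.name for r in rules if r.contains(ip)]


def overly_broad(rules, max_hosts=256):
    """Rules spanning more hosts than a single site should ever need."""
    return [r.name for r in rules if r.size > max_hosts]


# Outbound ports the page lists: Studio (TCP 80/443/1443, UDP 53), SSMS/Power BI (TCP 1433).
REQUIRED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 1443), ("udp", 53), ("tcp", 1433)}


def missing_outbound(allowed):
    """Which required outbound (proto, port) pairs a client firewall still blocks."""
    return sorted(REQUIRED_OUTBOUND - set(allowed))


# Constructed sample rules: one host, one /24 VPN pool, and an over-broad catch-all.
SAMPLE_RULES = parse_rules([
    ("office-egress", "203.0.113.10", "203.0.113.10"),
    ("vpn-pool", "198.51.100.0", "198.51.100.255"),
    ("allow-everything", "0.0.0.0", "255.255.255.255"),
])
```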

Virtual Networks

Azure Virtual Network (VNet). Allows Azure resources to communicate with other Azure resources, with local machines, and with on-premises networks.

Managed workspace Virtual Network is managed by Synapse Analytics, and can only be enabled when the workspace is created (a checkbox at creation time). It offers the following:

  • No need to configure inbound network security groups or subnets for Spark.
  • Prevents data exfiltration.
  • Lets you create Managed private endpoints.
  • Provides user-level isolation for Spark activities, because each Spark cluster runs in its own subnet.

Dedicated SQL pool and serverless SQL pool are multi-tenant capabilities and therefore reside outside of the Managed workspace VNet; to communicate between them, use Azure private links.

Private Endpoints

In Synapse Studio, open the Manage tab and click "Private Endpoints" on the left-hand side. This is where you set up private endpoints.

Only available if the workspace was created with Managed Workspace Virtual Network enabled.

Allows connection to other Azure services, e.g. Azure Cosmos DB, over a "private link", so the traffic never leaves Microsoft's backbone network.

A private endpoint is mapped to a specific resource in Azure, not to the entire service.