Are you also trying to create a PE linked to a "Private Link Service", or what backend service type are you trying to connect to?

Sorry for the delay. Yea, the resource type is an Azure "Private Link Service" that I'm trying to connect to with Fabric's private endpoint. 

Sounds like we are both struggling with the same thing. My ongoing support ticket with PowerBI/Fabric support keeps saying that "Private Link" in admin tenant settings needs to be enabled, which is for enabling private access into Fabric. But they also keep referring me to documentation about creating a PL into Fabric, which is not what I am trying to do.  So, I really do not think that is the issue.  Seems like support cannot differentiate PL for Fabric vs a PLS.

Are you able to try enabling "Private Link" in your Tenant Admin settings?  Our PowerBI admins will not enable it because some of the limitations defined here: https://learn.microsoft.com/en-us/fabric/security/security-private-links-overview#other-consideratio...

I am going to try on my personal Azure account later today when i get a chance.  I just want to rule that out.

HI @Digidank ,

Sorry it seems like I confused the Azure private link service and private links. For your scenario, perhaps you can open a ticket on support page to contact the Dev team to ensure if managed Private Endpoint supports azure private link service.

Microsoft Fabric Support and Status | Microsoft Fabric

Regards,

Xiaoxin Sheng

No worries @v-shex-msft!  I have an open ticket i've been going back and forth on.  Will be doing a teams/screensharing call today with support.  I will be sure to keep updating this as i get more info.

I can also confirm that just as you @Digidank , I have no problem creating Private Endpoints in Fabric to other Azure services. Just successfully added one to a storage account without problem.

I've also tried to create a spark pool in Synapse in the same Azure tenant as my PLS, and from Synapse, I can successfully connect to my PLS (even manually, using the exact same Resource ID as I'm trying to use from Fabric.

All my attempts from Fabric returns HTTP error 400 (InvalidRequest, pbi.error), regardless if I misstype the servicename or enter the correct servicename.

I've tried now to enable Private Link under Tenant Admin settings, waited 30 min, but still get the same error.

Thank you so much for posting.  I was probably about to waste a month of time with support as well.  Any chance you have a case identifier, like an SR number or ICM number?  I may want to follow-up but don't necessarily want to start from scratch.

I also assumed that this would work, and I see no way of connecting Fabric to our VNet integrated Azure MySQL without it.

I've created an Ideas submission here, please upvote it! https://ideas.fabric.microsoft.com/ideas/idea/?ideaid=a2c6eb27-727a-ef11-a4e6-000d3a7b101f

Hi @Digidank,

Thanks for sharing these detail information here. I think they will help other user to clarify this scenario.

Regards,

Xiaoxin Sheng

Most recent update:

Hello Josh,

Hope you are doing well!

The Product team has informed us that currently, there is no estimated time of arrival (ETA) for updating of the Document. There's a possibility we might receive an update on the ETA by the end of this month, but this is a provisional internal timeline and not guaranteed. Once the ETA is established, the public documentation will be updated accordingly.

Please let me know if you have any other concerns. Based on your response we will proceed with the case.

@Digidank 

Do you have a ticket open?  DId they update the docs to say that PLS is not supported?

The docs are pretty poor.  The only relevant thing I can find is like so:

https://learn.microsoft.com/en-us/fabric/security/security-managed-private-endpoints-overview#limita...

Creating a managed private endpoint with a fully qualified domain name (FQDN) is not supported.

These limitations and considerations might affect your use cases and workflows. Take them into account

This doesn't specifically talk about PLS, but the FQDN part is often a show-stopper for PLS.

Not sure if anyone else has tried to create a PLS private endpoint by going around the back door.  But it doesn't work, from what I've tried.   Image:

I've been able to create PE requests for blob and other resources, but it never succeeds when I try to create one for PLS, with a blank group ID and a FQDN.  I think we are at the mercy of whatever team is sitting on this request. 
IMO, It seems like a pretty basic requirement.  Private link service is a pretty fundamental component in azure nowadays, and was intended to be used for precisely this sort of scenario.

Again, it took the Synapse team about a year to create the U/I that allows this PLS connectivity to work, and I am guessing the Fabric team will take the same a similar amount of time.  It would be nice if they could give a "back-door" approach that circumvents the U/I, as a temporary solution.  For some reason U/I teams in the cloud seem to be extremely slow at what they do. Back-door options include a REST api, or powershell command or similar.

Wahted to re-iterate that a pipeline activity "copy activity" might be the best way to work around the missing PLS.  Ie. you have to go thru a round-about approach that sends the data from a service thru an ADLS storage account (temp files) before it is accessible from Fabric.

This unfortunately can cost more money, and has more moving parts (on premise gateway).

More details on reddit:
https://www.reddit.com/r/MicrosoftFabric/comments/1er2z51/invalidrequest_when_adding_a_private_link_...

I was able to get in touch with a Mindtree engineer about this today (12/17/2024):

I have an update for you from my PG, they informed me that as of now there is no ETA for this deployment as currently there is a deployment freeze. And they have provided below platforms where we can check for the latest update directly from the product team.

And I also checked for workaround but they informed me that there is not workaround and PG team is working on it to bring it as soon as possible.

https://blog.fabric.microsoft.com/en-us/blog/
https://blog.fabric.microsoft.com/en-us/blog/category/roadmap

As a side,  I looked at the roadmap and it goes to the end of Q1 2025.  It is reasonable to assume they are NOT committed to fixing the PLS private endpoints before the end of Q1.  Unfortunately we are already planning to get workloads out of Synapse before then... so we must stumble our way thru this in one way or another.  I'm guessing we will have to retrieve this service-hosted data by way of data-factory-pipelines or some other wierdness.  I guess this is par for the course, when building a solution inside of a SaaS. 

I found a full list of supported connections via MPE, and private-link service is not one of them:

https://learn.microsoft.com/en-us/fabric/security/security-managed-private-endpoints-create#supporte...

I can say from my past experience (in Synapse) that it took far longer then I thought it would to add support for MPE's to private link service.  I think we were talking to Microsoft for almost 18 months before they finally added MPE's to PLS.  The additional complexity (compared to other types of data sources) is very minimal, eg. the ability to specify FQDN's.    I think the folks who are the biggest bottlenecks are the ones writing the U/I interactions.  Perhaps we should be asking for a REST API to manage our MPE's and that might allow us to get to the finish line  a lot sooner, without placing a dependency on any of the front-end web developers.

Thanks for the update, Josh.

Do they mean that they might get back with an ETA when documentation is updated to clearly say PLS is *not* supported, or do they mean they might get back with an ETA when it *will be* supported?

I've also opened a support ticket, which first came back with the same suggestion to enable Private Link ect. It's now been escalated to "next level", but I assume they will get back with same info as you got, but hopefully it can help raise the priority on the issue if more people report it as a major showstopper.