rajat-srivastav
Frequent Visitor

Managed private endpoint with private storage account not working

Hi,

I have been trying to access a Storage Account (ADLS gen2) from Fabric workspace. I have created managed private endpoints in the workspace setting and approved the request on the Storage Account. 


 

As soon as I disable the "public network access" on the storage account, the existing connection goes into failed status and if I try to create new connection "invalid credentials" is prompted.

I know we don't need to, but I also tried using "privatelink" in the server URL.

 

Just to be double sure, I also tried listing the content of the storage account using notebooks. I got the same results again: when public access is enabled, I am able to list the content, but when it is disabled I am not.

 

Is there something I am missing? I have gone through all the documentation for managed private endpoints and have not found much help.

1 ACCEPTED SOLUTION

Hi @rajat-srivastav 

 

As mentioned earlier, Fabric's managed private endpoints cannot currently access storage accounts that have public network access disabled. While the current implementation doesn't fully utilize managed private endpoints for storage accounts with disabled public access, this could be possible in the near future, though we don't have any ETA. For now, using firewall rules on your storage account provides a secure alternative.

 

However, your suggestion is definitely valuable! We use customer feedback like yours to prioritize future features. The more users who request the ability to customize backgrounds, the higher it moves on our list.

We would appreciate it if you could share the feedback on our Microsoft Fabric Ideas, which would be open for the user community to upvote & comment on. This allows our product teams to effectively prioritize your request against our existing feature backlog and gives insight into the potential impact of implementing the suggested feature.

 

I hope this information helps.


Thank you


6 REPLIES 6
v-cboorla-msft
Community Support

Hi @rajat-srivastav 

 

Thanks for using Microsoft Fabric Community.

As I understand, you are having trouble accessing a Storage Account (ADLS gen2) from your Fabric workspace using managed private endpoints.

Yes, disabling public network access for your ADLS gen2 storage account cuts off access from Microsoft Fabric. This is expected behavior; it currently doesn't support Virtual Network (VNet) integrations with private endpoints.

 

Public Network Access: Fabric workspaces that have a workspace identity can securely access ADLS Gen2 accounts with public network access enabled from selected virtual networks and IP addresses. If you disable public network access on the storage account, it might cause the connection to fail because disabling public network access on the storage account blocks all connections from the public internet, including those from Fabric workspace by default.

For more details, please refer to: Trusted workspace access in Microsoft Fabric - Microsoft Fabric | Microsoft Learn

 

Re-enable Public Network Access (with Firewall Rules): You can re-enable public network access and configure firewall rules on the storage account. However, remember to configure firewall rules to restrict access only to trusted sources (like Fabric workspace IP addresses). This allows access only from specific IP addresses or virtual networks, including the one where your Fabric workspace resides. There isn't a direct solution using managed private endpoints within Fabric at the moment.

Refer to Microsoft's documentation on configuring Azure Storage firewalls for details: Configure Azure Storage firewalls and virtual networks | Microsoft Learn

 

I hope this information helps.

 

Thank you.
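One way to check the storage-side settings discussed in the reply above, as an added example that is not part of the original thread or Microsoft's own code. It assumes the account JSON uses the field names emitted by `az storage account show` (`publicNetworkAccess`, `networkRuleSet`); the sample account, its IDs and the /16 breadth threshold are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample, shaped like `az storage account show` output (assumed fields).
SAMPLE = json.loads("""
{
  "name": "examplestorage",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
    "virtualNetworkRules": [],
    "resourceAccessRules": [
      {"tenantId": "00000000-0000-0000-0000-000000000000",
       "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/Fabric/providers/Microsoft.Fabric/workspaces/11111111-1111-1111-1111-111111111111"}
    ]
  }
}
""")

FABRIC_MARKER = "/providers/microsoft.fabric/workspaces/"
MIN_PREFIX = 16  # assumption: anything wider than /16 is flagged as too broad


def audit_storage_network(account: dict) -> list[str]:
    """Return findings on the firewall posture a Fabric workspace depends on."""
    if account.get("publicNetworkAccess") == "Disabled":
        # Per the thread: Fabric connections fail in this state.
        return ["public-access-disabled"]
    rules = account.get("networkRuleSet") or {}
    findings = []
    if rules.get("defaultAction", "Allow") == "Allow":
        findings.append("open-to-all-networks")
    for rule in rules.get("ipRules") or []:
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if net.prefixlen < MIN_PREFIX:
            findings.append(f"broad-ip-rule:{rule['ipAddressOrRange']}")
    fabric_rules = [r for r in rules.get("resourceAccessRules") or []
                    if FABRIC_MARKER in r.get("resourceId", "").lower()]
    if not fabric_rules:
        findings.append("no-fabric-workspace-rule")
    return findings or ["ok"]


if __name__ == "__main__":
    print(audit_storage_network(SAMPLE))
```
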

Microsoft does a terrible job on Microsoft Fabric releases, so many new features in GA are not working. Workspace Identity to access Azure Storage Account With Firewall Enabled does not work, and shows a nonintuitive error message: 'You are not authorized to perform these operations....'

 

Hi, @v-cboorla-msft 

 

But if that is so, then what is even the point of creating a Managed Private Endpoint in Fabric (for a Storage account)? I could simply use the 'selected virtual network and IP addresses' in the Storage Account's firewall and use ADLS in my notebooks and pipelines like that. Isn't the entire concept of creating a managed private endpoint to allow secure access to resources?

Even if Fabric is using the managed private endpoint over private link to connect to Storage Account, I have to allow public access on the storage account anyway.

 

Please let me know what I am missing.

 

Regards,

Rajat

Hi @rajat-srivastav 

 

We haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. If you have a resolution, please do share it with the community, as it can be helpful to others. Otherwise, respond back with more details and we will try to help.

 

Thank you.

Hi @rajat-srivastav 

 

We haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. If you have a resolution, please do share it with the community, as it can be helpful to others.
If you have any question relating to the current thread, please do let us know and we will try our best to help you.
If you have any other question on a different issue, we request you to open a new thread.

 

Thank you.
