Eventstream in Fabric Real-Time Intelligence streams data from both inside and outside the Fabric platform. When your external sources sit behind firewalls or in private networks, choosing the right network security feature is essential. This post breaks down the available options in Eventstream and helps you determine which one fits your scenario.
Understanding network traffic direction
Network traffic in Eventstream falls into three categories based on where the connection is initiated. Knowing how traffic flows to and from Fabric, and which side initiates the connection, helps you determine whether extra network security features are required and which option to use.
- Internal traffic flows between Eventstream and other Fabric items — such as Lakehouses, Weather feeds, or Fabric events. These connections stay within the Fabric security boundary. They're protected by Microsoft Entra ID authentication, workspace permissions, and encryption at rest and in transit. No extra network security configuration is needed.
- Inbound traffic refers to external data sources initiating connections to push data into Eventstream, for example your Azure Event Grid pushing system events to Eventstream or your own Custom Application pushing data to Eventstream.
- Outbound traffic occurs when Eventstream reaches out to pull data from external sources, such as Azure Event Hubs, Apache Kafka, or database change data capture (CDC) sources.
Figure: Diagram showing how network traffic direction is labeled for various Eventstream source–destination pairs.
Three network security features
Eventstream provides three network security features: managed private endpoints; tenant and workspace private links; and streaming connector virtual network injection. Each addresses a different traffic direction and a different set of data sources.
Managed Private Endpoints (Generally Available)
Managed Private Endpoints handle outbound network connections to Azure Event Hubs and Azure IoT Hub that aren't publicly accessible. When you create a managed private endpoint, Fabric automatically provisions a managed virtual network, allowing Eventstream to retrieve data over a private connection without traversing the public internet.
To learn more, refer to Connect to Azure resources securely using managed private endpoints.
Tenant and workspace private links
Private links are inbound security features that use Azure Private Link to ensure that only traffic from approved virtual networks can reach Eventstream. Tenant-level private links apply across all workspaces in your Fabric tenant; use them when your organization requires a company-wide security policy. Workspace-level private links provide granular control, letting you lock down specific workspaces while keeping others open for public access.
To learn more, refer to Secure inbound connections with Tenant and Workspace Private Links.
Streaming connector virtual network injection (Preview)
Streaming connector virtual network (VNet) injection handles outbound network connections to third-party sources residing in private networks. This includes Apache Kafka, Amazon Kinesis, Google Pub/Sub, Confluent Cloud, MQTT, and database CDC sources like PostgreSQL, MySQL, and SQL Server. Prepare an Azure VNet connected to your data source, and Eventstream injects its streaming connector into that VNet to securely retrieve data.
To learn more, refer to Eventstream streaming connector virtual network and on-premises support overview.
How to choose
Choosing the right feature comes down to a few questions:
- Is your source within Fabric? If you're using Fabric-native sources like workspace item events, OneLake events, or sample data, the connection is secure by default—with no additional steps.
- Is your source in a protected network? If the source is publicly accessible, no additional network security feature is required.
- What direction is the traffic? If external applications push data into Eventstream (inbound), use Private Links. If Eventstream pulls data from external sources (outbound), continue to the next question.
- Is the source Azure Event Hubs or Azure IoT Hub? If yes, use Managed Private Endpoints. For all other external sources, use streaming connector VNet injection.
Figure: Decision matrix diagram for selecting the appropriate network security feature for Eventstream.
For a complete decision matrix and flowchart, refer to Choose the right network security feature for Eventstream.
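The four questions above, applied in order to a small source inventory, as an added example that is not from the original post or from Microsoft. The `Source` fields, the feature labels, and the inventory entries are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

# Source types the post routes to managed private endpoints.
MPE_SOURCES = {"azure event hubs", "azure iot hub"}

class Source(NamedTuple):      # hypothetical inventory record, not a Fabric API type
    name: str                  # label from your own inventory
    kind: str                  # e.g. "Azure Event Hubs", "Apache Kafka"
    in_fabric: bool            # Fabric-native item or event
    private: bool              # behind a firewall or in a private network
    direction: str             # "inbound" (source pushes) or "outbound" (Eventstream pulls)

def choose_feature(src: Source) -> str:
    """Walk the post's questions in order; the first match decides."""
    if src.in_fabric:
        return "none (secure by default inside Fabric)"
    if not src.private:
        return "none (source is publicly accessible)"
    if src.direction == "inbound":
        return "tenant or workspace private link"
    if src.direction != "outbound":
        raise ValueError(f"{src.name}: direction must be inbound or outbound")
    if src.kind.strip().lower() in MPE_SOURCES:
        return "managed private endpoint"
    return "streaming connector VNet injection (Preview)"

def plan(inventory):
    """Group source names by the feature each one needs."""
    grouped = defaultdict(list)
    for src in inventory:
        grouped[choose_feature(src)].append(src.name)
    return dict(grouped)

# Constructed inventory for illustration only.
INVENTORY = [
    Source("onelake-events", "OneLake events", True, False, "internal"),
    Source("orders-hub", "Azure Event Hubs", False, True, "outbound"),
    Source("telemetry-hub", "Azure IoT Hub", False, True, "outbound"),
    Source("pg-cdc", "PostgreSQL CDC", False, True, "outbound"),
    Source("pos-app", "Custom application", False, True, "inbound"),
    Source("public-kafka", "Apache Kafka", False, False, "outbound"),
]

if __name__ == "__main__":
    for feature, names in plan(INVENTORY).items():
        print(f"{feature}: {', '.join(names)}")
```

Grouping the result by feature shows which sources depend on the Preview feature and which need no extra configuration.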
Eventstream gives you flexible options to bring your data into Fabric securely, whether your sources are inside Fabric, behind a firewall, or in a third-party cloud. By understanding your network traffic direction and source type, you can quickly identify which network security feature fits your needs — and start streaming data with confidence.