Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Did you hear? There's a new SQL AI Developer certification (DP-800). Start preparing now and be one of the first to get certified. Register now

saravi
‎10-22-2025 10:00 AM

Securely Accessing External and On-Premises Data Sources with Fabric Data Engineering Workloads

Managed Private Endpoints support for connecting to Private Link Services is now available in Microsoft Fabric (Public REST APIs). This has been one of the top requests from our customers and the community: the ability to securely connect Fabric Spark compute to on-premises and network-isolated data sources using the option to allowlist Fully Qualified Domain Names through a Private Link Service.

Capabilities

Bring your most critical, secured datasets into Fabric for advanced analytics—while maintaining full compliance with enterprise security standards.

  • Establish Managed Private Endpoints directly from your Fabric workspace.
  • Access on-premises or restricted data sources securely, without exposing them to the public internet.
  • Leverage the native Fabric Spark engine for high-performance, large-scale processing on that data.

Securely_Accessing_External_and_On-Premises_Data_Sources_with_Fabric_Data_EngineSecurely_Accessing_External_and_On-Premises_Data_Sources_with_Fabric_Data_Engine

How This Unblocks On-Prem Connectivity

Connecting Fabric workloads to on-premises systems hasn’t always been straightforward—Managed Private Endpoints make it simple. They provide secure, private connectivity that eliminates complexity and ensures compliance with enterprise security standards. This offers a governed bridge from Fabric Spark to your on-premises data—without additional gateways, VPNs, or exposing resources publicly.

  • Private, secure connection: Instead of relying on public internet access, Fabric uses a managed private endpoint that links your workspace to the on-premises or restricted network resource.
  • Admin approval for governance: The private endpoint request must be explicitly approved by the administrator of the target private link resource. This ensures connections are only established with full visibility and control, strengthening enterprise security and governance.
  • Domain-level mapping with FQDNs: With targetFQDNs, you can explicitly see which fully qualified domain names the Spark engine is allowed to connect to, eliminating ambiguity and reducing risk.
  • Native Spark integration: Once the private link service is connected through the managed private endpoint and its FQDNs, Spark clusters provisioned within the Fabric-managed VNet can securely access the on-premises data source for processing with the native engine.

Connecting to an Existing On-Premises Data Source (Example: SQL Server)

If you already have an on-premises SQL Server that you want Fabric Data Engineering workloads to connect to, here’s what you need to do at a high level. These steps apply not just to SQL Server, but to any supported on-premises or network-isolated data source.

  1. Identify the target resource: Get the resource ID of your Private Link Service
  2. Define the endpoint in Fabric: Use the Managed Private Endpoint APIs to create a connection from your Fabric workspace to this SQL Server.
  3. Add the FQDNs: Add the Fully Qualified Domain Names defined as part of your Private Link Service network configurations to the managed private endpoint create request
  4. Approve the connection: Your network or resource admin must approve the private endpoint request, ensuring security and compliance.
  5. Verify allowed domains (targetFQDNs): Confirm which fully qualified domain names (e.g., sqlserver1.contoso.net) are associated with this connection.
  6. Access the data with Spark: Once approved, Fabric Spark compute can securely connect to the SQL Server and start processing your data.

Public REST API Support (Preview)

This release is now available through the Fabric Public REST APIs, enabling you to:

  • Create a managed private endpoint pointing to your target resource.
  • List targetFQDNs associated with the endpoint, giving full visibility into the domains being secured.

Example: Create a Managed Private Endpoint

POST https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/managedPrivateEndpoints


{
  "name": "testprivatendpoint1",
  "targetPrivateLinkResourceId": "/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Sql/servers/testsql1",
  "targetSubresourceType": "sqlServer",
  "requestMessage": "Request message to approve private endpoint"
}

Sample response:

{
  "id": "59a92b06-6e5a-468c-b748-e28c8ff28da3",
  "name": "SqlPE",
  "targetPrivateLinkResourceId": "/subscriptions/e3bf3f1a-4d64-4e42-85e9-aa1b84e3874/resourceGroups/testRG/providers/Microsoft.SqlServer/SqlServer/sql1",
  "provisioningState": "Provisioning",
  "targetSubresourceType": "sqlServer"
}

Example: List Target FQDNs

GET https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/managedPrivateEndpoints/{managedPrivateEndpointId}/targetFQDNs

Sample response:

{
  "value": [
    "database1.cloudprovider.net",
    "database2.cloudprovider.net"
  ]
}

Learn More

To get started, check out the Microsoft Learn documentation:
Set up a private link service for Fabric managed private endpoints

For complete request/response details, limitations, and additional examples, please refer to the Managed Private Endpoints API documentation.

0