
HARMEETGILL

Resource instance rules for OneLake in Microsoft Fabric (Preview)

As enterprises adopt OneLake as their unified data lake for analytics, securing how external services access data in OneLake becomes increasingly important—especially in environments where public internet access must be tightly controlled.

Today, we’re introducing resource instance rules for OneLake in preview. This new capability allows workspace admins to explicitly allow inbound access from trusted Azure resource instances, without relying on IP allowlists or requiring private networking in every scenario.

Resource instance rules provide a resource‑identity-based inbound access model for OneLake, designed specifically for secure service‑to‑service access from trusted Azure resource instances.

What are resource instance rules?

Resource instance rules allow a Fabric workspace admin to define an allowlist of trusted Azure resource instances, identified by their full ARM resource IDs, that are permitted to reach the workspace’s OneLake data. Access over the public endpoint is then allowed only for requests that originate from one of the approved Azure resource identities; requests from any other source over the public endpoint are blocked.

Resource Instance Rules can coexist with Private Link and IP firewall rules, allowing customers to combine identity‑based and network‑based controls based on their architecture.


Figure: Workspace settings to add trusted resource instances.

Why Resource Instance Rules for OneLake?

OneLake already integrates with Fabric’s robust security capabilities, including Private Link, IP firewall rules, and identity‑based access controls. However, customers integrating Azure services with OneLake often encounter challenges such as dynamic or unknown outbound IP addresses from managed Azure services, the operational complexity of maintaining IP‑based allowlists, and scenarios where private connectivity is not practical for every service.

Resource Instance Rules address these challenges by allowing access to OneLake to be restricted based on Azure resource identity, rather than network location.

With resource instance rules, customers can block public access to OneLake while still enabling access from explicitly trusted Azure resource instances. The rule is enforced at the network layer, before data permissions are evaluated: it decides whether a request arriving over the public endpoint is admitted at all, and the calling identity must still hold the appropriate OneLake permissions for the data it reads or writes. The result is a more precise and manageable security model for OneLake access.

How to get started with resource instance rules

A Fabric tenant admin must first enable the tenant setting Configure workspace-level IP firewall rules and trusted resource instances in the Fabric admin portal; the workspace-level controls below are not available until it is on.

As a Fabric workspace admin:

  1. Navigate to Workspace Settings in the target workspace and select Allow Connections from Selected Networks and Workspace Private Links.
  2. Select Edit under Allow Inbound trusted resources (Preview).
  3. Add one or more Azure resource instance ARM IDs as trusted resources and save.

When a request reaches OneLake over the public endpoint, OneLake validates the calling resource’s identity against the configured allowlist and allows or blocks the request accordingly. An allowlist entry trusts the resource instance as a whole: any workload that runs under that resource’s identity inherits its network-level access, so review who can deploy to or control the resources you list, and keep the list to the specific instances that actually need OneLake access.
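The portal accepts whatever ARM IDs you paste, so it is worth checking entries before saving them. The following is an added example, not code from this post or from Microsoft Fabric: it parses each ARM resource ID, rejects IDs that are broader than a single instance (a subscription, a resource group, or a resource type with no instance name), flags entries from subscriptions you do not own or of types you have not approved for OneLake access, and de-duplicates entries that differ only in case. The subscription GUIDs, resource names and approved-type list are constructed placeholders, and the only assumption about the input is the standard ARM resource ID layout.

```python
# Added example (not code from the Fabric post): sanity-check ARM resource IDs
# before pasting them into "Allow inbound trusted resources". It assumes only the
# standard ARM ID layout; the subscription set, approved types and sample entries
# are constructed for the example and are not real resources.
import re
import uuid
from dataclasses import dataclass

ARM_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<path>.+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArmResource:
    subscription_id: str
    resource_group: str
    resource_type: str  # e.g. "Microsoft.DataFactory/factories"
    name: str
    canonical_id: str   # case-normalized key used for de-duplication


def parse_arm_id(arm_id: str) -> ArmResource:
    """Parse a full ARM ID and reject anything that is not one resource instance.

    Subscription-, resource-group- or type-scope IDs would describe many resources,
    not the single trusted instance the rule is meant to allow, so they are errors.
    """
    m = ARM_ID_RE.match(arm_id.strip())
    if not m:
        raise ValueError(f"not a resource-instance ARM ID: {arm_id!r}")
    sub = m.group("sub").lower()
    try:
        uuid.UUID(sub)
    except ValueError:
        raise ValueError(f"subscription segment is not a GUID: {sub}") from None
    # After the provider namespace the path alternates <type>/<name>; an odd count
    # means it ends on a type (".../factories") rather than a named instance.
    segs = m.group("path").split("/")
    if len(segs) < 2 or len(segs) % 2 or "" in segs:
        raise ValueError(f"ARM ID does not name a single resource instance: {arm_id!r}")
    ns, types, names = m.group("ns"), segs[0::2], segs[1::2]
    # Subscription, RG, namespace and type segments are case-insensitive in ARM, so
    # normalize them; resource names are kept as written.
    canonical_path = "/".join(f"{t.lower()}/{n}" for t, n in zip(types, names))
    canonical = (f"/subscriptions/{sub}/resourceGroups/{m.group('rg').lower()}"
                 f"/providers/{ns.lower()}/{canonical_path}")
    return ArmResource(sub, m.group("rg"), f"{ns}/{'/'.join(types)}", names[-1], canonical)


def audit_allowlist(arm_ids, expected_subscriptions, approved_types):
    """Return (accepted, findings): entries safe to add, and reasons others were dropped."""
    expected = {s.lower() for s in expected_subscriptions}
    approved = {t.lower() for t in approved_types}
    accepted, findings, seen = [], [], set()
    for raw in arm_ids:
        try:
            r = parse_arm_id(raw)
        except ValueError as e:
            findings.append(f"REJECT {raw}: {e}")
            continue
        if r.subscription_id not in expected:
            findings.append(f"REJECT {raw}: subscription {r.subscription_id} is not one of ours")
        elif r.resource_type.lower() not in approved:
            findings.append(f"REJECT {raw}: type {r.resource_type} is not approved for OneLake access")
        elif r.canonical_id in seen:
            findings.append(f"DUPLICATE {raw}: same instance as an earlier entry (case differs)")
        else:
            seen.add(r.canonical_id)
            accepted.append(raw.strip())
    return accepted, findings


# Constructed sample data for the example; GUIDs and names are placeholders.
SUB = "11111111-1111-1111-1111-111111111111"
OUR_SUBSCRIPTIONS = {SUB}
APPROVED_TYPES = {"Microsoft.DataFactory/factories", "Microsoft.Synapse/workspaces"}
SAMPLE_ENTRIES = [
    f"/subscriptions/{SUB}/resourceGroups/rg-data/providers/Microsoft.DataFactory/factories/adf-prod",
    f"/subscriptions/{SUB}/resourcegroups/RG-DATA/providers/microsoft.datafactory/factories/adf-prod",
    f"/subscriptions/{SUB}/resourceGroups/rg-data/providers/Microsoft.DataFactory/factories",
    f"/subscriptions/{SUB}/resourceGroups/rg-data",
    "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-x/providers/Microsoft.Synapse/workspaces/syn-other",
    f"/subscriptions/{SUB}/resourceGroups/rg-vm/providers/Microsoft.Compute/virtualMachines/jumpbox01",
]


def audit_sample():
    """Run the audit over the constructed sample list."""
    return audit_allowlist(SAMPLE_ENTRIES, OUR_SUBSCRIPTIONS, APPROVED_TYPES)


if __name__ == "__main__":
    ok, issues = audit_sample()
    print("add:", *ok, sep="\n  ")
    print("findings:", *issues, sep="\n  ")
```

Run it over the list you intend to paste and add only the accepted entries; the findings are what a reviewer should see before the workspace setting is saved. Over the sample list only the first Data Factory entry survives: its differently-cased twin is reported as a duplicate, the type-only and resource-group-only IDs are rejected as too broad, and the foreign-subscription and unapproved-type entries are rejected outright.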

Try resource instance rules for OneLake today

Resource instance rules give you a new way to secure OneLake by trusting Azure resource identities instead of network locations, making it easier to integrate managed Azure services while keeping public access locked down. By combining resource instance rules with existing protections like Private Link and IP firewall rules, you can apply the right level of network security for each OneLake scenario.

If you’re looking to enable secure service‑to‑service access to OneLake while maintaining strong network controls, we encourage you to try resource instance rules and share your feedback.

Refer to Resource Instance rules for Inbound access to learn more.