Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

jensheerin
Microsoft Employee
‎05-23-2025 09:00 AM

Setting Up Microsoft Fabric Notebook Connection to Azure PostgreSQL via Managed Private Endpoint

Introduction

 

In today's digital landscape, securing connections between services is more important than ever. This article will guide you through the process of connecting Microsoft Fabric Notebook to an Azure Database for PostgreSQL using Managed Private Endpoints (MPE). By following these steps, you can ensure that all outbound traffic remains on the private network, enhancing security. Whether you're an admin with Fabric workspace access or have sufficient rights in Azure, this comprehensive guide will provide you with the necessary prerequisites and step-by-step instructions to achieve a secure connection. Dive in to learn how to set up, approve, and validate your private endpoint, ensuring your Fabric environment can securely communicate with the Azure PostgreSQL database without exposing it to the public internet.

 

Scenario

 

Connect a Microsoft Fabric Notebook to an Azure Database for PostgreSQL securely using a Managed Private Endpoint (MPE). This ensures outbound traffic stays on the private network.

 

Prerequisites

 

Before you begin, ensure you have the following:

  1. Microsoft Fabric Workspace Admin Access: You need admin permissions on the Fabric workspace (only workspace admins can create managed private endpoints).
  2. Azure Subscription Access: Ensure you have sufficient rights in Azure (Owner/Contributor on the subscription containing the PostgreSQL server) to register resource providers and approve private endpoint connections.
  3. Azure Resource Provider Registered: The Microsoft.Network resource provider must be registered in your Azure subscription.
  4. Azure Virtual Network: An Azure Virtual Network must exist in the subscription. If not, create a new virtual network.
  5. Azure PostgreSQL Server:An Azure Database for PostgreSQL that you want to connect to.

 

Step-by-Step Guide

 

Register the Microsoft.Network provider (if not done): In the Azure Portal, go to your Subscription settings. Under Resource Providers, find Microsoft.Network and click Register. (This only needs to be done once per subscription; it will take a few minutes).

Picture2.png

 

Copy Resource ID: Open your Azure PostgreSQL server’s Properties page in the portal and copy the full Resource ID. The Resource ID looks like:

/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.DBforPostgreSQL/flexibleServers/{server-name}

.

Create a Managed Private Endpoint in Fabric:

  • Sign in to the Microsoft Fabric portal and navigate to your workspace (the one where you want the connection).
  • Go to Workspace Settings > Network security > Managed Private Endpoints > Create.

network-security-tab.png

 

  • Provide a name for the endpoint (friendly name for your reference)
  • Paste the Resource ID of your Azure PostgreSQL server into the dialog. (Note: using a fully qualified domain name instead of the Resource ID is not supported.)
  • Verify that the new endpoint appears in the workspace’s Managed Private Endpoints list with an initial status Pending or Provisioning. The Fabric service will now initiate the private link setup.

Picture4.png

 

Approve the Private Endpoint in Azure:

  • In the Azure portal, open your PostgreSQL server and go to Networking.
  • You should see a Pending private endpoint connection request (sent from the Fabric workspace). Select this pending connection.
  • Click on Approve to approve the private endpoint connection. You may add a description (justification) if prompted, then confirm approval. For more details refer to Approve private endpoint connections in Azure PostgreSQL

Picture4.png

 

  • Wait for the status to change to Approved.

Confirm the Endpoint is Active in Fabric: Return to the Fabric workspace settings and refresh the Managed Private Endpoints section. The status for your endpoint should update to Approved/Succeeded once the Azure side is approved. This means the private link is established. The Fabric environment can now privately access the PostgreSQL server.

 

Connect to the PostgreSQL Database from Fabric Notebook:

With the managed private endpoint in place, you can connect to the database from Fabric experiences (e.g. Spark notebooks or Dataflows) securely:

  • When configuring a connection in a Fabric Notebook use the server name of your PostgreSQL 
    <server-name>.postgres.database.azure.com
    and its database name, along with the required credentials (username/password). Use the standard PostgreSQL JDBC connection string or connector settings, but no special VPN is needed – the traffic will route through the private endpoint.
  • For example, in a Fabric Spark notebook you might build a JDBC URL such as
    jdbc:postgresql://<server-name>.postgres.database.azure.com:5432/<database>
    and provide your user credentials. Fabric will utilize the managed private endpoint to reach the server securely.
  • Tip: Ensure the credentials you use have proper permissions on the database, and that your PostgreSQL server’s firewall or network settings do not block the Fabric IP (this is handled by Private Link if set up correctly).
serverName = "<server_name>.database.windows.net"
database = "<database_name>"
dbPort = 5432
dbUserName = "<username>"
dbPassword = "<db password> or reference based on Keyvault>”

from pyspark.sql import SparkSession

spark = SparkSession.builder \
    .appName("ExamplePostgres") \
    .config("spark.jars.packages", "org.postgresql:postgresql:42.2.18") \
    .getOrCreate()

# Construct JDBC URL for PostgreSQL
jdbcURL = f"jdbc:postgresql://{serverName}:{dbPort}/{database}"

# Connection properties
connection = {
    "user": dbUserName,
    "password": dbPassword,
    "driver": "org.postgresql.Driver"
}

# Read data from PostgreSQL table
df = spark.read.jdbc(url=jdbcURL, table="person.Contact", properties=connection)

df.show()
display(df)

# Write the dataframe as a delta table in your lakehouse
df.write.mode("overwrite").format("delta").saveAsTable("Contact")

Finally, run a small query or operation from Fabric to the database (for instance, list tables or fetch a few rows) to confirm that the connection is working. The data transfer should be successful privately. If there are issues, double-check that the private endpoint shows as Connected/Approved on both sides and that no firewall or DNS issues exist.

 

Conclusion

 

By following this step-by-step guide, you can securely connect Microsoft Fabric Notebook to an Azure Database for PostgreSQL using Managed Private Endpoints. This setup ensures that all outbound traffic remains on the private network, providing enhanced security and performance. Each step is based on Microsoft’s official guidelines for Managed Private Endpoints in Microsoft Fabric and Azure PostgreSQL documentation. Following this checklist will ensure your Fabric environment can securely communicate with the Azure PostgreSQL database over a private link without exposing the database to the public internet.

 

Note: Fabric inbound traffic protection needs consideration as there are some restrictions that may not be intended. Review About private Links for secure access to Fabric - Microsoft Fabric | Microsoft Learn to understand the configuration and the experiences. If you choose to use the private link follow Set up and use private links for secure access to Fabric - Microsoft Fabric | Microsoft Learn

 

Contributors

Taisha Ferguson Sr Cloud Solution Architect @taferguson 

Jen Sheerin Sr Cloud Solution Architect @jensheerin 

Labels: