Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Don't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.

Reply
PalakVora
Microsoft Employee
Microsoft Employee

Alternative to Fabric Private Link

Wednesday

Scenario: We have "publish to web" feature enabled in Power BI within Fabric Tenant that doesnt support azure private. The next option is CAP. But if, we are connecting SHIR(ADF) and Azure Integration runtime to Fabric for data ingestion and it seems we cannot have conditional access policy and have control over both these connections.

 

Question 1: Is that correct? If we cant use CAP, what other measures we have, if we need to use public endpoint in Fabric to secure the connection.

Question 2: Can we have different workspaces? One workspace will communicate with ingestion zone using private link and we share the data with other workspace, from which Power BI pulls data and publishes to web.

 

Any help, support or advice is appreciated.

Labels:
Message 1 of 3
105 Views
0
2 REPLIES 2
v-kpoloju-msft
Community Support
Community Support

Wednesday

Hi @PalakVora,

Thank you for reaching out to the Microsoft Fabric Community Forum.

 

Thank you for raising your concern. We really apologize for the inconvenience caused. After reviewing the details you provided, please follow the steps below, which might resolve the issue.

 

Solution-1:

Yes, that is correct. When using SHIR Self-hosted Integration Runtime and azure integration runtime for data ingestion into Fabric, it is not possible to enforce conditional access policies directly on these connections. This occurs because these runtimes operate outside the Azure AD conditional access policy framework.

 

If you need to use a public endpoint in Fabric, here are some measures to secure the connection:

  • Apply NSG to restrict inbound and outbound traffic to specific ip ranges. Configure private endpoints to securely access Fabric services from within your virtual network. This setup ensures that traffic between your network and Fabric services remains private.
  • Enable service endpoints to secure traffic between your virtual network and fabric services. Configure firewall rules to allow only specific ip addresses to access fabric services. Implement additional security layers like WAF web application firewall and DDoS protection.

 

Solution-2:
Yes, you can set up different workspaces to achieve this. Here is a detailed solution:

  • Workspace 1 (Ingestion Zone): Configure a private link to securely connect this workspace to the ingestion zone. Utilize SHIR or Azure Integration runtime for data ingestion into this workspace. Ensure that access to this workspace is restricted and only available through the private link.
  • Workspace 2 (Data Sharing and Power BI): Share the ingested data from workspace 1 to Workspace 2 using Fabric's data sharing capabilities. Configure workspace 2 to pull data from Workspace 1. Enable the publish to web feature in power bi within workspace 2 to allow public access to the reports.

By setting up these workspaces, you can ensure a secure ingestion process while still allowing public access to the power bi reports.

 

Also, please go through the following links for better understanding:

About private Links for secure access to Fabric - Microsoft Fabric | Microsoft Learn

Set up and use private links for secure access to Fabric - Microsoft Fabric | Microsoft Learn

If this post helps, then please give us Kudos and consider Accept it as a solution to help the other members find it more quickly.

Best Regards.

Message 2 of 3
70 Views
PalakVora
Microsoft Employee
Microsoft Employee
In response to v-kpoloju-msft

Wednesday

Hi @v-kpoloju-msft , thank you for your response. Is there any document that could help me with NSG in Fabric? Upon my research I had concluded that Fabric doesn't support NSG as it wasn't highlighted in Fabric Network security document. Furthermore, it did not list IP whitelisting as well to control the inbound traffic. Only allow.list which works on the service using Fabric and not Fabric itself. 

 

Note; The documents shared are private link documents which I cannot implement due to restrictions with "publish to web" feature in powerbi.

 

Looking forward to your response.

Thank you.

Message 3 of 3
66 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Prices go up Feb. 11th.

JanFabricDE_carousel

Fabric Monthly Update - January 2025

Explore the power of Python Notebooks in Fabric!

JanFabricDW_carousel

Fabric Monthly Update - January 2025

Unlock the latest Fabric Data Warehouse upgrades!

View All