ERWeiss
Frequent Visitor

Fabric SQL Analytics Endpoint to Power BI Desktop Security Concerns

I am currently struggling with a Fabric/Power BI implementation. Our security team has concerns over the public connection from the Fabric service to Power BI Desktop. The organization currently closes the SQL port on the network. I have not encountered this limitation in the past and am trying to figure out how to appropriately work around these security measures.

I am aware of the private endpoints that are available through Azure; however, what I am hoping to understand better are two things. If we create private endpoints, will that enable access through the SQL endpoint even with that port blocked?

The second item is to understand what security measures are currently in place between Fabric SQL Endpoint with public internet and desktop Power BI? I believe from a Power BI security whitepaper:

"Data in transit

Power BI requires all incoming HTTP traffic to be encrypted using TLS 1.2 or above. Any requests attempting to use the service with TLS 1.1 or lower will be rejected"

We do allow connection via Direct Lake and appear, from a security standpoint, to be OK with that method. As a non-security individual, I am unsure of the rationale between the two.

I have come across the list of items to be aware of when implementing private endpoints, and the obvious standout is transitioning on-prem gateways to VNet. However, if anyone has implemented the private endpoints, is there anything else to be particularly aware of?

1 ACCEPTED SOLUTION
nilendraFabric
Community Champion

Hello @ERWeiss

Microsoft Fabric’s private endpoints securely route SQL analytics traffic through Azure’s private network backbone, bypassing public internet exposure even with port 1433 blocked.

Private endpoints reroute Fabric SQL analytics traffic through Microsoft’s backbone network (not public internet), while still using TCP 1433.
• Port blocking on public networks won’t affect private-link connections since traffic never leaves Azure’s secure infrastructure.
• Requires enabling Block Public Internet Access in Fabric admin settings to enforce private routing.

Enable Block Public Internet Access in Fabric admin settings to enforce private routing.

• Validate DNS resolution to private IPs using `nslookup`.
• Confirm NSGs allow outbound port 1433 within the VNet.

By configuring private endpoints and internal NSGs correctly, you can securely use Fabric SQL endpoints while complying with port-blocking policies.
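
One way to script the two validation steps listed in the answer above (DNS resolves to private IPs, TCP 1433 is reachable), as an added example that is not part of the original thread. It assumes the private endpoint's VNet uses RFC 1918 address space; the function names are illustrative and the endpoint hostname is supplied on the command line.

```python
"""Check that a SQL endpoint hostname resolves privately and answers on TCP 1433."""
import ipaddress
import socket
import sys

# Assumption: the VNet holding the private endpoint uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addresses):
    """Split resolved addresses into (private, public) lists."""
    private, public = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # An IPv6 address is never "in" an IPv4 network, so it lands in public.
        (private if any(ip in net for net in RFC1918) else public).append(addr)
    return private, public


def verdict(addresses):
    """'private' only when every answer is private; 'mixed' flags split DNS."""
    private, public = classify(addresses)
    if not addresses:
        return "unresolved"
    if private and public:
        return "mixed"
    return "private" if private else "public"


def resolve(host, port=1433):
    """Resolve through the OS resolver, the path a client connection takes."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tcp_reachable(ip, port=1433, timeout=3.0):
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check(host, resolver=resolve, probe=tcp_reachable):
    """Resolve host, classify the answers, and probe each address on 1433."""
    try:
        addrs = resolver(host)
    except socket.gaierror:
        addrs = []
    return {"host": host, "routing": verdict(addrs),
            "tcp_1433": {a: probe(a) for a in addrs}}


if __name__ == "__main__":
    for name in sys.argv[1:]:  # pass the endpoint hostname(s) on the command line
        print(check(name))
```

A `routing` value of `public` or `mixed` from a machine inside the VNet means the private DNS zone is not being used for that name, so traffic would still head for the public address.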

4 REPLIES 4
v-vpabbu
Community Support

Hi @ERWeiss,

Thanks @nilendraFabric for addressing the issue.

We would like to follow up to see if the solution provided by the super user resolved your issue. Please let us know if you need any further assistance.
If our super user response resolved your issue, please mark it as "Accept as solution" and click "Yes" if you found it helpful.

Regards,
Vinay Pabbu

What impacts does this process have on Power BI functionality? I believe I saw that it prevents subscriptions?

You are correct.

Enabling private endpoints and blocking public internet access in Power BI introduces several limitations, such as:

• Email subscriptions are not supported
• Exporting reports to PDF, PowerPoint, or Excel is not supported

These are a few examples.
