Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us at FabCon Vienna from September 15-18, 2025, for the ultimate Fabric, Power BI, SQL, and AI community-led learning event. Save €200 with code FABCOMM. Get registered

Reply
ERWeiss
Frequent Visitor

Fabric SQL Analytics Endpoint to Power BI Desktop Security Concerns

‎03-08-2025 07:58 AM

I am currently struggling with a Fabric/Power BI implementation. Our security team has concerns over the public connection from the Fabric service to power bi desktop. The organization currently closes the sql port on the network. I have not encountered this limitation in the past and am trying to figure out how to appropriately work around these security measures.

 

I am aware of the private endpoints that are available through Azure; however, what I am hoping to understand better are two things, if we create private endpoints, will that enable access through SQL endpoint even with that port blocked?

 

The second item is to understand what security measures are currently in place between Fabric SQL Endpoint with public internet and desktop Power BI? I believe from a Power BI security whitepaper:

"Data in transit

Power BI requires all incoming HTTP traffic to be encrypted using TLS 1.2 or above. Any requests attempting to use the service with TLS 1.1 or lower will be rejected"

 

We do allow connection via Direct Lake and appear from a security standpoint to be ok with that method, as a non-security individual, I am unsure of the rationale between the two.

 

I have come across the list of items to be aware of when implementing private endpoints,  and the obvious standout is transitioning on prem gateways to vnet; however, If anyone has implemented the private endpoints, is there anything else to be particularly aware of? 

Labels:
Message 1 of 5
637 Views
1 ACCEPTED SOLUTION
nilendraFabric
Community Champion
Community Champion

‎03-09-2025 05:35 AM

Hello @ERWeiss 

 

Microsoft Fabric’s private endpoints securely route SQL analytics traffic through Azure’s private network backbone, bypassing public internet exposure even with port 1433 blocked.

 

Private endpoints reroute Fabric SQL analytics traffic through Microsoft’s backbone network (not public internet), while still using TCP 1433.
• Port blocking on public networks won’t affect private-link connections since traffic never leaves Azure’s secure infrastructure.
• Requires enabling Block Public Internet Access in Fabric admin settings to enforce private routing

Enable Block Public Internet Access in Fabric admin settings to enforce private routing

 

Validate DNS resolution to private IPs using `nslookup`.
• Confirm NSGs allow outbound port 1433 within the VNet

By configuring private endpoints and internal NSGs correctly, you  can securely use Fabric SQL endpoints while complying with port-blocking policies.

 

 

View solution in original post

Message 2 of 5
614 Views
4 REPLIES 4
v-vpabbu
Community Support
Community Support

‎03-17-2025 06:05 AM

Hi @ERWeiss,

 

Thanks  @nilendraFabric  for Addressing the issue.

 

we would like to follow up to see if the solution provided by the super user resolved your issue. Please let us know if you need any further assistance.
If our super user response resolved your issue, please mark it as "Accept as solution" and click "Yes" if you found it helpful.

 

Regards,
Vinay Pabbu

Message 5 of 5
483 Views
0
nilendraFabric
Community Champion
Community Champion

‎03-09-2025 05:35 AM

Hello @ERWeiss 

 

Microsoft Fabric’s private endpoints securely route SQL analytics traffic through Azure’s private network backbone, bypassing public internet exposure even with port 1433 blocked.

 

Private endpoints reroute Fabric SQL analytics traffic through Microsoft’s backbone network (not public internet), while still using TCP 1433.
• Port blocking on public networks won’t affect private-link connections since traffic never leaves Azure’s secure infrastructure.
• Requires enabling Block Public Internet Access in Fabric admin settings to enforce private routing

Enable Block Public Internet Access in Fabric admin settings to enforce private routing

 

Validate DNS resolution to private IPs using `nslookup`.
• Confirm NSGs allow outbound port 1433 within the VNet

By configuring private endpoints and internal NSGs correctly, you  can securely use Fabric SQL endpoints while complying with port-blocking policies.

 

 

Message 2 of 5
615 Views
ERWeiss
Frequent Visitor
In response to nilendraFabric

‎03-17-2025 10:09 AM

What impacts does this process have on Power BI Functionality? I believe I saw that it prevents subscriptions?

Message 3 of 5
467 Views
0
nilendraFabric
Community Champion
Community Champion
In response to ERWeiss

‎03-17-2025 03:37 PM

You are correct.

Enabling private endpoints and blocking public internet access in Power BI introduces several limitations Such as 

 

Email subscriptions are not supported

Exporting reports to PDF, PowerPoint, or Excel is not supported

These are few examples 

 

Message 4 of 5
461 Views

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

May FBC25 Carousel

Fabric Monthly Update - May 2025

Check out the May 2025 Fabric update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All