Use private endpoints for your Microsoft Purview account

Important

This article covers private endpoints for the classic Microsoft Purview governance portal (https://web.purview.azure.cn). If you're using the new Microsoft Purview portal (https://purview.microsoft.com/), follow the documentation for private endpoints in the Microsoft Purview portal.

Conceptual Overview

You can use Azure private endpoints for your Microsoft Purview accounts to allow users on a virtual network (VNet) to securely access the catalog over a Private Link. A private endpoint uses an IP address from the VNet address space for your Microsoft Purview account. Network traffic between the clients on the VNet and the Microsoft Purview account traverses over the VNet and a private link on the Microsoft backbone network.

If you're still using the classic portal experience, you can deploy Microsoft Purview account private endpoint, to allow only client calls to Microsoft Purview that originate from within the private network. To connect to the Microsoft Purview governance portal using a private network connectivity, you can deploy portal private endpoint.

For both the new and classic experience, you can deploy ingestion private endpoints if you need to scan Azure IaaS and PaaS data sources inside Azure virtual networks and on-premises data sources through a private connection. This method ensures network isolation for your metadata flowing from the data sources to Microsoft Purview Data Map.

Screenshot that shows Microsoft Purview with Private Endpoints.

Prerequisites

Before deploying private endpoints for Microsoft Purview account, ensure you meet the following prerequisites:

  1. An Azure account with an active subscription. Create an account for trial.
  2. An existing Azure Virtual network. Deploy a new Azure virtual network if you don't have one.

Microsoft Purview private endpoint deployment scenarios

Use the following recommended checklist to perform deployment of Microsoft Purview account with private endpoints:

Scenario Objectives
Scenario 1 - Connect to your Microsoft Purview and scan data sources privately and securely You need to restrict access to your Microsoft Purview account only via a private endpoint, including access to the Microsoft Purview governance portal, Atlas APIs and scan data sources in on-premises and Azure (but inside a virtual network) using self-hosted integration runtime ensuring end to end network isolation. (Deploy account, _portal, and ingestion private endpoints.)
Scenario 2 - Connect privately and securely to your Microsoft Purview account You need to enable access to your Microsoft Purview account, including access to the Microsoft Purview governance portal and Atlas API through private endpoints. (Deploy account and portal private endpoints).
Scenario 3 - Using the new Microsoft Purview portal If you're using the new portal experience, you can set up ingestion and platform private endpoints.

Frequently Asked Questions

For FAQs related to private endpoint deployments in Microsoft Purview, see FAQ about Microsoft Purview private endpoints.

Troubleshooting guide

For troubleshooting private endpoint configuration for Microsoft Purview accounts, see Troubleshooting private endpoint configuration for Microsoft Purview accounts.

Known limitations

To view list of current limitations related to Microsoft Purview private endpoints, see Microsoft Purview private endpoints known limitations.

Next steps