Private endpoints for governance solutions in Microsoft Purview
Important
This article covers private endpoints for governance solutions in the Microsoft Purview portal (https://purview.microsoft.com/). If you are using the classic governance portal (https://web.purview.azure.cn), follow the documentation for private endpoints in the classic portal.
You can use private links to secure access to the Microsoft Purview Data Catalog and Data Map, and secure data traffic between Microsoft Purview and your private networks. Azure Private links and Azure Networking private endpoints are used to route traffic across Microsoft's infrastructure, instead of using the internet. To learn more about Azure Private Link in general, see: What is Azure Private Link?
A private endpoint is a one-directional technology that lets clients initiate connections to a given service, but doesn't allow the service to initiate a connection into the customer network. For multitenant services, this model provides link identifiers to prevent access to other customers' resources hosted within the same service. When you use private endpoints, only a limited set of other PaaS resources can be accessed from services using the integration.
You can deploy an ingestion private endpoint if you need to scan Azure IaaS and PaaS data sources inside Azure virtual networks and on-premises data sources through a private connection. This method ensures network isolation for your metadata flowing from the data sources to Microsoft Purview Data Map.
You can deploy a platform private endpoint to allow only client calls to the Microsoft Purview governance portal that originate from within the private network, so clients connect to the Microsoft Purview governance portal over private network connectivity.
Important
Private endpoints ensure that your organization's user traffic and resources within Azure follow your organization's configured private link network path, and you can configure Microsoft Purview to deny all requests from outside that network path.
However, for external sources, private endpoints do not manage all network traffic. To configure traffic isolation from non-Azure infrastructure, like on-premises infrastructure, you need to configure ExpressRoute or virtual private networks, and use integration runtimes to further secure your data sources.
Prerequisites
Before deploying private endpoints for your Microsoft Purview governance resources and the Microsoft Purview portal, ensure you meet the following prerequisites:
- An Azure account with an active subscription. Create an account.
- To configure private endpoints, you need to be a Microsoft Purview admin and have permissions in Azure to create and configure resources like virtual machines (VMs) and virtual networks (VNets).
- Currently, Azure Data Factory, Azure Machine Learning, and Azure Synapse connections aren't supported with the platform private endpoint, and might not work after switching.
Deployment checklist
Following the instructions further in this guide, you can deploy these private endpoints for an existing Microsoft Purview account:
- Choose an appropriate Azure virtual network and a subnet to deploy Microsoft Purview private endpoints. Select one of the following options:
- Deploy a new virtual network in your Azure subscription.
- Locate an existing Azure virtual network and a subnet in your Azure subscription.
- Define an appropriate DNS name resolution method, so you can access Microsoft Purview account and scan data sources using a private network.
- Create a platform private endpoint.
- Enable ingestion private endpoints.
- Disable public access for Microsoft Purview.
- Enable access to Microsoft Entra ID if your private network has network security group rules set to deny for all public internet traffic.
- Deploy and register a Self-hosted integration runtime inside the same virtual network or a peered virtual network where Microsoft Purview account and ingestion private endpoints are deployed.
- After completing this guide, adjust DNS configurations if needed.
Create a virtual network
Tip
These instructions will create a basic virtual network. For more information about virtual network options and features, see the virtual network documentation.
The next step is to create a virtual network and subnet. The number of IP addresses your subnet will need is the number of capacities on your tenant plus three. For example, if you're creating a subnet for a tenant with seven capacities, you'll need 10 IP addresses.
Replace the sample parameters in the following table with your own to create a virtual network and subnet.
| Parameter | Value |
|---|---|
| <resource-group-name> | myResourceGroup |
| <virtual-network-name> | myVirtualNetwork |
| <region-name> | Central US |
| <address-space> | 10.0.0.0/16 |
| <subnet-name> | mySubnet |
| <subnet-address-range> | 10.0.0.0/24 |
Open the Azure portal.
Select Create a resource > Networking > Virtual network or search for Virtual network in the search box.
In Create virtual network, enter or select the following information in the Basics tab:
| Settings | Value |
|---|---|
| Project details | |
| Subscription | Select your Azure Subscription |
| Resource group | Select Create new, enter <resource-group-name>, then select OK, or select an existing <resource-group-name> based on parameters. |
| Instance details | |
| Name | Enter <virtual-network-name> |
Select the IP addresses tab and enter the subnet address range.
Select Review + create > Create.
Define a DNS name resolution method
Follow this article to select and deploy a DNS name resolution method that best fits your organization's needs: Configure DNS Name Resolution for private endpoints.
Create a platform private endpoint
The next step is to create the platform private endpoint for Microsoft Purview.
Open the Azure portal.
Select Create a resource > Networking > Private Link.
In Private Link Center - Overview, under the option to Build a private connection to a service, select Create private endpoint.
In the Create a private endpoint - Basics tab, enter or select the following information:
| Settings | Value |
|---|---|
| Project details | |
| Subscription | Select your Azure Subscription |
| Resource group | Select myResourceGroup. You created this in the previous section. |
| Instance details | |
| Name | Enter myPrivateEndpoint. If this name is taken, create a unique name. |
| Network Interface Name | Filled automatically by the instance name. |
| Region | Selected automatically based on your resource group. |
Once that information is complete, select Next: Resource and in the Create a private endpoint - Resource page, enter or select the following information:
| Settings | Value |
|---|---|
| Connection method | Select connect to an Azure resource in my directory |
| Subscription | Select your subscription |
| Resource type | Select Microsoft.Purview/accounts |
| Resource | Select your Microsoft Purview resource |
| Target subresource | Platform |
Once that information is properly input, select Next: Virtual Network and enter or select the following information:
| Settings | Value |
|---|---|
| Networking | |
| Virtual network | Select the virtual network you created earlier. |
| Subnet | Select the subnet you created earlier. |
| Private IP configuration | Select Dynamically allocate IP address. |
Select Next: DNS and enter the following information:
| Settings | Value |
|---|---|
| Integrate with private DNS zone | Select Yes |
| Subscription | Select your subscription where your DNS zone is configured. |
| Resource group | Select the resource group where your DNS zone is configured. |
Select Next: Tags and on the tags page you can optionally add any tags your organization is using in Azure.
Select Next: Review + create which displays the Review + create page where Azure validates your configuration. When you see the Validation passed message, select Create.
Enable ingestion private endpoint
Go to the Azure portal, search for and then select your Microsoft Purview account.
From your Microsoft Purview account, under Settings select Networking, and then select Ingestion private endpoint connections.
Under Ingestion private endpoint connections, select + New to create a new ingestion private endpoint.
Fill in the basic information, selecting your existing virtual network and subnet. Optionally, select Private DNS integration to use Azure Private DNS Zones, and select the correct Azure Private DNS zone from each list.
Note
You can also use your existing Azure Private DNS zones or create DNS records in your DNS servers manually. For more information, see Configure DNS Name Resolution for private endpoints.
Select Create to finish the setup.
Disable public access for Microsoft Purview
To cut off access to the Microsoft Purview account completely from the public internet, follow these steps. This setting applies to both private endpoint and ingestion private endpoint connections.
From the Azure portal, go to the Microsoft Purview account, and under Settings, select Networking.
Go to the Firewall tab, and ensure that the toggle is set to Disable from all networks.
Enable access to Microsoft Entra ID
Note
If your VM, VPN gateway, or virtual network peering gateway has public internet access, it can access the Microsoft Purview governance portal and the Microsoft Purview account enabled with private endpoints. For this reason, you don't have to follow the rest of the instructions. If your private network has network security group rules set to deny all public internet traffic, you'll need to add some rules to enable Microsoft Entra ID access. Follow the instructions to do so.
These instructions are provided for accessing Microsoft Purview securely from an Azure VM. Similar steps must be followed if you're using VPN or other virtual network peering gateways.
Go to your VM in the Azure portal, and under Settings, select Networking. Then select Outbound port rules > Add outbound port rule.
On the Add outbound security rule pane:
- Under Destination, select Service Tag.
- Under Destination service tag, select AzureActiveDirectory.
- Under Destination port ranges, select *.
- Under Action, select Allow.
- Under Priority, give the rule a higher priority than the rule that denies all internet traffic, so it's evaluated first.
Create the rule.
Follow the same steps to create another rule to allow the AzureResourceManager service tag. If you need to access the Azure portal, you can also add a rule for the AzurePortal service tag.
Connect to the VM and open the browser. Open the browser console by pressing Ctrl+Shift+J, and switch to the Network tab to monitor network requests. Enter web.purview.azure.cn in the URL box, and try to sign in by using your Microsoft Entra credentials. Sign-in will probably fail, and on the Network tab in the console, you can see Microsoft Entra ID trying to access aadcdn.msauth.net but getting blocked.
In this case, open a command prompt on the VM, ping aadcdn.msauth.net, get its IP, and then add an outbound port rule for the IP in the VM's network security rules. Set the Destination to IP Addresses and set Destination IP addresses to the aadcdn IP. Because of Azure Load Balancer and Azure Traffic Manager, the Microsoft Entra Content Delivery Network IP might be dynamic. After you get its IP, it's better to add it to the VM's hosts file to force the browser to visit that IP to reach the Microsoft Entra Content Delivery Network.
After the new rule is created, go back to the VM and try to sign in by using your Microsoft Entra credentials again. If sign-in succeeds, then the Microsoft Purview governance portal is ready to use. But in some cases, Microsoft Entra ID redirects to other domains to sign in based on a customer's account type. For example, for a live.com account, Microsoft Entra ID redirects to live.com to sign in, and then those requests are blocked again. For Microsoft employee accounts, Microsoft Entra ID accesses msft.sts.microsoft.com for sign-in information.
Check the network requests on the browser Network tab to see which domain's requests are getting blocked, redo the previous step to get its IP, and add outbound port rules in the network security group to allow requests for that IP. If possible, add the URL and IP to the VM's hosts file to fix the DNS resolution. If you know the exact sign-in domain's IP ranges, you can also directly add them to the networking rules.
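The following PowerShell script is an added example, not part of this article, that creates the outbound network security group rules described in the steps above with the Az PowerShell module, run in an elevated session on myVM. It assumes the resource group myResourceGroup from the earlier table, an NSG named myVM-nsg attached to the VM, and an existing deny-all-internet rule at priority 4000; adjust these to your environment.

```powershell
# Added example (not from the article): outbound NSG rules for Microsoft Entra sign-in.
$rg              = 'myResourceGroup'   # resource group from the article's parameter table
$nsgName         = 'myVM-nsg'          # assumption: the NSG attached to myVM's network interface
$denyAllPriority = 4000                # assumption: priority of your existing deny-all-internet rule

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Allow rules keyed by service tag. NSG rules are evaluated from the lowest priority number
# upward, so these must use a lower number than the deny-all rule or they never match.
$allowRules = @(
    @{ Name = 'Allow-EntraID-Out';         Tag = 'AzureActiveDirectory'; Priority = 100 },
    @{ Name = 'Allow-ResourceManager-Out'; Tag = 'AzureResourceManager'; Priority = 110 },
    @{ Name = 'Allow-AzurePortal-Out';     Tag = 'AzurePortal';          Priority = 120 }  # only if the portal is needed
)

foreach ($r in $allowRules) {
    if ($r.Priority -ge $denyAllPriority) {
        throw "Rule $($r.Name): priority $($r.Priority) sits below the deny-all rule and would never match."
    }
    $nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name $r.Name `
        -Description "Allow outbound to the $($r.Tag) service tag for Purview sign-in" `
        -Direction Outbound -Access Allow -Protocol '*' -Priority $r.Priority `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $r.Tag -DestinationPortRange '*'
}

# The Entra CDN host is not covered by the service tag and its address can change, so resolve
# it now, allow the current address, and pin it in the VM's hosts file as the article describes.
$cdnHost = 'aadcdn.msauth.net'
$cdnIp = (Resolve-DnsName -Name $cdnHost -Type A | Where-Object { $_.QueryType -eq 'A' } |
          Select-Object -First 1).IPAddress
if (-not $cdnIp) { throw "Could not resolve $cdnHost; check the VM's DNS settings." }

$nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-EntraCDN-Out' `
    -Description "Allow outbound to $cdnHost (resolved $cdnIp on $(Get-Date -Format s))" `
    -Direction Outbound -Access Allow -Protocol '*' -Priority 130 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix "$cdnIp/32" -DestinationPortRange '*'

# Commit all new rules to the NSG in a single update.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Pin the resolved CDN address so the browser keeps using the IP the rule allows.
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Value "$cdnIp`t$cdnHost"
```

Re-run the resolution step when sign-in starts failing again, because the CDN address and any extra sign-in domains found on the browser's Network tab can change over time.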
Now your Microsoft Entra sign-in should be successful. The Microsoft Purview governance portal will load successfully, but listing all the Microsoft Purview accounts won't work because it can only access a specific Microsoft Purview account. Enter web.purview.azure.cn/resource/{PurviewAccountName} to directly visit the Microsoft Purview account that you successfully set up a private endpoint for.
Deploy self-hosted integration runtime (IR) and scan your data sources
Once you deploy ingestion private endpoints for your Microsoft Purview account, you need to set up and register at least one self-hosted integration runtime (IR):
All on-premises source types, like SAP and others, are currently supported only via self-hosted IR-based scans. The self-hosted IR must run within your private network, which is then peered with your virtual network in Azure.
For all Azure source types like Azure Blob Storage and Azure SQL Database, you must explicitly choose to run the scan by using a self-hosted integration runtime that is deployed in the same virtual network or a peered virtual network where Microsoft Purview account and ingestion private endpoints are deployed.
Follow the steps in Create and manage a self-hosted integration runtime to set up a self-hosted IR. Then set up your scan on the Azure source by choosing that self-hosted IR in the Connect via integration runtime dropdown list to ensure network isolation.
Important
Make sure you download and install the latest version of the self-hosted integration runtime from the Microsoft Download Center.
Test your private connection
To test your new private endpoints, you can create a virtual machine within your private virtual network and access your platform private endpoint to ensure it's working.
- Create a virtual machine (VM).
- Connect to a VM using Remote Desktop (RDP).
- Access Microsoft Purview privately from the virtual machine.
Create a virtual machine (VM)
The next step is to create a VM.
On the upper-left side of the screen in your Azure portal, select Create a resource > Compute > Virtual Machine.
In the Basics tab, enter or select the following information:
| Settings | Value |
|---|---|
| Project details | |
| Subscription | Select your Azure Subscription |
| Resource group | Select myResourceGroup, which you created in the previous section |
| Instance details | |
| VM name | Enter myVM |
| Region | Select China North 3 |
| Availability options | Leave the default No infrastructure redundancy required |
| Image | Select Windows 10 Pro |
| Size | Leave the default Standard DS1 v2 |
| Administrator account | |
| Username | Enter a username of your choosing |
| Password | Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements |
| Confirm password | Reenter password |
| Inbound port rules | |
| Public inbound ports | Leave the default None |
| Licensing | |
| I have an eligible Windows 10/11 license | Check the box |
Select Next: Disks.
In the Disks tab, leave the defaults and select Next: Networking.
In the Networking tab, select the following information:
| Settings | Value |
|---|---|
| Virtual network | Leave the default MyVirtualNetwork |
| Address space | Leave the default 10.0.0.0/24 |
| Subnet | Leave the default mySubnet (10.0.0.0/24) |
| Public IP | Leave the default (new) myVM-ip |
| Public inbound ports | Select Allow selected |
| Select inbound ports | Select RDP |
Select Review + create. You're taken to the Review + create page where Azure validates your configuration.
When you see the Validation passed message, select Create.
Connect to a VM using Remote Desktop (RDP)
After you create your VM, called myVM, connect to it from the internet using the following steps:
In the portal's search bar, enter myVM.
Select the Connect button, and choose RDP from the dropdown menu.
Enter an IP address, then select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.
Open the .rdp file to start Remote Desktop Connection, then select Connect.
Enter the username and password you specified when creating the VM in the previous step.
Select OK.
You might receive a certificate warning during the sign-in process. If you receive a certificate warning, select Yes or Continue.
Access Microsoft Purview privately from the VM
The next step is to access Microsoft Purview privately, from the virtual machine you created in the previous step, using the following steps:
In the Remote Desktop of myVM, open PowerShell.
Enter nslookup <tenant-object-id>-api.purview-service.microsoft.com. You receive a response similar to the following message:
```text
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    <tenantid>-api.purview-service.microsoft.com
Address:  10.5.0.4
```
Open the browser and go to https://purview.microsoft.com to access Microsoft Purview privately.
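The following PowerShell functions are an added example, not part of this article, that turn the nslookup check above into a repeatable test: they resolve the Purview API host name from the VM and verify that every returned address lies inside your virtual network's address space rather than on the public internet. The tenant object id is a placeholder you supply, and the default address space is the article's sample 10.0.0.0/16; the Resolve-DnsName cmdlet is the standard Windows DnsClient module.

```powershell
# Added example (not from the article): confirm the private endpoint is what DNS returns.
function Test-IPv4InCidr {
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$Cidr)
    $network, $prefixLength = $Cidr.Split('/')
    # Convert a dotted quad to a 32-bit integer; reverse the bytes for the little-endian converter.
    $toInt = { param($addr) [long][BitConverter]::ToUInt32(([IPAddress]$addr).GetAddressBytes()[3..0], 0) }
    $mask  = ([long]0xFFFFFFFF -shl (32 - [int]$prefixLength)) -band 0xFFFFFFFF
    return (((& $toInt $IPAddress) -band $mask) -eq ((& $toInt $network) -band $mask))
}

function Test-PurviewPrivateResolution {
    param(
        [Parameter(Mandatory)][string]$TenantObjectId,   # placeholder: your Entra tenant object id
        [string]$AddressSpace = '10.0.0.0/16'            # the article's sample VNet address space
    )
    $hostName = "$TenantObjectId-api.purview-service.microsoft.com"
    $answers  = Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop |
                Where-Object { $_.QueryType -eq 'A' }
    if (-not $answers) { throw "$hostName returned no A record; check the private DNS zone link." }

    foreach ($a in $answers) {
        $inVnet = Test-IPv4InCidr -IPAddress $a.IPAddress -Cidr $AddressSpace
        # A public address means DNS is bypassing the private endpoint. With public access
        # disabled on the account, such a request is blocked by the service.
        $verdict = if ($inVnet) { 'private link in use' } else { 'resolves publicly: fix DNS resolution' }
        [pscustomobject]@{
            HostName         = $hostName
            Address          = $a.IPAddress
            InVirtualNetwork = $inVnet
            Verdict          = $verdict
        }
    }
}

# Usage on myVM (replace the placeholder with your tenant object id):
# Test-PurviewPrivateResolution -TenantObjectId '<tenant-object-id>' | Format-Table
```

Run the same check for the governance portal host name you use, since a private answer for one name and a public answer for another indicates a missing private DNS zone record.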
Completion of private endpoint configuration
Once you've followed the steps in the previous sections and the private link is successfully configured, your organization implements private links based on the following configuration selections, whether the selection is set upon initial configuration or later changed.
If Azure Private Link is properly configured and Block public Internet access is enabled:
- Microsoft Purview is only accessible for your organization from private endpoints, and isn't accessible from the public Internet.
- Traffic from the virtual network targeting endpoints and scenarios that support private links is transported through the private link.
- Traffic from the virtual network targeting endpoints and scenarios that don't support private links will be blocked by the service, and won't work.
- There could be scenarios that don't support private links, which therefore will be blocked at the service when Block public Internet access is enabled.
If Azure Private Link is properly configured and Block public Internet access is disabled:
- Traffic from the public Internet will be allowed by Microsoft Purview services.
- Traffic from the virtual network targeting endpoints and scenarios that support private links is transported through the private link.
- Traffic from the virtual network targeting endpoints and scenarios that don't support private links is transported through the public Internet, and will be allowed by Microsoft Purview services.
- If the virtual network is configured to block public Internet access, scenarios that don't support private links will be blocked by the virtual network, and won't work.