munterweger
Mar 23, 2026

Sentinel datalake: private link/private endpoint

Has anyone already configured Sentinel Datalake with a private link/private endpoint setup? I can't find any instructions for this specific case.

Can I use the wizard in the Defender XDR portal, or does it require specific configuration steps?

Or does it require configuring a private link/private endpoint setup on the Datalake component after activation via the wizard?

2 Replies

  • Hi munterweger,

    You can run Sentinel in a private-only network posture for data ingestion, which can use a private endpoint for the Log Analytics Workspace or Data Collection Endpoints (DCE).

    However, Sentinel Data Lake itself is fully managed, which means you cannot create a Private Endpoint directly to the Sentinel Data Lake. There is no Private Link configuration step in the Data Lake onboarding wizard or any such guide.

    Data access happens between services; thus data can be accessed either in the Microsoft Defender XDR or Sentinel portal. You can integrate with the Datalake workspace in Sentinel XDR.

    Regards, Prash

    If you find the answer useful, please do not forget to like and mark it as a solution

  • Hey munterweger,

    Short answer: there's no documented private endpoint configuration path specific to the Sentinel data lake, and you're not missing something obvious.

    What the data lake actually is under the hood

    The Sentinel data lake is fully managed. You don't deploy or maintain the data infrastructure yourself. Microsoft owns the underlying storage layer. That's the core issue with private endpoint questions: you can't attach a private endpoint to something you don't provision in your own subscription.

    What you can control for network isolation

    The private link story for Sentinel still lives at the Log Analytics workspace and Azure Monitor layer, not the data lake tier directly. Private link in Azure Monitor is a network restriction mechanism that forces traffic to flow only through private connections from a VNet to an Azure Monitor resource. On the workspace level, there's an on/off setting to control whether to accept data ingestion not originating from a private link scope, and a separate setting to control whether to accept log queries not originating from private link scope. 

    So if your requirement is private ingestion, you configure AMPLS (Azure Monitor Private Link Scope) on your Log Analytics workspace and DCEs. Data flowing into the analytics tier stays on-network. The data lake tier mirrors that data automatically.

    The gap you're hitting

    The Sentinel data lake supports RBAC, encryption-at-rest, and network isolation, but Microsoft's docs don't specify what "network isolation" means at the data lake tier specifically, and there's no wizard step or post-activation configuration in the Defender portal for private endpoints on the lake component itself. That documentation doesn't exist yet, and no community practitioner has published a working configuration for it.

    Practical path forward

    1. Open a Microsoft support ticket and ask explicitly whether the data lake tier supports private endpoint attachment, and if not, what the roadmap looks like.
    2. If your requirement is private ingestion from on-prem or a VNet, configure AMPLS + DCE on your Log Analytics workspace. That covers the analytics tier, and the data lake mirrors from there.
    3. If you need network isolation for querying the data lake tier specifically, that's the open question. Flag it to your Microsoft account team.

    This is worth posting back here once you get a definitive answer from Microsoft. Several people are hitting the same wall.

    Please mark as solution if you find this helpful. It helps others in the community find the solution quickly.
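The AMPLS and workspace lockdown that the second reply describes (steps 2 and 3 of its "Practical path forward"), as an added example that is not part of the thread and not Microsoft's or the community's published configuration. It uses the Azure CLI; the resource group, workspace, scope, VNet and subnet names are hypothetical placeholders, and the `az monitor` flag names are assumed to match the current CLI, so confirm them with `az <command> --help` before applying. The check at the end reads the two workspace switches (ingestion and query access from outside a private link scope) and passes only when both are Disabled, which is the state a private-only posture for the analytics tier requires; as the reply says, nothing here touches the data lake tier itself.

```shell
#!/bin/sh
# Added example, not from the thread: lock a Log Analytics workspace (Sentinel's
# analytics tier) to private-link-only ingestion and query via AMPLS, then verify.
# All resource names are hypothetical placeholders.
set -eu

AZ="${AZ:-az}"                       # set AZ=echo to print commands instead of running them
RG="${RG:-rg-sentinel}"              # hypothetical resource group
WORKSPACE="${WORKSPACE:-law-sentinel}"
AMPLS="${AMPLS:-ampls-sentinel}"
VNET="${VNET:-vnet-hub}"
SUBNET="${SUBNET:-snet-privatelink}"

# Step 1: AMPLS with both access modes PrivateOnly, so resources in the scope
# refuse ingestion and queries that do not arrive over the private link.
create_private_link_scope() {
  $AZ monitor private-link-scope create \
    --name "$AMPLS" --resource-group "$RG" \
    --ingestion-access-mode PrivateOnly --query-access-mode PrivateOnly
}

# Step 2: put the Log Analytics workspace in scope.
add_workspace_to_scope() {
  ws_id=$($AZ monitor log-analytics workspace show \
    --resource-group "$RG" --workspace-name "$WORKSPACE" --query id -o tsv)
  $AZ monitor private-link-scope scoped-resource create \
    --resource-group "$RG" --scope-name "$AMPLS" \
    --name "${WORKSPACE}-link" --linked-resource "$ws_id"
}

# Step 3: the per-workspace switches the reply mentions: reject ingestion and
# queries that do not originate from a private link scope.
lock_workspace_public_access() {
  $AZ monitor log-analytics workspace update \
    --resource-group "$RG" --workspace-name "$WORKSPACE" \
    --ingestion-access Disabled --query-access Disabled
}

# Step 4: the private endpoint in the VNet that fronts the scope
# (the AMPLS group id is "azuremonitor").
create_private_endpoint() {
  ampls_id=$($AZ monitor private-link-scope show \
    --resource-group "$RG" --name "$AMPLS" --query id -o tsv)
  $AZ network private-endpoint create \
    --resource-group "$RG" --name "pe-${AMPLS}" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$ampls_id" \
    --group-id azuremonitor --connection-name "${AMPLS}-conn"
}

# Check: given the workspace's publicNetworkAccessForIngestion and
# publicNetworkAccessForQuery values, succeed only when both are Disabled.
assess_workspace_access() {
  ingestion="$1"; query="$2"
  [ "$ingestion" = "Disabled" ] && [ "$query" = "Disabled" ]
}

# Read the two values from the live workspace and assess them.
verify_workspace_locked() {
  vals=$($AZ monitor log-analytics workspace show \
    --resource-group "$RG" --workspace-name "$WORKSPACE" \
    --query "[publicNetworkAccessForIngestion,publicNetworkAccessForQuery]" -o tsv)
  # tsv output of a multiselect list is two whitespace-separated tokens
  set -- $vals
  assess_workspace_access "$1" "$2"
}

# Run the procedure only when invoked with "apply", so sourcing the file for
# its functions (or running it as a dry run with AZ=echo) has no side effects.
if [ "${1:-}" = "apply" ]; then
  create_private_link_scope
  add_workspace_to_scope
  lock_workspace_public_access
  create_private_endpoint
  verify_workspace_locked && echo "workspace $WORKSPACE accepts private-link traffic only"
fi
```

Run `AZ=echo sh lockdown.sh apply` first to see the exact commands that would be issued, then `sh lockdown.sh apply` with a signed-in `az` session. Remember that the ingestion and query switches take effect immediately for any client not reaching the workspace through the private endpoint, so confirm DNS resolution of the `privatelink` zones from the VNet before flipping them.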