Blog Post

Azure Data Factory Blog
2 MIN READ

Data Factory is now a 'Trusted Service' in Azure Storage and Azure Key Vault firewall

Abhishek Narain's avatar
Oct 30, 2019

 

There are various scenarios wherein you would need to access data on Azure Storage or secrets from Azure Key Vault from a Data Factory pipeline or your applications. Often there is a security requirement to prevent any unknown sources from accessing the Storage account or the Azure Key Vault service. In such circumstances, you can use the ‘Allow trusted Microsoft services...’ setting in the firewall to enable access to your data from 'Trusted Services' without requiring you to allow connections from all network. For more details on 'Trusted Services', please refer azure storage and azure key vault documentation. 

 

Data Factory is now part of ‘Trusted Services’ in Azure Key Vault and Azure Storage. Integration runtime (Azure, Self-hosted, and SSIS) can now connect to Storage/ Key Vault without having to be inside the same virtual network or requiring you to allow all inbound connections to the service. 

 

Note: Both Data Movement and Mapping Data flows are also supported as ‘Trusted Services’.  

 

Common data integration security requirements

 

  1. Use the Internet to connect to data stores/ secrets store over TLS
    • Security – secure data using all supported Auth mechanism
    • RecommendationUse Azure IR/ SSIS IR
  2. Use the Internet to connect to data stores/ secrets store over TLS only from known sources using ‘Trusted Services’ firewall exception
    • Security – secure data using MSI Auth + Service Firewall
    • RecommendationUse ‘Allow Trusted Services…’ in Storage/ Key Vault firewall + Azure IR/ Self-hosted IR/ SSIS IR



  3. Use a private network/ virtual network to connect to data stores over TLS
    • Security – secure data using Auth + compute injection/ peering with the private network
    • Recommendation Use Self-hosted IR/ SSIS IR within your Virtual Network/ Private network.

Note: We are actively working on adding the capability to add/ peer an Azure IR inside VNET. 

 

Steps to connect as ‘Trusted Service’

 

  • Connecting to Azure Storage (using Azure blob or Azure Data lake Gen2 linked service)

    1. Grant Data Factory’s Managed identity access to read data in storage’s access control. For more detailed instructions, please refer this.
    2. Create the linked service using Managed identities for Azure resources authentication
    3. Modify the firewall settings in Azure Storage account to select ‘Allow trusted Microsoft Services…’. 

Note: Only Managed Identity authentication is supported when using ‘Trusted Service’ functionality in storage to allow Azure Data Factory to access its data. 

 

  • Connecting to Azure Key Vault (using Azure Key Vault linked service) 

    1. Create linked service with managed identity authentication and grant appropriate permissions in Azure Key Vault Access Policies as mentioned in the article.
    2. Modify the firewall settings in the Azure Key Vault to select ‘Allow Trusted Microsoft Services…’

 

Next Steps

See the following related articles for more details:

 

Updated Jun 01, 2020
Version 4.0
  • Shafiul_Alam's avatar
    Shafiul_Alam
    Copper Contributor

    Hi,

     

    Thanks for post. So, this option only works to connect to Azure Blob storage. Still getting "Access denied" error while trying to connect to Azure file share.

    So, this option will not to connect to Azure file share. Please correct me if I am wrong.

  • Hi, this is a great feature in addition to the private endpoints and selected networks capabilities of Azure Storage / ADLS Gen2! Unfortunately it even does not work yet for me on ADF V2 connecting to ADLS with the option "Selected networks". We enabled "trusted services" but we still get connection errors. Our resources are in the regions West Europe and North Europe. Can you please check the DFS protocol again? Thanks.
  • Neil_Xu's avatar
    Neil_Xu
    Copper Contributor

    Try in the last two days, when firewall is enabled with "allow trusted services", test connection fails in datafactory v2. 

    Storage account and datafactory v2 are both in Australia east region. Could you please update us on this ? thanks

  • kks85's avatar
    kks85
    Copper Contributor

    Hi Abhishek Narain ,

    I was unable to connect to blob storage as well as adls2 with private end points and both has allow trusted ms services. I made a successful connection from adf to sql database(private endpoint) using self hosted ir ,however i was unable to connect to storage blob or adls. Could you please help me on this issue please. I tried authentication type account key as well as managed identity,however the connection is failing. I have a contributor role at subscription level.

     

    Thank You

     

     

  • jikuja's avatar
    jikuja
    Brass Contributor

    FYI: This is now outdated in the scope of SHIR!

     

    >> Data Factory is now part of ‘Trusted Services’ in Azure Key Vault and Azure Storage. Integration runtime (Azure, Self-hosted, and SSIS) can now connect to Storage/ Key Vault without having to be inside the same virtual network or requiring you to allow all inbound connections to the service. 

     

    Not true. At least Key vault does not consider Self-Hosted IR being trusted service anymore. Not sure about about storage account.

     

    This blog post should be updated and/or proper documentation page written. E.g. https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services links here.

     

    I just opened documentation issue for key vault trusted service: https://github.com/MicrosoftDocs/azure-docs/issues/119969

     

    Abhishek Narain Is " Data Factory is now part of ‘Trusted Services’ in Azure Key Vault and Azure Storage. Integration runtime (Azure, Self-hosted, and SSIS) can now connect to Storage/ Key Vault without having to be inside the same virtual network or requiring you to allow all inbound connections to the service. " still true for SHIR and storage account?