Securing outbound traffic with Azure Data Factory's outbound network rules
Published Jun 12 2023 12:00 PM
Microsoft

Data security is paramount in today's digital world. With an increasing number of cyber threats, organizations are always on the lookout for robust solutions to enhance their security posture. In this blog, we delve into a critical feature provided by Azure Data Factory – Outbound Rules – that allows users to control and restrict outbound traffic to specific Fully Qualified Domain Names (FQDN).

 

Understanding Outbound Allowlisting in Azure Data Factory

Outbound allowlisting of FQDNs is a network security practice that allows organizations to control outbound traffic from their networks to specific, approved domain names. Outbound rules in Azure Data Factory apply to pipeline activities, such as Copy, Dataflows, Web, Webhook, and Azure Function activities, and to authoring scenarios like data preview and test connection.

 

Note:

  • This feature is in Preview.
  • SSIS Integration runtime and Managed Airflow Integration runtime currently do not support the outbound rules.
  • This feature is independent of Managed VNet and applies to all supported activities running on SHIR, Azure IR (including AutoResolve IR), and Azure IR in Managed VNet. However, we suggest using Managed VNet for higher levels of compute isolation in conjunction with outbound allowlist capability to prevent data exfiltration.

 

These rules help organizations create a secure and exfiltration-proof data integration solution. What's more, Azure Policy enforces these rules, thereby boosting governance.

Because the feature uses Azure Policy, these outbound rules can be enforced at different management levels, depending on the organization's needs:

  • Management Group
  • Subscription
  • Resource Group
  • Resource (UI within Data Factory for this assignment is coming soon, but you can use the REST API/SDK to achieve this today)

Note: While the feature is in preview, compliance for this policy is not reported.

 

Steps to enable Azure Policy for outbound rules

  1. Assign the outbound Policy with the desired scope.

  2. Configure the parameters of the policy, specifying the allowed domain names. Create the policy.
    Note: Regex is not supported, so the domains must be exactly the same as those used in the linked services. To update the outbound URL list, update the policy parameter.

  3. Enable the feature in ADF Studio.
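
A pre-flight check for the exact-match requirement in the policy parameter step, as an added example that is not part of the original post or of Microsoft's tooling: it pulls hosts out of linked-service JSON and compares them literally with the allowlist. The sample linked services, the allowlist, `HOST_KEYS` and the status labels are constructed assumptions; the post does not say whether case is normalized, so case-only differences are reported as near-misses rather than matches.

```python
import re
from urllib.parse import urlsplit

# Connection-string keys assumed to carry a host; extend for your connectors.
HOST_KEYS = {"server", "data source", "host"}

def host_of(token):
    """Strip scheme, credentials, 'tcp:' prefix, port and path; keep case."""
    token = token.strip()
    if "://" in token:
        token = urlsplit(token).netloc.rsplit("@", 1)[-1]
    token = re.sub(r"(?i)^tcp:", "", token)
    return re.split(r"[:,/]", token, maxsplit=1)[0]

def hosts_in(value):
    """Yield every host named in a linked service's typeProperties."""
    if isinstance(value, dict):
        for v in value.values():
            yield from hosts_in(v)
    elif isinstance(value, str) and "://" in value and ";" not in value:
        yield host_of(value)                      # plain URL property
    elif isinstance(value, str):                  # connection string
        for part in value.split(";"):
            key, _, val = part.partition("=")
            if key.strip().lower() in HOST_KEYS and val:
                yield host_of(val)

def unusable_entries(allowlist):
    """Entries written as patterns or URLs; literal comparison never hits them."""
    return [a for a in allowlist if re.search(r"[*?^$()\[\]|/\\]", a)]

def check(linked_services, allowlist):
    """Return (service, host, status); near-miss = case or trailing-dot difference only."""
    folded = {a.lower().rstrip(".") for a in allowlist}
    findings = []
    for ls in linked_services:
        for host in sorted(set(hosts_in(ls["properties"]["typeProperties"]))):
            status = ("match" if host in allowlist else
                      "near-miss" if host.lower().rstrip(".") in folded else "no-match")
            findings.append((ls["name"], host, status))
    return findings

# Constructed sample data (hypothetical names), not from a real factory.
ALLOWLIST = ["contosodata.blob.core.windows.net", "*.database.windows.net", "api.contoso.example"]
LINKED_SERVICES = [
    {"name": "BlobLS", "properties": {"typeProperties": {"serviceEndpoint": "https://contosodata.blob.core.windows.net/"}}},
    {"name": "SqlLS", "properties": {"typeProperties": {"connectionString": "Server=tcp:contososql.database.windows.net,1433;Database=sales;"}}},
    {"name": "RestLS", "properties": {"typeProperties": {"url": "https://API.contoso.example/v1/orders"}}},
]
print(*check(LINKED_SERVICES, ALLOWLIST), sep="\n")
```

In the sample, the wildcard entry is reported by `unusable_entries` and the SQL host comes back as `no-match`, which is the gap to close in the policy parameter before enabling the feature.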

 

The Outbound Rules feature in Azure Data Factory allows organizations to exercise granular control over outbound traffic, thereby strengthening network security during data integration. By integrating with Azure Policy, this feature also improves overall governance.

 

If you have any questions or feedback, please post them in the comments below. 

 

Last update: Jun 12 2023 10:45 AM