Data Factory is now a 'Trusted Service' in Azure Storage and Azure Key Vault firewall
Published Oct 30 2019 01:25 AM 45.4K Views
Microsoft

 

There are various scenarios in which you need to access data in Azure Storage or secrets in Azure Key Vault from a Data Factory pipeline or from your applications. Often there is a security requirement to prevent unknown sources from accessing the Storage account or the Key Vault. In such circumstances, you can use the ‘Allow trusted Microsoft services...’ setting in the firewall to enable access to your data from 'Trusted Services' without having to allow connections from all networks. For more details on 'Trusted Services', please refer to the Azure Storage and Azure Key Vault documentation. 

 

Data Factory is now part of ‘Trusted Services’ in Azure Key Vault and Azure Storage. Integration runtime (Azure, Self-hosted, and SSIS) can now connect to Storage/ Key Vault without having to be inside the same virtual network or requiring you to allow all inbound connections to the service. 

 

Note: Both Data Movement and Mapping Data flows are also supported as ‘Trusted Services’.  

 

Common data integration security requirements

 

  1. Use the Internet to connect to data stores/ secrets store over TLS
    • Security – secure data using all supported Auth mechanisms
    • Recommendation – Use Azure IR/ SSIS IR
  2. Use the Internet to connect to data stores/ secrets store over TLS only from known sources using the ‘Trusted Services’ firewall exception
    • Security – secure data using MSI Auth + Service Firewall
    • Recommendation – Use ‘Allow Trusted Services…’ in Storage/ Key Vault firewall + Azure IR/ Self-hosted IR/ SSIS IR


  3. Use a private network/ virtual network to connect to data stores over TLS
    • Security – secure data using Auth + compute injection/ peering with the private network
    • Recommendation – Use Self-hosted IR/ SSIS IR within your Virtual Network/ Private network.

Note: We are actively working on adding the capability to add/ peer an Azure IR inside VNET. 

 

Steps to connect as ‘Trusted Service’

 

  • Connecting to Azure Storage (using Azure blob or Azure Data lake Gen2 linked service)

    1. Grant Data Factory’s managed identity access to read data in the storage account’s access control. For more detailed instructions, please refer to this.
    2. Create the linked service using Managed identities for Azure resources authentication.
    3. Modify the firewall settings in the Azure Storage account to select ‘Allow trusted Microsoft Services…’. 

Note: Only Managed Identity authentication is supported when using ‘Trusted Service’ functionality in storage to allow Azure Data Factory to access its data. 

 

  • Connecting to Azure Key Vault (using Azure Key Vault linked service) 

    1. Create the linked service with managed identity authentication and grant the appropriate permissions in Azure Key Vault Access Policies as mentioned in the article.
    2. Modify the firewall settings in the Azure Key Vault to select ‘Allow Trusted Microsoft Services…’.
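Scenario 2 and the two step lists above, as an added Azure CLI example that is not part of the original post: it grants the factory's managed identity read access, turns on the service firewall with the trusted-services bypass on both Storage and Key Vault, and audits the resulting rule set so that a failed test connection can be told apart from a firewall that was never locked down or that lacks the bypass. The resource names and the choice of the Storage Blob Data Reader role are assumptions.

```shell
#!/bin/sh
# Added example, not from the post. Resource names below are assumptions;
# the factory is assumed to have its system-assigned managed identity enabled.
RG="rg-example"            # assumed resource group
ADF="adf-example"          # assumed Data Factory name
STORAGE="stexample"        # assumed Storage account (Blob / ADLS Gen2)
VAULT="kv-example"         # assumed Key Vault name

# Object id of the factory's managed identity: the only principal that the
# 'Trusted Services' exception lets through once the firewall denies by default.
factory_principal_id() {
  az resource show --resource-group "$RG" --name "$ADF" \
    --resource-type Microsoft.DataFactory/factories \
    --query identity.principalId -o tsv
}

# Storage: least-privilege data-plane role for the identity, then deny all
# networks by default and bypass only trusted Microsoft services.
lock_down_storage() {
  scope=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  az role assignment create --assignee-object-id "$(factory_principal_id)" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" --scope "$scope"
  az storage account update -g "$RG" -n "$STORAGE" \
    --default-action Deny --bypass AzureServices
}

# Key Vault: secret read permissions only, then the same firewall posture.
lock_down_key_vault() {
  az keyvault set-policy -n "$VAULT" --object-id "$(factory_principal_id)" \
    --secret-permissions get list
  az keyvault update -g "$RG" -n "$VAULT" \
    --default-action Deny --bypass AzureServices
}

# Audit one rule set, given the JSON printed by
#   az storage account show ... --query networkRuleSet -o json   or
#   az keyvault show ... --query properties.networkAcls -o json
# Passes only if defaultAction is Deny AND AzureServices is in the bypass list.
audit_network_rules() {
  compact=$(printf '%s' "$1" | tr -d ' \n\t')
  action=$(printf '%s' "$compact" | sed -n 's/.*"defaultAction":"\([^"]*\)".*/\1/p')
  bypass=$(printf '%s' "$compact" | sed -n 's/.*"bypass":"\([^"]*\)".*/\1/p')
  [ "$action" = "Deny" ] || { echo "defaultAction is '$action', not Deny" >&2; return 1; }
  case ",$bypass," in
    *,AzureServices,*) return 0 ;;
    *) echo "bypass is '$bypass'; AzureServices missing" >&2; return 1 ;;
  esac
}
```

The audit works offline on JSON already exported from `az`, while the two lock-down functions need a logged-in `az` session with rights on the resource group.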


 

Next Steps

See the following related articles for more details:

 

9 Comments
Copper Contributor

Hi,

 

Thanks for the post. So, this option only works to connect to Azure Blob storage. I am still getting an "Access denied" error while trying to connect to Azure file share.

So, this option will not connect to Azure file share. Please correct me if I am wrong.

Copper Contributor
Hi, this is a great feature in addition to the private endpoints and selected networks capabilities of Azure Storage / ADLS Gen2! Unfortunately it does not even work yet for me on ADF V2 connecting to ADLS with the option "Selected networks". We enabled "trusted services" but we still get connection errors. Our resources are in the regions West Europe and North Europe. Can you please check the DFS protocol again? Thanks.
Microsoft

@Shafiul_Alam It does not apply to Azure File Share. It works only with Blob and BlobFS (ADLSGen2). 

Microsoft

@Marco_Fischer_inovex I did verify it and it works in West Europe. Please make sure you are using MSI/ Managed Identity authentication in the linked service. 

Copper Contributor

@Abhishek Narain - Any news on when you will be adding support for accessing Azure Files?

Copper Contributor

Tried in the last two days: when the firewall is enabled with "allow trusted services", test connection fails in Data Factory v2. 

The storage account and Data Factory v2 are both in the Australia East region. Could you please update us on this? Thanks

Copper Contributor

Hi @Abhishek Narain ,

I was unable to connect to blob storage as well as ADLS Gen2 with private endpoints, and both have "allow trusted MS services" enabled. I made a successful connection from ADF to SQL database (private endpoint) using Self-hosted IR; however, I was unable to connect to storage blob or ADLS. Could you please help me with this issue? I tried authentication type account key as well as managed identity; however, the connection is failing. I have a Contributor role at subscription level.

 

Thank You

 

 

Brass Contributor

FYI: This is now outdated in the scope of SHIR!

 

>> Data Factory is now part of ‘Trusted Services’ in Azure Key Vault and Azure Storage. Integration runtime (Azure, Self-hosted, and SSIS) can now connect to Storage/ Key Vault without having to be inside the same virtual network or requiring you to allow all inbound connections to the service. 

 

Not true. At least Key Vault does not consider the Self-Hosted IR a trusted service anymore. Not sure about storage account.

 

This blog post should be updated and/or a proper documentation page written. E.g. https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-se... links here.

 

I just opened a documentation issue for Key Vault trusted service: https://github.com/MicrosoftDocs/azure-docs/issues/119969

 

@Abhishek Narain Is " Data Factory is now part of ‘Trusted Services’ in Azure Key Vault and Azure Storage. Integration runtime (Azure, Self-hosted, and SSIS) can now connect to Storage/ Key Vault without having to be inside the same virtual network or requiring you to allow all inbound connections to the service. " still true for SHIR and storage account?

Version history
Last update: May 31 2020 09:00 PM