%3CLINGO-SUB%20id%3D%22lingo-sub-1596909%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20set%20up%20Private%20Link%20with%20high%20throughput%20data%20ingestion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1596909%22%20slang%3D%22en-US%22%3E%3CP%3E%22%3CSPAN%3EThis%20configuration%20allows%20the%20SQL%20pool%20backend%20compute%20nodes%20to%20bypass%20the%20storage%20network%20configurations%20using%20the%20system-assigned%20MI.%20This%20allows%20the%20COPY%20statement%20to%20directly%20access%20the%20storage%20account%20for%20high%20through%20data%20ingestion%20over%20the%20Azure%20backbone.%3C%2FSPAN%3E%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20specific%20to%20Synapse%20SQL%20Pool%20or%20does%20did%20for%20example%20also%20apply%20to%20ADF%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1596945%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20set%20up%20Private%20Link%20with%20high%20throughput%20data%20ingestion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1596945%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you're%20using%20the%20COPY%20statement%20or%20PolyBase%20in%20an%20ADF%20pipeline%2C%20it%20will%20follow%20the%20same%20flow%20when%20authenticating%20using%20MSI.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1594440%22%20slang%3D%22en-US%22%3EHow%20to%20set%20up%20Private%20Link%20with%20high%20throughput%20data%20ingestion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1594440%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fazure-sql%2Fdatabase%2Fprivate-endpoint-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Synapse%20Analytics%20supports%20Private%20Link%3C%2FA%3E%20enabling%20you%20to%20securely%20connect%20to%20SQL%20pools%20via%20a%20private%20endpoint.%20This%20quick%20how-to%20guide%20provides%20a%20high-level%20overview%20and%20walks%20you%20through%20how%20to%20set%20up%20Private%20Link%20when%20you%E2%80%99re%20using%20the%20COPY%20statement%20for%20high-throughput%20data%20ingestion.%20Using%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fsql%2Ft-sql%2Fstatements%2Fcopy-into-transact-sql%3Fview%3Dazure-sqldw-latest%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ECOPY%20statement%3C%2FA%3E%20is%20a%20best%20practice%20when%20data%20loading%20where%20the%20experience%20is%20simple%2C%20flexible%2C%20and%20fast.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20diagram%20illustrates%20a%20simple%20set-up%20and%20the%20interactions%20happening%20across%20various%20components%20when%20Private%20Link%20is%20enabled%20for%20a%20SQL%20pool%20with%20a%20single%20VM%20within%20a%20VNet%20accessing%20the%20SQL%20endpoint%20(front-end%20control%20node)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Loading%20using%20Private%20Link.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F213152i4B85D14094478839%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Loading%20using%20Private%20Link.png%22%20alt%3D%22Loading%20using%20Private%20Link.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20following%20settings%20are%20required%20on%20your%20SQL%20Server%20when%20securing%20your%20SQL%20pool%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EDeny%20public%20network%20access%3A%20Yes%3C%2FLI%3E%0A%3CLI%3EAllow%20Azure%20services%20and%20resources%20to%20access%20this%20server%3A%20No%3C%2FLI%3E%0A%3CLI%3ECreate%20a%20Private%20endpoint%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EThese%20steps%20can%20all%20be%20easily%20done%20in%20the%20Azure%20portal.%20After%20configuring%20your%20SQL%20Server%2C%20access%20to%20the%20SQL%20pool%20is%20secured%20which%20can%20only%20be%20done%20via%20the%20private%20endpoint%20in%20your%20VNet.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20following%20settings%20are%20required%20on%20your%20storage%20account%20that%20you%20are%20loading%20from%3A%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EAllow%20access%20from%20Selected%20Networks%3A%20On%3C%2FLI%3E%0A%3CLI%3ECreate%20a%20Private%20endpoint%3C%2FLI%3E%0A%3CLI%3ECreate%20a%20system-assigned%20MI%20in%20your%20AAD%20tenant%20for%20your%20SQL%20Server%20via%20PowerShell%3C%2FLI%3E%0A%3CLI%3EGive%20the%20required%20Storage%20Azure%20role%20(Storage%20%3CSTRONG%3EBlob%20Data%3C%2FSTRONG%3E%20Reader%20or%20higher)%20to%20your%20system-assigned%20MI%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3E-ERR%3AREF-NOT-FOUND-Allow%20trusted%20Microsoft%20services%20to%20access%20storage%3A%20Yes%3C%2FSTRONG%3E%3COL%3E%0A%3CLI%3EThis%20configuration%20allows%20the%20SQL%20pool%20backend%20compute%20nodes%20to%20bypass%20the%20storage%20network%20configurations%20using%20the%20system-assigned%20MI%20for%20your%20specific%20SQL%20Server%20resource.%20This%20allows%20the%20COPY%20statement%20to%20directly%20access%20the%20storage%20account%20for%20high%20through%20data%20ingestion%20over%20the%20Azure%20backbone.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EFor%20more%20details%20on%20setting%20up%20your%20storage%20account%20for%20COPY%20access%2C%20you%20can%20visit%20the%20following%20-ERR%3AREF-NOT-FOUND-documentation.%20You%20can%20visit%20the%20following%20links%20to%20learn%20how%20Azure%20Synapse%20provides%20secure%20network%20access%20for%20your%20analytics%20platform%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fazure-sql%2Fdatabase%2Fprivate-endpoint-overview%23data-exfiltration-prevention%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ELearn%20more%20about%20Private%20Link%20with%20Azure%20Synapse%20Analytics%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsynapse-analytics%2Fsecurity%2Fsynapse-workspace-managed-private-endpoints%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ELearn%20about%20managed%20private%20endpoints%20currently%20in%20preview%20for%20Azure%20Synapse%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1594440%22%20slang%3D%22en-US%22%3E%3CP%3EHigh%20throughput%20data%20ingestion%20when%20using%20Azure%20Private%20Link!%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Loading%20using%20Private%20Link.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F213150i4EE41D7DC7AFABB3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Loading%20using%20Private%20Link.png%22%20alt%3D%22Loading%20using%20Private%20Link.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1594440%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESynapse%20Pipelines%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESynapse%20SQL%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

 

Azure Synapse Analytics supports Private Link enabling you to securely connect to SQL pools via a private endpoint. This quick how-to guide provides a high-level overview and walks you through how to set up Private Link when you’re using the COPY statement for high-throughput data ingestion. Using the COPY statement is a best practice when data loading where the experience is simple, flexible, and fast.

                                                                                     

The following diagram illustrates a simple set-up and the interactions happening across various components when Private Link is enabled for a SQL pool with a single VM within a VNet accessing the SQL endpoint (front-end control node):

 

Loading using Private Link.png

 

 

 

 

 

The following settings are required on your SQL Server when securing your SQL pool:

  1. Deny public network access: Yes
  2. Allow Azure services and resources to access this server: No
  3. Create a Private endpoint

These steps can all be easily done in the Azure portal. After configuring your SQL Server, access to the SQL pool is secured which can only be done via the private endpoint in your VNet.

 

The following settings are required on your storage account that you are loading from:

  1. Allow access from Selected Networks: On
  2. Create a Private endpoint
  3. Create a system-assigned MI in your AAD tenant for your SQL Server via PowerShell
  4. Give the required Storage Azure role (Storage Blob Data Reader or higher) to your system-assigned MI
  5. Allow trusted Microsoft services to access storage: Yes
    1. This configuration allows the SQL pool backend compute nodes to bypass the storage network configurations using the system-assigned MI for your specific SQL Server resource. This allows the COPY statement to directly access the storage account for high through data ingestion over the Azure backbone.

For more details on setting up your storage account for COPY access, you can visit the following documentation. You can visit the following links to learn how Azure Synapse provides secure network access for your analytics platform:

 

6 Comments
Senior Member

"This configuration allows the SQL pool backend compute nodes to bypass the storage network configurations using the system-assigned MI. This allows the COPY statement to directly access the storage account for high through data ingestion over the Azure backbone."

 

Is this specific to Synapse SQL Pool or does did for example also apply to ADF?

Microsoft

If you're using the COPY statement or PolyBase in an ADF pipeline, it will follow the same flow when authenticating using MSI.

Senior Member

Do you have the PowerShell commands for the following statement?

"3. Create a system-assigned MI in your AAD tenant for your SQL Server via PowerShell"

 

I have looked the Az.Synapse 0.1.2
https://www.powershellgallery.com/packages/Az.Synapse/0.1.2


But, I am not sure which command to do what you said here.

Microsoft

Hi James, for more details on setting up your storage account for COPY access, you can visit the following documentation. That link has all the steps in detail.

@kevin_ngo looking forward to an update when this (or something very similar) is supported on Synapse workspaces.

New Contributor

@kevin_ngo, why are you setting Allow Azure services and resources to access this server: No. 

I thought we had to set this to yes so all Azure Services communicate through the Microsoft Backbone.

 

Thanks for letting me know.