Earlier this week, we released a feature in Purview to use private endpoints for your accounts. Implementing this feature can unlock the following for you:
1. You can use private endpoints to allow clients and users on a virtual network (VNet) to securely access the Purview Data Catalog over a Private Link.
2. The private endpoint uses an IP address from the VNet address space for your Azure Purview account.
3. Network traffic between the clients on the VNet and the Purview account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
4. You can also ensure network isolation for the metadata flowing from the source being scanned to the Purview Data Map by using ingestion private endpoints.
Now let's get started. Below is some helpful guidance to set this up within your own environment.
Creating a new Azure Purview account with Private Endpoints for the account & portal
Navigate to the Azure portal and then to your Purview account.
Fill in the basic information, and set the connectivity method to Private endpoint in the Networking tab. Set up your ingestion private endpoints by providing details of the Subscription, VNet and Subnet that you want to pair with your private endpoint.
Create an ingestion private endpoint only if you intend to enable network isolation for end-to-end scan scenarios, for both your Azure and on-premises sources. We currently do not support ingestion private endpoints working with your AWS sources.
You can also optionally choose to set up a Private DNS zone for each ingestion private endpoint.
Click Add to add a private endpoint for your Purview account.
In the Create private endpoint page, set the Purview sub-resource to account, choose your virtual network and subnet, and select the Private DNS Zone where the DNS will be registered (you can also utilize your own DNS servers or create DNS records using host files on your virtual machines).
Create a private endpoint for the Azure Purview studio
Navigate to the Purview account you just created, select the Private endpoint connections under the Settings section.
Click +Private endpoint to create a new private endpoint.
Fill in basic information.
In the Resource tab, set the Resource type to Microsoft.Purview/accounts.
Select the Resource to be the newly created Purview account and set the target sub-resource to portal.
Select the virtual network and Private DNS Zone in the Configuration tab. Navigate to the summary page, and click Create to create the portal private endpoint.
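The two portal walkthroughs above (the account sub-resource and the portal sub-resource) can be scripted the same way with Azure CLI. The script below is an added example and is not from the original post or from the Purview documentation; every resource name and the subscription id are placeholders you replace with your own, and the two privatelink zone names are assumed from the Purview private-link documentation. It creates the private endpoint for one sub-resource, links the matching private DNS zone to the VNet, and ends with a check that the account hostname resolves to a private address when run from a VM inside the VNet, which is the behaviour the DNS zone is there to guarantee.

```shell
#!/bin/sh
# Added example, not code from the original post: create the "account" and
# "portal" private endpoints for an existing Azure Purview account with Azure
# CLI, then verify that the account hostname resolves privately from the VNet.
# All names and the subscription id below are placeholders (assumptions).
set -eu

AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of executing them

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-rg-purview-demo}"                  # assumed resource group
PURVIEW_ACCOUNT="${PURVIEW_ACCOUNT:-pvdemo}"  # assumed Purview account name
VNET="${VNET:-vnet-purview}"                 # assumed VNet that holds the clients
SUBNET="${SUBNET:-snet-private-endpoints}"   # assumed subnet for the endpoint NICs

# Resource id of the Purview account (the private-link target).
purview_account_id() {
  echo "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.Purview/accounts/$PURVIEW_ACCOUNT"
}

# Private DNS zone assumed for each Purview sub-resource.
zone_for_subresource() {
  case "$1" in
    account) echo "privatelink.purview.azure.com" ;;
    portal)  echo "privatelink.purviewstudio.azure.com" ;;
    *) echo "unsupported sub-resource: $1" >&2; return 1 ;;
  esac
}

# Create the private endpoint for one sub-resource ("account" or "portal"),
# link its private DNS zone to the VNet and register the endpoint's A record
# in that zone so clients on the VNet resolve the private IP.
create_private_endpoint() {
  sub="$1"
  zone="$(zone_for_subresource "$sub")"
  pe_name="pe-${PURVIEW_ACCOUNT}-${sub}"

  "$AZ" network private-dns zone create -g "$RG" -n "$zone"
  "$AZ" network private-dns link vnet create -g "$RG" -z "$zone" \
      -n "link-${VNET}" -v "$VNET" -e false
  "$AZ" network private-endpoint create -g "$RG" -n "$pe_name" \
      --vnet-name "$VNET" --subnet "$SUBNET" \
      --private-connection-resource-id "$(purview_account_id)" \
      --group-id "$sub" --connection-name "conn-${sub}"
  "$AZ" network private-endpoint dns-zone-group create -g "$RG" \
      --endpoint-name "$pe_name" -n "default" \
      --private-dns-zone "$zone" --zone-name "$sub"
}

# True when an IPv4 address is in RFC 1918 space, which is what a client on
# the VNet should get back once the zone is linked.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the account hostname on this machine and fail if the answer is a
# public address. Run it from a VM inside the VNet after creating the endpoints.
check_private_resolution() {
  host="${PURVIEW_ACCOUNT}.purview.azure.com"
  ip="$(getent hosts "$host" | awk '{print $1; exit}')"
  [ -n "$ip" ] || { echo "$host did not resolve" >&2; return 1; }
  if is_private_ipv4 "$ip"; then
    echo "$host -> $ip (private)"
  else
    echo "$host -> $ip (PUBLIC: private DNS zone not in effect)" >&2
    return 1
  fi
}

# Usage: sh purview-pe.sh create   (run from an operator workstation)
#        sh purview-pe.sh check    (run from a VM inside the VNet)
case "${1:-}" in
  create) create_private_endpoint account; create_private_endpoint portal ;;
  check)  check_private_resolution ;;
esac
```

Running with `AZ=echo sh purview-pe.sh create` prints the four CLI calls per sub-resource without touching the subscription, which is a convenient way to review the exact resource ids and group ids before executing for real. The `check` step is the one to keep in a post-deployment runbook: a public answer means the private DNS zone is not linked to the VNet the client sits in (or the client uses a resolver that does not forward to Azure DNS), and traffic is still leaving the VNet.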
Ingestion private endpoints and scanning sources in private networks, virtual networks and behind private endpoints
If you want to ensure network isolation for your metadata flowing from the source which is being scanned to the Purview Data Map, then you must follow these steps:
Enable an ingestion private endpoint by following the steps in this section of the documentation.
Scan the source using a self-hosted IR.
All on-premises source types like SQL Server, Oracle, SAP and others are currently supported only via self-hosted IR based scans. The self-hosted IR must run within your private network, which is then peered with your VNet in Azure. Your Azure VNet must then be enabled on your ingestion private endpoint by following the steps here.
For all Azure source types like Azure Blob Storage, Azure SQL Database and others, you must explicitly choose to run the scan using a self-hosted IR to ensure network isolation. Follow the steps here to set up a self-hosted IR. Then set up your scan on the Azure source by choosing that self-hosted IR in the connect via integration runtime dropdown to ensure network isolation.
You can also set up private endpoints on your existing Purview accounts. To learn about this and more read our full documentation here today!