General Availability of Express Virtual Network injection for SSIS in Azure Data Factory
Published Dec 18 2022 09:27 PM
Microsoft

If you want to lift & shift/migrate your existing SQL Server Integration Services (SSIS) packages to the cloud, so they can run on SSIS integration runtime (IR) in Azure Data Factory (ADF), you’ll need to inject/join your SSIS IR to a virtual network (VNet) in the following scenarios:

 

  • You want to access on-premises data stores/resources from SSIS packages running on a Microsoft-managed SSIS IR without configuring and managing a self-hosted IR as a proxy yourself. To learn more, see the pros and cons of using VNet or no VNet.

  • You want to use an Azure SQL Database server/managed instance that's configured with a private endpoint/IP firewall rule/virtual network service endpoint, or a managed instance that joins a VNet, to store your packages in the SSIS catalog database (SSISDB)/SQL Server database (MSDB).

  • You want to use Azure Storage that's configured with a private endpoint/IP firewall rule/virtual network service endpoint to store your SSIS packages or custom setup files.

  • You want to access other Azure data stores/resources that are configured with a private endpoint/IP firewall rule/virtual network service endpoint.

  • You want to access other cloud data stores/resources that are configured with an IP firewall rule.

 

There are two methods for injecting your SSIS IR into a VNet, standard and express, and both are now in General Availability (GA).

With the express method, your SSIS IR provisions/starts faster, and inbound traffic is no longer needed, which helps meet enterprise security compliance requirements.

Here’s a table highlighting the differences between standard and express virtual network injection methods:

| Comparison | Standard virtual network injection | Express virtual network injection |
|---|---|---|
| Azure-SSIS IR starting duration | Around 30 minutes. | Around 5 minutes. |
| Azure subscription & resource group settings | Microsoft.Batch must be registered as a resource provider in the virtual network subscription. Creation of a public IP address, load balancer, and network security group (NSG) must be allowed in the virtual network resource group. | Microsoft.Batch must be registered as a resource provider in the virtual network subscription. |
| Virtual network subnet | Subnet mustn't be dedicated to other Azure services. | Subnet mustn't be dedicated to other Azure services. Subnet must be delegated to Microsoft.Batch/batchAccounts. |
| Virtual network permission | User creating Azure-SSIS IR must have Microsoft.Network/virtualNetworks/*/join permission. | User creating Azure-SSIS IR must have Microsoft.Network/virtualNetworks/subnets/join/action permission. |
| Static public IP addresses | (Optional) Bring your own static public IP addresses (BYOIP) for Azure-SSIS IR. | (Optional) Configure virtual network network address translation (NAT) to set up a static public IP address for Azure-SSIS IR. |
| Custom DNS server | Recommended to forward unresolved DNS requests to Azure recursive resolvers. | Recommended to forward unresolved DNS requests to Azure recursive resolvers. Requires a standard custom setup for Azure-SSIS IR. |
| Inbound traffic | Port 29876, 29877 must be open for TCP traffic with BatchNodeManagement service tag as source. | Not required. |
| Outbound traffic | Port 443 must be open for TCP traffic with AzureCloud service tag as destination. | Port 443 must be open for TCP traffic with DataFactoryManagement service tag as destination. |
| Resource lock | Not allowed in the resource group. | Not allowed in the virtual network. |
| Azure-SSIS IRs per virtual network | Unlimited. | Only one. |
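The subnet delegation and inbound/outbound rows of the table can be checked mechanically before an IR is started or migrated from standard to express. The sketch below is an added example, not code from the original post or from Microsoft. The dict layout, the function names `allowed` and `audit`, and the sample rules are constructed assumptions, and port ranges and service-tag containment are not modelled.

```python
# Added example. Requirements are taken from the comparison table; the dict
# layout for subnet and rules is a constructed, simplified shape (assumption).
REQUIRED = {
    "standard": {"delegation": None,
                 "inbound": [("29876", "BatchNodeManagement"),
                             ("29877", "BatchNodeManagement")],
                 "outbound": [("443", "AzureCloud")]},
    "express": {"delegation": "Microsoft.Batch/batchAccounts",
                "inbound": [],
                "outbound": [("443", "DataFactoryManagement")]},
}

def allowed(rules, direction, port, tag):
    """First matching rule by ascending priority decides, as in an NSG."""
    peer = "source" if direction == "Inbound" else "destination"
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == direction and r["protocol"] in ("Tcp", "*")
                and (port in r["ports"] or "*" in r["ports"])
                and r[peer] in (tag, "*")):  # simplification: tag containment not modelled
            return r["access"] == "Allow"
    # No custom rule matched: Azure's default rules deny inbound from the
    # Internet and allow outbound to the Internet.
    return direction == "Outbound"

def audit(method, subnet):
    req, rules, findings = REQUIRED[method], subnet["nsg_rules"], []
    if req["delegation"] and req["delegation"] not in subnet["delegations"]:
        findings.append(f"subnet not delegated to {req['delegation']}")
    for direction in ("inbound", "outbound"):
        for port, tag in req[direction]:
            if not allowed(rules, direction.capitalize(), port, tag):
                findings.append(f"{direction} TCP {port} blocked for {tag}")
    if method == "express":
        # Inbound is "Not required": leftover standard-method openings are excess exposure.
        for port, tag in REQUIRED["standard"]["inbound"]:
            if allowed(rules, "Inbound", port, tag):
                findings.append(f"inbound TCP {port} still open; not required for express")
    return findings

# Constructed sample: locked-down outbound, leftover standard-method inbound rule.
SAMPLE = {"delegations": [], "nsg_rules": [
    {"priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "ports": ["29876", "29877"], "source": "BatchNodeManagement", "destination": "*"},
    {"priority": 4000, "direction": "Outbound", "access": "Deny", "protocol": "*",
     "ports": ["*"], "source": "*", "destination": "*"},
]}

if __name__ == "__main__":
    for m in ("standard", "express"):
        print(m, audit(m, SAMPLE))
```

For the constructed sample, the express audit reports the missing delegation, the blocked outbound path to DataFactoryManagement, and the two inbound Batch ports that can now be closed.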

 

For more information on VNet injection, see overview of VNet injection.

For more information on the express method, see express VNet injection method.

Last update: Dec 18 2022 10:30 PM