If you want to lift & shift/migrate your existing SQL Server Integration Services (SSIS) packages to the cloud, so they can run on SSIS integration runtime (IR) in Azure Data Factory (ADF), you’ll need to inject/join your SSIS IR to a virtual network (VNet) in the following scenarios:
- You want to access on-premises data stores/resources from SSIS packages running on Microsoft-managed SSIS IR without configuring and managing a self-hosted IR as proxy by yourself. To learn, see the pros and cons of using VNet or no VNet.
- You want to use Azure SQL Database server/managed instance that’s configured with a private endpoint/IP firewall rule/virtual network service endpoint or managed instance that joins a VNet to store your packages in SSIS catalog database (SSISDB)/SQL Server database (MSDB).
- You want to use Azure Storage that’s configured with a private endpoint/IP firewall rule/virtual network service endpoint to store your SSIS packages or custom setup files.
- You want to access other Azure data stores/resources that are configured with a private endpoint/IP firewall rule/virtual network service endpoint.
- You want to access other cloud data stores/resources that are configured with an IP firewall rule.
There are two methods for you to inject your SSIS IR into a VNet: standard and express that are both in General Availability (GA) now.
With Express method, your SSIS IR provisions/starts faster, and inbound traffic is not needed anymore to meet Enterprise security compliance requirements.
Here’s a table highlighting the differences between standard and express virtual network injection methods:
| Comparison |
Standard virtual network injection |
Express virtual network injection |
| Azure-SSIS IR starting duration |
Around 30 minutes. |
Around 5 minutes. |
| Azure subscription & resource group settings |
Microsoft.Batch must be registered as a resource provider in the virtual network subscription.
Creation of a public IP address, load balancer, and network security group (NSG) must be allowed in the virtual network resource group. |
Microsoft.Batch must be registered as a resource provider in the virtual network subscription. |
| Virtual network subnet |
Subnet mustn’t be dedicated to other Azure services. |
Subnet mustn’t be dedicated to other Azure services.
Subnet must be delegated to Microsoft.Batch/batchAccounts. |
| Virtual network permission |
User creating Azure-SSIS IR must have Microsoft.Network/virtualNetworks/*/join permission. |
User creating Azure-SSIS IR must have Microsoft.Network/virtualNetworks/subnets/join/action permission. |
| Static public IP addresses |
(Optional) Bring your own static public IP addresses (BYOIP) for Azure-SSIS IR. |
(Optional) Configure virtual network network address translation (NAT) to set up a static public IP address for Azure-SSIS IR. |
| Custom DNS server |
Recommended to forward unresolved DNS requests to Azure recursive resolvers. |
Recommended to forward unresolved DNS requests to Azure recursive resolvers.
Requires a standard custom setup for Azure-SSIS IR. |
| Inbound traffic |
Port 29876, 29877 must be open for TCP traffic with BatchNodeManagement service tag as source. |
Not required. |
| Outbound traffic |
Port 443 must be open for TCP traffic with AzureCloud service tag as destination. |
Port 443 must be open for TCP traffic with DataFactoryManagement service tag as destination. |
| Resource lock |
Not allowed in the resource group. |
Not allowed in the virtual network. |
| Azure-SSIS IRs per virtual network |
Unlimited. |
Only one. |
For more information on VNet injection, see overview of VNet injection.
For more information on express method, see express VNet injection method.
