If you want to lift & shift/migrate your existing SQL Server Integration Services (SSIS) packages to the cloud, so they can run on SSIS integration runtime (IR) in Azure Data Factory (ADF), you’ll need to inject/join your SSIS IR to a virtual network (VNet) in the following scenarios:
- You want to access on-premises data stores/resources from SSIS packages running on Microsoft-managed SSIS IR without configuring and managing a self-hosted IR as proxy by yourself. To learn, see the pros and cons of using VNet or no VNet.
- You want to use Azure SQL Database server/managed instance that’s configured with a private endpoint/IP firewall rule/virtual network service endpoint or managed instance that joins a VNet to store your packages in SSIS catalog database (SSISDB)/SQL Server database (MSDB).
- You want to use Azure Storage that’s configured with a private endpoint/IP firewall rule/virtual network service endpoint to store your SSIS packages or custom setup files.
- You want to access other Azure data stores/resources that are configured with a private endpoint/IP firewall rule/virtual network service endpoint.
- You want to access other cloud data stores/resources that are configured with an IP firewall rule.
There are two methods for you to inject your SSIS IR into a VNet: standard and express that are both in General Availability (GA) now.
With Express method, your SSIS IR provisions/starts faster, and inbound traffic is not needed anymore to meet Enterprise security compliance requirements.
Here’s a table highlighting the differences between standard and express virtual network injection methods:
| Comparison | Standard virtual network injection | Express virtual network injection |
|---|---|---|
| Azure-SSIS IR starting duration | Around 30 minutes. | Around 5 minutes. |
| Azure subscription & resource group settings | Microsoft.Batch must be registered as a resource provider in the virtual network subscription. Creation of a public IP address, load balancer, and network security group (NSG) must be allowed in the virtual network resource group. |
Microsoft.Batch must be registered as a resource provider in the virtual network subscription. |
| Virtual network subnet | Subnet mustn’t be dedicated to other Azure services. | Subnet mustn’t be dedicated to other Azure services. Subnet must be delegated to Microsoft.Batch/batchAccounts. |
| Virtual network permission | User creating Azure-SSIS IR must have Microsoft.Network/virtualNetworks/*/join permission. | User creating Azure-SSIS IR must have Microsoft.Network/virtualNetworks/subnets/join/action permission. |
| Static public IP addresses | (Optional) Bring your own static public IP addresses (BYOIP) for Azure-SSIS IR. | (Optional) Configure virtual network network address translation (NAT) to set up a static public IP address for Azure-SSIS IR. |
| Custom DNS server | Recommended to forward unresolved DNS requests to Azure recursive resolvers. | Recommended to forward unresolved DNS requests to Azure recursive resolvers. Requires a standard custom setup for Azure-SSIS IR. |
| Inbound traffic | Port 29876, 29877 must be open for TCP traffic with BatchNodeManagement service tag as source. | Not required. |
| Outbound traffic | Port 443 must be open for TCP traffic with AzureCloud service tag as destination. | Port 443 must be open for TCP traffic with DataFactoryManagement service tag as destination. |
| Resource lock | Not allowed in the resource group. | Not allowed in the virtual network. |
| Azure-SSIS IRs per virtual network | Unlimited. | Only one. |
For more information on VNet injection, see overview of VNet injection.
For more information on express method, see express VNet injection method.
Microsoft
