
Setting Up Private Connectivity to Your Microsoft Fabric Tenant

Data Insight Nest

I'm sure we'd all love our own private road or tunnel to commute back and forth from work, right? But what about setting up a private connection to your Microsoft Fabric Tenant? Some of us have likely faced this requirement, often due to some compliance or regulatory requirements.

Maybe it's just me who gets scared by network security; I’m just an engineer who’d rather be smashing keyboards than worrying about network security!

Fortunately, setting up such private connectivity is quite similar to building that dream private road, and this blog will hopefully demystify the scary realm of networking.


Now I know Microsoft has already created a 'How-To' guide (See Resources), describing all the steps involved in setting this up, but personally, the only way I can wrap my head around networking is to use an analogy. So in this blog, I am going to be doing exactly that - using an analogy to describe what options we have and how to achieve private connectivity. Let's get into it!


But first,


Understanding the Analogy

Imagine you have a house and you need to travel to work. You have two options to get to work every day:


  1. Use the public road: This represents accessing the Microsoft Fabric Tenant using the public internet.

  2. Build your own private road/tunnel: In effect, the private road/tunnel would be the private links/endpoints for your Microsoft Fabric tenant.


Breaking it down further:

  • House: Your private network, in the cloud.

  • Work: The Microsoft Fabric Tenant.

  • Public Road: Public internet access to the Microsoft Fabric Tenant.

  • Private Road/Tunnel: Private Links.

  • Door to the Private Road: Private Endpoints, which can only be accessed from within your home (private network).


Well, I am sure, based on the title of this blog, we want to unpack how option 2 would be implemented, and now that we have that groundwork and basic understanding - let's jump into the details!




Steps to Set Up Private Connectivity

Step 1: Build Your House (Set up Private Network/VNet)

Purpose: Deploying a Virtual Network (VNet) is crucial because it creates an isolated/private environment in the cloud. Now I can already hear the question - "But what about my on-premises network, how does this link to this private cloud network?" Well, I have answered that in the 'Extending On-Premises Networks with ExpressRoute or VPN' section below - take a look.

Action: Deploy a VNet and Subnet in Azure.

  1. Log in to https://portal.azure.com/

  2. In the marketplace, search for 'virtual network'

    1. Filter the results down to 'Azure services only'

  3. Select Create on 'Virtual Network'

  4. Fill out the desired configuration and create the resource.


Note: If you're using a Virtual Machine (VM) as your door, you’ll need to deploy an additional Bastion Subnet.


Step 2: Build a Door to Your House (Deploy a Virtual Machine in the Private Network/VNet)

Purpose: Deploying a Virtual Machine (VM) within your VNet provides a secure access point, acting as a gateway for internal and external communication. This is like a doorway to your private road/tunnel.

Action: Deploy a VM into the VNet you created in the previous step and enable Bastion access.

  1. Log in to https://portal.azure.com/

  2. In the marketplace, search for 'virtual machine'

    1. Filter the results down to 'Azure services only'

  3. Select Create on 'Virtual machine'

  4. Fill out the desired configuration and create the resource.


Note: This step is optional if you have a Point-to-Site (P2S) or Site-to-Site (S2S) VPN acting as your access door to the network.


Step 3: Inform Work That You Want to Use a Private Road (Enable Private Link in Microsoft Fabric)

Action: In the Azure tenant, enable Private Link Access.

  1. Log in to https://app.fabric.microsoft.com/

  2. Navigate to the Admin Portal

  3. In 'Tenant Settings', under 'Advanced Networking', Enable Private Link and hit 'Apply'


Notes:

  • This process can take up to 15 minutes to take effect.

  • This setting is applied to the entire Microsoft Fabric Tenant.


Step 4: Build Your Tunnel (Deploy Private Link and Private Endpoints for Microsoft Fabric)

Action: Deploy your private link service using a custom deployment/template. Below is a basic template:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.PowerBI/privateLinkServicesForPowerBI",
      "apiVersion": "2020-06-01",
      "name": "<resource-name>",
      "location": "global",
      "properties": {
        "tenantId": "<tenant-object-id>"
      }
    }
  ]
}

  1. Log in to https://portal.azure.com/

  2. In the marketplace, search for 'template'

    1. Filter the results down to 'Azure services only'

  3. Select Create on 'Template deployment'

  4. Select 'Build your own template in the editor'

  5. Replace the content of the template with the code snippet above.

    1. Take special note to update 'name' and 'tenantId'.

  6. Select Save

  7. Fill out the desired configuration (Resource group and Region) and create the resource.

    1. If you see a failure, see the note section - this is likely the cause.

    2. If you notice that it stays in the 'Deployment is in progress' state for an unusually long time, it could be that you are not a Microsoft Fabric Tenant Admin. Only a Microsoft Fabric Tenant Admin can perform this step.

  8. Once that is deployed, go back to the marketplace, search for 'private endpoint'

    1. Filter the results down to 'Azure services only'

  9. Fill out the desired configuration, making sure you select:

    1. Resource type: Microsoft.PowerBI/privateLinkServicesForPowerBI

    2. Resource: The private link service you created above

    3. Virtual Network: The virtual network you created in step 1

  10. Create the private endpoint resource


Note: You may need to register the Microsoft.PowerBI resource provider on the relevant subscription.


Step 5: Test Your New Private Road

  1. Navigate to the VM you deployed in step 2

  2. Connect to the VM using Bastion

  3. Open the command prompt on the VM

  4. Run the command:

    nslookup app.fabric.microsoft.com

  5. You should see a private IP being used (10.0.0.Something). This means that connectivity to https://app.fabric.microsoft.com/ is running over your private link! Great Job!!

    1. You can hop off the network (i.e., on your local PC), run the same command, and notice that it does not return the private IP.
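A scripted version of the Step 5 check, added here as an example and not part of the original post: it reads nslookup output, skips the DNS server's own address in the header, and passes only if every answer falls inside the VNet range. The 10.0.0.0/24 range, the host names and both sample outputs are constructed assumptions.

```python
import ipaddress

VNET_CIDR = "10.0.0.0/24"  # assumed address space of the Step 1 subnet

# Constructed nslookup output as seen from the VM (host names are placeholders).
SAMPLE_VM = """\
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    fabric-private.example.net
Address:  10.0.0.5
Aliases:  app.fabric.microsoft.com
"""

# Constructed output from a PC outside the VNet whose resolver is 192.168.1.1.
SAMPLE_PC = """\
Server:  router.home
Address:  192.168.1.1

Non-authoritative answer:
Name:    fabric-public.example.net
Addresses:  2001:db8::10
          203.0.113.20
Aliases:  app.fabric.microsoft.com
"""


def answer_addresses(nslookup_output):
    """Return the IPs in the answer section, not the resolver's own address."""
    text = nslookup_output.replace("\r\n", "\n")
    # The Server/Address header describing the DNS server ends at the first blank line.
    _, _, answer = text.partition("\n\n")
    found = []
    for token in answer.split():
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # labels ("Name:") and host names are not addresses
    return found


def resolves_privately(nslookup_output, vnet_cidr=VNET_CIDR):
    """True only if there is an answer and every address is inside the VNet."""
    vnet = ipaddress.ip_network(vnet_cidr)
    answers = answer_addresses(nslookup_output)
    return bool(answers) and all(addr in vnet for addr in answers)


if __name__ == "__main__":
    print("VM:", resolves_privately(SAMPLE_VM))
    print("PC:", resolves_privately(SAMPLE_PC))
```

Checking membership in the VNet range rather than "any private-looking address" matters because a home resolver such as 192.168.1.1 appears in the header of every lookup, and a failed lookup returns no answer at all.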


Step 6: Restrict Access to the Private Road Only (Disable Public Internet Access)

Action: In the Microsoft Fabric tenant's admin portal, disable public access to the tenant.

  1. While still on the VM, open a browser.

  2. Log in to https://app.fabric.microsoft.com/

  3. Navigate to the Admin Portal

  4. In 'Tenant Settings', under 'Advanced Networking', Disable Public Internet Access and hit 'Apply'


Notes: This will take effect only if you are connected via the private link and can take up to 20 minutes.


Step 7: Access Your Work from Your Home Via the Private Road (Log into Microsoft Fabric from Private Network/VNet)

  1. After 30 minutes, and while still on the VM, open a browser.

  2. Log in to https://app.fabric.microsoft.com/

  3. You should have no issues.


Step 8: Confirm Public Road Is No Longer Accessible (Try to Access the Microsoft Fabric Tenant from the Public Internet)

  1. After 30 minutes, move off the private network (i.e., onto your local PC)

  2. Log in to https://app.fabric.microsoft.com/

  3. You should see a message like:

    Screenshot showing you no longer have access to the Fabric Tenant over the internet

 

List of Resources

Here is a list of all the resources you will expect to see by the end of this guide:

Screenshot of the list of all the resources you will expect to see by the end of this guide

Extending On-Premises Networks with ExpressRoute or VPN

Setting up a private network in the cloud can feel overwhelming, especially when extending it to your on-premises network. I totally get that knot in your stomach; I've been there too! To make sense of it all, let's use another simple analogy to break down these concepts and ease the process.


Analogy

Imagine you have a beautiful holiday home on an island (your cloud network) and a home on the mainland (your on-premises network). To travel easily between them, you need a secure bridge or tunnel (like ExpressRoute or a VPN). This connection lets you move freely and safely between both homes, ensuring they work seamlessly together.


While both of these will be private to you, behind the scenes they are very different.


ExpressRoute

ExpressRoute functions like a high-security, private tunnel under the sea. It provides a direct, dedicated path between your homes, bypassing everyday traffic. This tunnel ensures fast, reliable, and secure data flow, keeping your communications smooth and uninterrupted.


VPN

Think of a VPN as a private bridge that connects your island to the mainland. While it uses existing internet roads, it’s exclusively yours, shrouded in secure encryption. This bridge ensures your data travels safely, protected from public traffic, offering a private and secure pathway for your information.


I have linked some Azure documentation on both of these in case you are looking for a more technical explanation.


Conclusion

And there you have it! By following these steps, you can securely connect to your Microsoft Fabric Tenant using private links and endpoints, ensuring your data travels over a private network. This setup keeps your network interactions safe and sound, like a secret tunnel only you know about.


Now, let's make this more of a hangout rather than just a one-sided chat. Have you tried setting up private connectivity before? Got any fun analogies or stories about network security mishaps (or triumphs)? Drop your thoughts or questions in the comments below!


Remember, the world of network security doesn't have to be intimidating. Think of it as building cool, secret pathways to your destination. Happy securing, and I can't wait to hear from you all!


Let’s chat!


Resources


1 Comment


Uwe Fuchs
Oct 02, 2024

I’d love to hear your feedback on these blog posts where I break down technical speak using analogies. I find it makes things easier to understand, but I’d love to hear your thoughts!
