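This article describes how to enable Azure V-net Integration Runtime (IR) to manage private endpoints in Microsoft Graph Data Connect (Data Connect). We recommend that customers use an Azure Synapse workspace when enabling Azure V-net IR in mapping data flows. Azure Data Factory is compatible with Azure V-net IR.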

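With Azure V-net IR, customers no longer need to add public IP addresses to an allowlist, and they can close their destination storage accounts to public networks so that data extraction is set up through a private virtual network. This helps make data extraction from Data Connect to the customer's storage account more secure.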

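Note:

Managed private endpoints are supported only in mapping data flows (MDF) within Azure Synapse or Azure Data Factory (ADF) workspaces. Existing Azure Synapse or ADF workspaces with copy activities require you to allowlist IP addresses for access through selected protected networks.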

Enable Azure V-net IR for Azure Synapse

Use the following steps to enable Azure V-net Integration Runtime (IR) to manage private endpoints within MDF in Data Connect:

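  1. Create a Synapse (or ADF) workspace, then sign in to the Azure portal to configure the existing storage account. The following example demonstrates this feature in Synapse.

    Screenshot with the Basics tab highlighted, showing the first step to create a Synapse workspace.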

  2. On the Networking tab, next to Managed virtual network, select Enable.

    Screenshot with the Networking tab highlighted and Managed virtual network option enabled, showing the second step to create a Synapse workspace.

  3. Open the Synapse workspace. Go to Manage > Managed private endpoints.

  • If you added a storage option when creating your Synapse workspace, the managed private endpoint connection to storage is already created in a Pending approval state.

    Screenshot showing a successfully created, managed private endpoint, with approval state pending.

  • If you're using existing storage, create a managed private endpoint. Select New, choose the storage type, then choose Continue.

    Screenshot showing the option to create a managed private endpoint with an existing storage option.

  • Provide the connection name and description, specify the storage account, then choose Create.

    Screenshot showing how to create and name a new managed private endpoint.

  • Note the initial state will be provisioning of a private IP address from within the Managed Virtual Network.

    Screenshot showing the provisioning state of a new managed private endpoint that is pending.

  • After the endpoint is successfully provisioned, the approval state is Pending. Continue to Step 4, and use the created name rather than the name generated in step 3.

    Screenshot showing the provisioning state of a new managed private endpoint.

  4. Approve the managed private endpoint from the storage account.
  • Go to Storage account > Networking > Private endpoint connections to view the private endpoint request in a pending state.

    Screenshot showing a new private endpoint request in a pending state.

  • Select the connection, then choose Approve.

    Screenshot showing a new private endpoint with Approval button highlighted, ready to be approved.

  • Provide a description when prompted, and verify that the connection state has changed to Approved.

    Screenshot showing a private endpoint with Approved state highlighted.

  5. In the storage account Networking blade, go to Firewalls and virtual networks. Under Public network access, select Enabled from selected virtual networks and IP addresses, and configure the network firewall according to your preference. Uncheck Allow Azure services on the trusted services list to access this storage account.

    Screenshot showing the Firewalls and virtual networks tab highlighted, and configuration settings for public network access, firewall, and network rule exceptions.

  6. Return to the previous Synapse workspace, and wait for the managed private endpoint to switch to Approved.

    Screenshot with the approved state of a managed private endpoint in a Synapse workspace, highlighted.

The managed private endpoint shows as successfully created and linked to the desired storage account from Synapse Analytics.

  7. Verify the available integration runtime is configured to Managed Virtual Network (configured by default).

    Screenshot with the Managed Virtual Network highlighted, successfully configured to available integration runtime.

After these steps, v-net IR in MDF should be enabled within your Synapse (or ADF) workspace. Please reach out to the Data Connect team for any questions!
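The storage-account settings from the approval and firewall steps above can also be checked from exported configuration rather than by eye in the portal. The following is an added example, not part of the original article or any Microsoft tooling: `audit_storage_account` is a hypothetical helper, the sample JSON is constructed, and the field names are assumed to follow the output of `az storage account show`.

```python
import json

# Constructed sample shaped like `az storage account show` output (not real data).
SAMPLE = json.loads("""
{
  "name": "examplestorage",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Deny", "bypass": "None",
                     "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [
    {"name": "synapse-mpe-example",
     "privateLinkServiceConnectionState": {"status": "Approved"}}
  ]
}
""")


def audit_storage_account(acct):
    """Return findings; an empty list means the settings match the walkthrough."""
    findings = []
    rules = acct.get("networkRuleSet") or {}
    public = acct.get("publicNetworkAccess") or "Enabled"  # absent is treated as Enabled
    # "Enabled from selected virtual networks and IP addresses" means traffic
    # from networks that are not listed must be denied by default.
    if public != "Disabled" and rules.get("defaultAction") != "Deny":
        findings.append("firewall default action is not Deny")
    # The trusted Azure services exception must be unchecked.
    bypass = [b.strip() for b in (rules.get("bypass") or "").split(",")]
    if "AzureServices" in bypass:
        findings.append("trusted Azure services bypass is still enabled")
    # The managed private endpoint request must be approved on the storage side.
    states = [(c.get("name"),
               (c.get("privateLinkServiceConnectionState") or {}).get("status"))
              for c in acct.get("privateEndpointConnections") or []]
    if not any(status == "Approved" for _, status in states):
        findings.append("no approved private endpoint connection")
    findings += [f"private endpoint connection {name} is {status}"
                 for name, status in states if status != "Approved"]
    return findings


if __name__ == "__main__":
    results = audit_storage_account(SAMPLE)
    for line in results or ["storage account matches the walkthrough"]:
        print(line)
```

To check a real account, save the output of `az storage account show` to a file and pass the parsed JSON to the function in place of `SAMPLE`.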