Azure VNet, Private Endpoints & Networking
Securing data engineering workloads with private networking, endpoints, and network isolation
Network Architecture for Data Engineering
DATA ENGINEERING NETWORK ARCHITECTURE (reconstructed from the original diagram)

On-premises corporate network --(ExpressRoute private peering)--> Hub VNet gateway

Hub VNet (10.0.0.0/16), shared services only:
  - GatewaySubnet         10.0.1.0/24   ExpressRoute / VPN gateway
  - AzureFirewallSubnet   10.0.2.0/24   Azure Firewall (egress and spoke-to-spoke inspection)
  - AzureBastionSubnet    10.0.3.0/24   Bastion for admin access to VMs such as self-hosted IR hosts
  (these three subnet names are fixed by Azure; the firewall and Bastion subnets need at least a /26)

Hub <--VNet peering--> Spoke. Peering is NOT transitive: a spoke reaches another spoke, or
on-premises, only when a UDR sends that traffic to the hub firewall (and, for the on-premises
path, the spoke peering has "use remote gateways" enabled).

Spoke VNet (10.1.0.0/16), data engineering workloads:
  - Compute subnet      10.1.1.0/24   Databricks, ADF integration runtime, Synapse
                                      (Databricks VNet injection needs two delegated subnets of its own)
  - Data subnet         10.1.2.0/24   private endpoints (one NIC per endpoint)
  - Monitoring subnet   10.1.3.0/24   Azure Monitor Private Link Scope endpoint for Log Analytics / Monitor

Private endpoints (Private Link) in the data subnet: ADLS Gen2, Synapse, Key Vault, Cosmos DB.
Private Endpoints Configuration
Bicep Template
// Parameters and existing resources the template refers to
param location string = resourceGroup().location
param spokeVnetName string = 'vnet-spoke-de'
param dataSubnetName string = 'snet-data'
param storageAccountName string

resource spokeVnet 'Microsoft.Network/virtualNetworks@2024-01-01' existing = {
  name: spokeVnetName
}

// Reference the data subnet by name; indexing subnets[1] silently breaks when subnets are reordered
resource dataSubnet 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' existing = {
  parent: spokeVnet
  name: dataSubnetName
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Private DNS Zone for ADLS Gen2 (dfs sub-resource). The zone name is fixed by the service.
// maxNumberOfRecordSets is read-only on this resource type and must not be set.
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.dfs.core.windows.net'
  location: 'global'
}

// Link the zone to the spoke VNet so Azure DNS (168.63.129.16) answers from it.
// registrationEnabled stays false: the zone holds Private Link records only, not VM names.
resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: 'vnet-link-spoke'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: spokeVnet.id
    }
    registrationEnabled: false
  }
}

// Private Endpoint for ADLS Gen2 in the data subnet
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-01-01' = {
  name: 'pe-adls-gen2'
  location: location
  properties: {
    subnet: {
      id: dataSubnet.id
    }
    privateLinkServiceConnections: [
      {
        name: 'adls-connection'
        properties: {
          privateLinkServiceId: storageAccount.id
          groupIds: ['dfs'] // one endpoint per sub-resource; 'blob' needs its own endpoint and zone
        }
      }
    ]
  }
}

// DNS Zone Group: writes the endpoint's A record into the private zone and keeps it updated
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-01-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'dnsZoneConfig'
        properties: {
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
}
Network Security Groups Rules
{
  "securityRules": [
    {
      "name": "AllowDatabricksInbound",
      "properties": {
        "description": "Databricks control plane. Not required once secure cluster connectivity (no public IP) is enabled.",
        "priority": 100,
        "direction": "Inbound",
        "access": "Allow",
        "protocol": "Tcp",
        "sourcePortRange": "*",
        "destinationPortRange": "443",
        "sourceAddressPrefix": "AzureDatabricks",
        "destinationAddressPrefix": "*"
      }
    },
    {
      "name": "AllowSynapseManagement",
      "properties": {
        "description": "SqlManagement service tag: 1433 dedicated SQL pool, 1443 serverless SQL pool.",
        "priority": 200,
        "direction": "Inbound",
        "access": "Allow",
        "protocol": "Tcp",
        "sourcePortRange": "*",
        "destinationPortRanges": ["1433", "1443"],
        "sourceAddressPrefix": "SqlManagement",
        "destinationAddressPrefix": "*"
      }
    },
    {
      "name": "AllowAzureLoadBalancerInbound",
      "properties": {
        "description": "Health probes. Needed because the explicit deny below overrides the default allow at priority 65001.",
        "priority": 300,
        "direction": "Inbound",
        "access": "Allow",
        "protocol": "*",
        "sourcePortRange": "*",
        "destinationPortRange": "*",
        "sourceAddressPrefix": "AzureLoadBalancer",
        "destinationAddressPrefix": "*"
      }
    },
    {
      "name": "DenyAllInbound",
      "properties": {
        "description": "Explicit deny at the lowest custom priority; also overrides AllowVnetInBound (65000).",
        "priority": 4096,
        "direction": "Inbound",
        "access": "Deny",
        "protocol": "*",
        "sourcePortRange": "*",
        "destinationPortRange": "*",
        "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*"
      }
    }
  ]
}
⚠️ Security Critical: End the custom rule set with an explicit Deny-all at the lowest custom priority (4096). It takes precedence over the built-in defaults AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001), which is the point, but it also means load-balancer health probes and any intra-VNet flows you depend on must be allowed explicitly above it. Service tags describe the address ranges of a service as a whole, shared by every tenant of that service, so never rely on them alone: combine them with Private Endpoints and the PaaS resource firewall. On Databricks-injected subnets, Databricks adds and manages its own required rules on the NSG; leave those in place.
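To see the priority logic concretely, the following added example (not code from the original page) simulates how an NSG evaluates an inbound flow: custom rules first, then the three built-in default rules, first match wins. It replays the rule set above and shows that the explicit deny at 4096 also swallows load-balancer health probes until an explicit allow is placed above it. Service tags are matched symbolically (a flow declares which tags its source belongs to) because tag address ranges are not available offline; the flow addresses and tags are constructed for illustration.

```python
# Added example, not from the original page: simulate how an NSG evaluates an inbound
# flow. Azure walks rules in ascending priority (custom rules first, then the three
# built-in default rules) and the first match wins. Service tags are matched
# symbolically here: a flow states which tags its source falls under, because tag
# address ranges are not available offline.
import ipaddress

# Built-in default inbound rules. They exist in every NSG and cannot be deleted,
# only overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# The custom rules from the NSG above (same priorities, sources and ports).
PAGE_RULES = [
    {"name": "AllowDatabricksInbound", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "destinationPortRange": "443", "sourceAddressPrefix": "AzureDatabricks"}},
    {"name": "AllowSynapseManagement", "properties": {
        "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "destinationPortRanges": ["1433", "1443"], "sourceAddressPrefix": "SqlManagement"}},
    {"name": "DenyAllInbound", "properties": {
        "priority": 4096, "direction": "Inbound", "access": "Deny", "protocol": "*",
        "destinationPortRange": "*", "sourceAddressPrefix": "*"}},
]
# The probe allow the warning calls for, placed above the explicit deny.
PROBE_ALLOW_RULE = {"name": "AllowAzureLoadBalancerProbe", "properties": {
    "priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "*",
    "destinationPortRange": "*", "sourceAddressPrefix": "AzureLoadBalancer"}}


def _port_matches(spec, port):
    """NSG port specs are '*', a single port, or 'low-high'."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-")
        return int(low) <= port <= int(high)
    return int(spec) == port


def _source_matches(prefix, src_ip, src_tags):
    """A source prefix is '*', an address/CIDR, or a service tag name."""
    if prefix == "*":
        return True
    try:
        network = ipaddress.ip_network(prefix, strict=False)
    except ValueError:  # not an address, so it is a service tag such as AzureDatabricks
        return prefix in src_tags
    return ipaddress.ip_address(src_ip) in network


def evaluate_inbound(custom_rules, src_ip, src_tags, dst_port, protocol="Tcp"):
    """Return (access, rule_name) of the first rule matching the flow.

    Destination prefixes are ignored: the flow is assumed to target an address in the
    subnet the NSG is attached to, which "destinationAddressPrefix": "*" covers.
    """
    rules = []
    for rule in custom_rules:
        props = dict(rule["properties"])
        if props.get("direction", "Inbound") != "Inbound":
            continue
        props["name"] = rule["name"]
        rules.append(props)
    rules.extend(DEFAULT_INBOUND_RULES)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
        if not any(_port_matches(p, dst_port) for p in ports):
            continue
        if not any(_source_matches(s, src_ip, src_tags) for s in sources):
            continue
        return rule["access"], rule["name"]
    raise AssertionError("DenyAllInBound always matches")  # unreachable


def probe_verdicts():
    """Side effect of the explicit deny: it also eats load-balancer health probes."""
    probe = ("168.63.129.16", {"AzureLoadBalancer"}, 443)  # probe source address
    return {
        "defaults only": evaluate_inbound([], *probe),
        "page rules": evaluate_inbound(PAGE_RULES, *probe),
        "page rules + probe allow": evaluate_inbound(PAGE_RULES + [PROBE_ALLOW_RULE], *probe),
    }


if __name__ == "__main__":
    for label, verdict in probe_verdicts().items():
        print(f"{label:26s} -> {verdict}")
    print(evaluate_inbound(PAGE_RULES, "203.0.113.9", {"Internet"}, 22))
```

Run it and the probe goes from Allow (defaults only) to Deny by DenyAllInbound (page rules) and back to Allow only when the priority 300 rule is present; SSH from the Internet is denied by the custom rule at 4096 rather than the default at 65500, which is what you want to see in flow logs.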
Service Endpoints vs Private Endpoints
| Feature | Service Endpoints | Private Endpoints |
|---|---|---|
| Traffic path | Azure backbone to the service's public endpoint; the source is the subnet's private address | Private Link to a NIC inside your VNet |
| IP address | Public IP of the service | Private IP in your subnet (e.g. 10.1.2.5) |
| DNS resolution | Public DNS, unchanged | Private DNS zone (privatelink.*) overrides the public name |
| Access from on-premises | No; scoped to the subnet, not usable over VPN/ExpressRoute | Yes, over VPN/ExpressRoute with DNS forwarding into the VNet |
| Exfiltration control | Weak: the subnet can still reach any other account of that service, attacker-owned included | Strong: each endpoint maps to one specific resource, and the public endpoint can be disabled entirely |
| NSG support | Outbound rules by service tag only | Inbound and outbound rules on the endpoint NIC once network policies are enabled on the subnet |
| Cost | No charge | Hourly charge per endpoint plus per-GB data processed |
| Use case | Quick lockdown of a subnet to a PaaS service | Enterprise isolation: no public exposure, on-premises access, exfiltration control |
VNet Peering Architecture
VNET PEERING TOPOLOGY (reconstructed from the original diagram)

Region: East US
  Hub VNet (10.0.0.0/16): Gateway, Firewall, Bastion
    |-- peering --> Spoke: DE VNet (10.1.0.0/16)   Databricks, Synapse, ADF
    |-- peering --> Spoke: ML VNet (10.2.0.0/16)   Azure ML, AML compute
    |-- peering --> Spoke: QA VNet (10.3.0.0/16)   Dev/Test resources

Region: West US 2 (DR)
  Hub VNet (10.4.0.0/16): Gateway, Firewall

GLOBAL VNET PEERING: East US Hub <--> West US 2 Hub

Spokes are peered only with their hub. Spoke-to-spoke and spoke-to-DR traffic exists only
because UDRs on the spoke subnets send it to the hub firewall, which forwards it over the
hub's other peerings ("allow forwarded traffic" must be enabled on those peerings). Address
spaces must not overlap anywhere in the peered set, hence one distinct /16 per VNet.

Cost: VNet peering is metered per GB in each direction, also within a region (USD 0.01/GB
inbound and 0.01/GB outbound for same-region peering at the time of writing). Global
(cross-region) peering is charged at a higher, zone-dependent per-GB rate in each direction.
Check the current pricing page before sizing DR replication traffic.
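The non-transitivity above is the thing most often misconfigured, so here is an added example (not part of the original page) that models the topology and answers "does a packet from spoke A get to spoke B?" first with peering alone and then with a UDR that sends the other spoke's prefix to the hub firewall; it also generates the route entries each spoke needs. The firewall address 10.0.2.4 is an assumption (first usable host in AzureFirewallSubnet 10.0.2.0/24), and the sample addresses are constructed.

```python
# Added example, not from the original page: model the hub-and-spoke peering above and
# show that peering alone gives no spoke-to-spoke path; a user-defined route (UDR) that
# sends the other spoke's prefix to the hub firewall is what creates one. The firewall
# address 10.0.2.4 is an assumption (first usable host in AzureFirewallSubnet 10.0.2.0/24).
import ipaddress

VNETS = {
    "hub-east": "10.0.0.0/16",
    "spoke-de": "10.1.0.0/16",
    "spoke-ml": "10.2.0.0/16",
    "spoke-qa": "10.3.0.0/16",
    "hub-west": "10.4.0.0/16",
}
# Peerings are bidirectional links; spokes peer only with their hub.
PEERINGS = {
    frozenset({"hub-east", "spoke-de"}),
    frozenset({"hub-east", "spoke-ml"}),
    frozenset({"hub-east", "spoke-qa"}),
    frozenset({"hub-east", "hub-west"}),  # global VNet peering
}
FIREWALL_IP = "10.0.2.4"  # assumed Azure Firewall private IP in the East US hub


def peered(a, b):
    return frozenset({a, b}) in PEERINGS


def vnet_for(ip):
    addr = ipaddress.ip_address(ip)
    for name, cidr in VNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not in any known VNet")


def check_no_overlap():
    """Peering is refused when address spaces overlap, so validate up front."""
    nets = [ipaddress.ip_network(c) for c in VNETS.values()]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def forward_path(src_ip, dst_ip, udrs):
    """One-way path for a packet, or None if it is dropped.

    udrs maps a VNet name to the set of destination prefixes that VNet routes to the
    hub firewall. Return traffic needs the mirror route on the destination spoke.
    """
    src, dst = vnet_for(src_ip), vnet_for(dst_ip)
    if src == dst or peered(src, dst):
        return [src, dst]  # directly connected; system routes handle it
    fw_vnet = vnet_for(FIREWALL_IP)
    routed = any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p)
                 for p in udrs.get(src, ()))
    if routed and peered(src, fw_vnet) and peered(fw_vnet, dst):
        return [src, f"{fw_vnet}:firewall", dst]
    return None  # peering is not transitive and nothing redirected the packet


def spoke_route_table(spoke):
    """UDR entries that send every non-peered VNet's prefix through the hub firewall."""
    return [
        {"name": f"to-{other}", "addressPrefix": cidr,
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": FIREWALL_IP}
        for other, cidr in VNETS.items()
        if other != spoke and not peered(spoke, other)
    ]


if __name__ == "__main__":
    print(forward_path("10.1.1.10", "10.2.1.10", udrs={}))  # None: no transitive path
    udrs = {"spoke-de": {r["addressPrefix"] for r in spoke_route_table("spoke-de")}}
    print(forward_path("10.1.1.10", "10.2.1.10", udrs))      # via hub-east:firewall
    print(forward_path("10.2.1.10", "10.1.1.10", udrs))      # None until spoke-ml gets its UDR
```

The asymmetric result at the end is the practical lesson: a UDR on one spoke only makes the outbound leg work. The reply from spoke-ml still has no route to spoke-de unless spoke-ml carries the mirror-image table, and the firewall policy must allow the flow in both directions.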
Azure Data Factory with VNet
{
  "name": "adf-prod-vnet",
  "type": "Microsoft.DataFactory/factories",
  "apiVersion": "2018-06-01",
  "location": "eastus2",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "publicNetworkAccess": "Disabled"
  }
}
provisioningState is a read-only output and networkAcls is not a property of the factory resource, so neither belongs in the template. With publicNetworkAccess set to Disabled the factory is reachable only through private endpoints: groupId dataFactory (zone privatelink.datafactory.azure.net) for the service and groupId portal (zone privatelink.adf.azure.com) for authoring in the portal, so the authoring UI also needs a VNet-connected client (Bastion, VPN or ExpressRoute).
Self-Hosted Integration Runtime in VNet
{
  "name": "adf-prod-vnet/ir-selfhosted-prod",
  "type": "Microsoft.DataFactory/factories/integrationRuntimes",
  "apiVersion": "2018-06-01",
  "properties": {
    "type": "SelfHosted",
    "description": "Runs on VMs in the compute subnet of the spoke VNet"
  }
}
A self-hosted IR is just a registration record; the software runs on VMs you place in the compute subnet. The authentication key used to register a host is read from the factory after deployment (listAuthKeys) and entered on the host, never embedded in a template. A linkedInfo block of type LinkedIntegrationRuntimeKey is used only when this factory shares another factory's self-hosted IR, and hostCaching is not a property of this resource.
ℹ️ Pro Tip: Use the Azure integration runtime in a Managed Virtual Network with managed private endpoints instead of a self-hosted IR whenever every source and sink is in Azure: there are no VMs to patch, the service scales the compute, and the managed VNet exposes nothing inbound. A self-hosted IR remains necessary for on-premises sources and for anything reachable only through your own VNet routing.
DNS Configuration for Private Endpoints
DNS RESOLUTION FLOW (reconstructed from the original diagram)

1. Client request: the ADF integration runtime in the spoke opens
   stdatalake001.dfs.core.windows.net.
2. The VM's resolver is Azure DNS at 168.63.129.16. The public zone returns a CNAME:
   stdatalake001.dfs.core.windows.net -> stdatalake001.privatelink.dfs.core.windows.net
   (Azure publishes this CNAME as soon as a private endpoint exists for the account).
3. privatelink.dfs.core.windows.net is a private DNS zone linked to the spoke VNet, so Azure
   DNS answers from it: stdatalake001 A 10.1.2.5, the private endpoint's address.
4. Traffic goes to the private endpoint NIC at 10.1.2.5 in the data subnet, and Private Link
   carries it to the storage account. The public IP is never used.

If the VNet is not linked to the private zone, or the client uses a custom DNS server that
does not forward to 168.63.129.16, step 3 falls through to the public zone and the name
resolves to a public IP; with public network access disabled on the account the request
then fails with 403, the usual symptom of a missing zone link. On-premises clients must
forward the privatelink zones to a resolver inside the VNet (Azure DNS Private Resolver or a
DNS forwarder VM), because 168.63.129.16 is reachable only from inside Azure.

DNS zones required:
  - privatelink.dfs.core.windows.net    (ADLS Gen2)
  - privatelink.sql.azuresynapse.net    (Synapse SQL, dedicated and serverless pools)
  - privatelink.dev.azuresynapse.net    (Synapse Dev endpoint)
  - privatelink.azuresynapse.net        (Synapse Studio / web, via a Private Link Hub)
  - privatelink.vaultcore.azure.net     (Key Vault)
  - privatelink.blob.core.windows.net   (Blob Storage)
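Both the Bicep template earlier and the zone list above hinge on the same two questions: is every private endpoint's zone linked to the VNet, and does the name actually resolve to the private endpoint? The following added example (not code from the original page) answers both. The zone table is the list above plus the Cosmos DB and Data Factory zones used elsewhere on this page; the resolver is injectable so the check runs offline against constructed answers, and the default uses the OS resolver, which inside the spoke is Azure DNS.

```python
# Added example, not from the original page: check private-endpoint DNS plumbing.
# 1) required_zones / missing_zones: which privatelink zones a set of private
#    endpoints needs, and which of those are not yet linked to the VNet.
# 2) check_resolution: resolve a service FQDN and confirm it lands on a private
#    address inside the expected data-subnet prefix. The resolver is injectable so
#    the check can run offline; the default uses the OS resolver, which inside the
#    spoke is Azure DNS at 168.63.129.16.
import ipaddress
import socket

# (resource type, private endpoint groupId) -> private DNS zone
PRIVATE_DNS_ZONES = {
    ("Microsoft.Storage/storageAccounts", "dfs"): "privatelink.dfs.core.windows.net",
    ("Microsoft.Storage/storageAccounts", "blob"): "privatelink.blob.core.windows.net",
    ("Microsoft.Synapse/workspaces", "Sql"): "privatelink.sql.azuresynapse.net",
    ("Microsoft.Synapse/workspaces", "SqlOnDemand"): "privatelink.sql.azuresynapse.net",
    ("Microsoft.Synapse/workspaces", "Dev"): "privatelink.dev.azuresynapse.net",
    ("Microsoft.Synapse/privateLinkHubs", "Web"): "privatelink.azuresynapse.net",
    ("Microsoft.KeyVault/vaults", "vault"): "privatelink.vaultcore.azure.net",
    ("Microsoft.DocumentDB/databaseAccounts", "Sql"): "privatelink.documents.azure.com",
    ("Microsoft.DataFactory/factories", "dataFactory"): "privatelink.datafactory.azure.net",
}


def required_zones(endpoints):
    """endpoints: iterable of {"resourceType": ..., "groupId": ...} as in the Bicep."""
    zones = set()
    for ep in endpoints:
        key = (ep["resourceType"], ep["groupId"])
        if key not in PRIVATE_DNS_ZONES:
            raise ValueError(f"no zone mapping for {key}; add it before deploying")
        zones.add(PRIVATE_DNS_ZONES[key])
    return zones


def missing_zones(endpoints, linked_zones):
    """Zones the endpoints need that are absent from the VNet's linked private zones."""
    return sorted(required_zones(endpoints) - set(linked_zones))


def privatelink_name(fqdn):
    """Public name -> the CNAME target Azure publishes once a private endpoint exists.

    stdatalake001.dfs.core.windows.net -> stdatalake001.privatelink.dfs.core.windows.net
    """
    host, _, domain = fqdn.partition(".")
    if "privatelink." + domain not in PRIVATE_DNS_ZONES.values():
        raise ValueError(f"{domain} is not a Private Link domain in the table")
    return f"{host}.privatelink.{domain}"


def check_resolution(fqdn, expected_subnet, resolver=socket.gethostbyname):
    """Resolve fqdn and report whether the answer is inside the private endpoint range."""
    ip = ipaddress.ip_address(resolver(fqdn))
    in_subnet = ip in ipaddress.ip_network(expected_subnet)
    return {
        "fqdn": fqdn,
        "ip": str(ip),
        "private": ip.is_private,
        "in_expected_subnet": in_subnet,
        # A public answer means the VNet is not linked to the zone (or custom DNS does
        # not forward to 168.63.129.16); with public access disabled that shows as 403.
        "ok": ip.is_private and in_subnet,
    }


if __name__ == "__main__":
    endpoints = [
        {"resourceType": "Microsoft.Storage/storageAccounts", "groupId": "dfs"},
        {"resourceType": "Microsoft.Synapse/workspaces", "groupId": "Sql"},
        {"resourceType": "Microsoft.KeyVault/vaults", "groupId": "vault"},
    ]
    print(missing_zones(endpoints, {"privatelink.dfs.core.windows.net"}))
    # Constructed answers standing in for Azure DNS: a correct one and a leaked public one.
    print(check_resolution("stdatalake001.dfs.core.windows.net", "10.1.2.0/24", lambda _: "10.1.2.5"))
    print(check_resolution("stdatalake001.dfs.core.windows.net", "10.1.2.0/24", lambda _: "20.60.1.1"))
```

Run check_resolution with the default resolver from a VM in the spoke as a post-deployment smoke test; an answer flagged ok=False with a public IP points at a missing zone link or a custom DNS server that is not forwarding to Azure DNS, before anyone starts debugging firewall rules.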
Network Security Best Practices
# Python script to audit NSG rules: list inbound Allow rules and flag broad sources
import os
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

# Sources that make an inbound Allow rule worth a second look
BROAD_SOURCES = {"*", "Internet", "0.0.0.0/0"}

subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]
credential = DefaultAzureCredential()
network_client = NetworkManagementClient(credential, subscription_id)

# List all NSGs in the subscription and their custom (non-default) rules
for nsg in network_client.network_security_groups.list_all():
    print(f"\nNSG: {nsg.name}")
    print(f"Resource Group: {nsg.id.split('/')[4]}")
    for rule in nsg.security_rules or []:
        if rule.direction != "Inbound" or rule.access != "Allow":
            continue
        # A rule carries either a single prefix/port or a list; only one of the pair is set
        sources = rule.source_address_prefixes or [rule.source_address_prefix]
        ports = rule.destination_port_ranges or [rule.destination_port_range]
        flag = "  !! BROAD SOURCE" if BROAD_SOURCES & set(sources) else ""
        print(f"  Allow Rule: {rule.name}{flag}")
        print(f"    Priority: {rule.priority}")
        print(f"    Source: {', '.join(sources)}")
        print(f"    Dest Ports: {', '.join(ports)}")
Interview Questions
Q1: Explain the Hub-Spoke network topology for data engineering. A: The Hub VNet holds shared services (Azure Firewall, ExpressRoute/VPN gateway, Bastion). Spoke VNets hold the data engineering workloads (Databricks, Synapse, ADF) and their private endpoints. Each spoke is peered only with the hub; because peering is not transitive, spoke-to-spoke and spoke-to-on-premises traffic is steered through the hub firewall with UDRs (and gateway transit for the on-premises path). That gives centralized egress control and inspection while keeping workloads isolated from one another.
Q2: When would you use Self-Hosted Integration Runtime vs Managed VNet in ADF? A: A self-hosted IR is needed for on-premises or private-network sources that only your own VNet routing can reach, and when you need control over the host (custom drivers, proxies). The Azure IR in a managed VNet with managed private endpoints is preferred for Azure-to-Azure scenarios: no VMs to patch or scale, and the compute has no inbound exposure.
Q3: How do Private Endpoints affect data transfer costs? A: Traffic to a private endpoint stays on Private Link and never traverses the public internet. Private Link is billed as an hourly charge per private endpoint plus a per-GB charge on inbound and outbound data processed, even within one region; cross-region use adds the usual inter-region data transfer charges on top. Budget for the per-endpoint charge: one endpoint per sub-resource (dfs and blob are separate) per storage account adds up quickly.