Azure Synapse - Private Link Hub - Implementation Guidance

Microsoft Teams
Leigh Shayler    7 minutes ago
Azure Synapse - Private Link Hub - Implementation Guidance

Hi All,

 

We recently did a bit of a deep dive on Azure Synapse Private Link Hub for private connectivity to Azure Synapse, particularly with regard to customers with multiple workspaces. The key takeaways are:

 

  • Azure Synapse Private Link Hub is not at all tied to a Workspace.
  • When you create a private link from the hub, it gives you a private IP address and private DNS record for the web.azuresynapse.net portal.
  • Because you can only have a single DNS record for web.azuresynapse.net, you can't create two hubs in a connected environment and have them be resolvable to all virtual networks.
  • In a customer like HSS, if you put the Synapse Private Link Hub in a customer's spoke virtual network, firewall restrictions will prevent other customers from accessing the Synapse Portal because they can't access things in other customers' networks.

Therefore, you should:

  • Only deploy one private link hub in a shared / hub virtual network.
  • This virtual network should be accessible (firewall rules) to all users / customers that require access to Synapse.
  • You only need to create a single private link connection within the hub and link it to the shared / hub virtual network.
  • You should use DNS zones managed within the hub virtual network so that all users can resolve the name of web.azuresynapse.net.

 

There are plenty of docs on it, none of which are overly clear:

Ryan Royals, Lee Borlace

Ryan Royals    3 minutes ago
Awesome, thanks!
 
So Private Link Hub in its actual implementation is actually just a Managed VNET that you can connect multiple Synapse workspaces to?
Ryan Royals    2 minutes ago
'Managed' holds a lot of weight in that name.
a Managed Virtual Network is not a Virtual Network
same as a Managed Private Endpoint is not a Private Endpoint
Ryan Royals    just now
Also, to be that guy.
Should this go into the Ark knowledge base? Arkahna - Knowledge Base - Confluence (atlassian.net)