Shortcuts enable disparate systems to interface with a unified OneLake storage location within Fabric, thereby presenting a virtual data lake for organizational use. Azure Data Lake Gen2 can seamlessly integrate with these shortcuts. However, when the firewall of an Azure Data Lake Gen2 storage account is enabled, additional configurations are required to permit access to the secure storage. Detailed below are the setup steps necessary to accomplish this integration.
It is crucial to understand the security considerations for shortcut integration with Azure Data Lake Gen2 storage accounts. Currently, shortcuts to Azure Data Lake Gen2 storage accounts do not support private endpoints, virtual network gateways, or Fabric on-premises data gateway (OPDG). As a result, this document will focus on using trusted workspace access. Note that “Trusted workspace is limited to F SKU capacities.” Reference: Trusted workspace access
Trusted Workspace Access Configuration Steps:
First, create and deploy a custom ARM template, as shown below.
The sample ARM template is at the bottom of the page linked below. Fill in all the input values using the ADLS Gen 2 destination and the Fabric workspace information; the completed template will look like the one shown below.
Once the template is saved and deployed, the ADLS Gen 2 account's “Security + networking” section will list the Fabric workspace and instance information, as shown below.
Verify that the workspace identity is registered for the Fabric workspace.
Grant the Fabric workspace identity the Storage Blob Data Contributor role on the ADLS Gen 2 account as well.
Ensure that, for the Fabric workspace identity, the service principal option is selected when assigning the Storage Blob Data Contributor role, not managed identity.
Finally, because the storage account is secured by a firewall, configure the shortcut to authenticate with the workspace identity. Ensure the Fabric workspace identity is selected in this step.
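As an added example (not the article's ARM template or any Microsoft tool), the following Python checks an exported storage account definition and its role assignments against the three requirements from the steps above: firewall default action Deny, a resourceAccessRule for the Fabric workspace, and Storage Blob Data Contributor granted to the workspace identity's object id. The tenant, workspace and principal GUIDs and the resource dicts are constructed sample values; the placeholder subscription id of zeros in the workspace resource id follows the trusted workspace access template format.

```python
import copy

# Built-in Azure RBAC role definition GUID for Storage Blob Data Contributor.
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"


def check_trusted_workspace_access(account, role_assignments, tenant_id, workspace_id, principal_id):
    """Return findings (empty = OK) for an exported storage account dict and its role assignment dicts."""
    findings = []
    acls = account.get("properties", {}).get("networkAcls", {})
    if acls.get("defaultAction") != "Deny":
        findings.append("firewall not enabled: networkAcls.defaultAction should be 'Deny'")
    wanted = f"/providers/microsoft.fabric/workspaces/{workspace_id}".lower()
    if not any(r.get("tenantId", "").lower() == tenant_id.lower()
               and r.get("resourceId", "").lower().endswith(wanted)
               for r in acls.get("resourceAccessRules", [])):
        findings.append(f"no resourceAccessRule for Fabric workspace {workspace_id}")
    if not any(a["properties"].get("principalId", "").lower() == principal_id.lower()
               and a["properties"].get("roleDefinitionId", "").lower().endswith(STORAGE_BLOB_DATA_CONTRIBUTOR)
               for a in role_assignments):
        findings.append("workspace identity lacks Storage Blob Data Contributor on the account")
    return findings


# Constructed sample values (placeholder GUIDs), shaped like the exported Azure resources.
TENANT = "11111111-1111-1111-1111-111111111111"
WORKSPACE = "22222222-2222-2222-2222-222222222222"
WORKSPACE_SP = "33333333-3333-3333-3333-333333333333"
SAMPLE_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts", "name": "examplelake",
    "properties": {"isHnsEnabled": True, "networkAcls": {
        "bypass": "AzureServices", "defaultAction": "Deny",
        "resourceAccessRules": [{"tenantId": TENANT, "resourceId":
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/Fabric"
            f"/providers/Microsoft.Fabric/workspaces/{WORKSPACE}"}]}},
}
SAMPLE_ROLE_ASSIGNMENTS = [{
    "type": "Microsoft.Authorization/roleAssignments",
    "properties": {"principalId": WORKSPACE_SP, "principalType": "ServicePrincipal",
                   "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                   f"/providers/Microsoft.Authorization/roleDefinitions/{STORAGE_BLOB_DATA_CONTRIBUTOR}"},
}]


def broken_sample():
    """Constructed negative case: firewall left open and the role granted to a different principal."""
    acct, ras = copy.deepcopy(SAMPLE_ACCOUNT), copy.deepcopy(SAMPLE_ROLE_ASSIGNMENTS)
    acct["properties"]["networkAcls"]["defaultAction"] = "Allow"
    ras[0]["properties"]["principalId"] = "44444444-4444-4444-4444-444444444444"
    return acct, ras
```

Feed it the JSON returned by an ARM export of the account and of its role assignments to confirm the steps above took effect before creating the shortcut.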
It is important to note that authentication methods such as service principals have inherent limitations and should not be used when creating shortcuts. This is explicitly stated in the official documentation: “Trusted workspace access is not supported if a service principal is used to create shortcut.” Attempting to create the shortcut through an API call using a service principal results in the following exception:
"InsufficientPrivileges","moreDetails":[{"errorCode":"Forbidden","message":"Unable to access resource 'https://vicgoldstorage.blob.core.windows.net/' using connection 'https://vicgoldstorage.dfs.core.windows.net/ admin'. The supplied connection has insufficient permissions to access the resource. Please check the documentation for the required permissions."}],"message":"The caller does not have sufficient permissions to access the requested resource"}
For the full list of restrictions and considerations please visit the following link: Trusted workspace access restrictions-and-considerations
Reference: Trusted workspace access
DISCLAIMER: Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment unless thorough testing has been conducted by the app and database teams. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code, provided that You agree: (i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded; and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys fees, that arise or result from the use or distribution of the Sample Code.