azure-docs
ADF Doesn't Support Disabling Public Access for UI
As per the article https://learn.microsoft.com/en-us/answers/questions/154590/how-to-disable-public-access-to-adf-portal.html and empirical tests, public access to the Azure Data Factory authoring UI cannot be disabled. Even if we follow the steps in this article, the UI is still accessible and we can see all resources (or data).
Can you share if you plan something like a Private Endpoint for the ADF UI?
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 04cca896-a855-6c8a-44fa-0ba83b5f058a
- Version Independent ID: 3d841099-2213-9384-a0b9-568c04663630
- Content: Azure Private Link for Azure Data Factory - Azure Data Factory
- Content Source: articles/data-factory/data-factory-private-link.md
- Service: data-factory
- Sub-service: integration-runtime
- GitHub Login: @lrtoyou1223
- Microsoft Alias: lle
@michalmar Thanks for your feedback! We will investigate and update as appropriate.
@michalmar
Thank you for bringing this to our attention. I've assigned this issue to the author who will investigate and update as appropriate.
@lrtoyou1223
could you please review this and update as appropriate.
Any updates on this?
The documentation mentions:
> If you want to use the private endpoint for authoring and monitoring the data factory in your virtual network, select portal as Target sub-resource.
But it isn't restricting access to the portal/ADF Studio to virtual networks only. After creating that Target sub-resource, authors can still access it via the public network.
Can we please explicitly add a line saying this Target sub-resource doesn't restrict access to the Data Factory Studio over the public network.
Only blocking public access to the UI is not a feasible solution, since people can still access the ADF service through the API. So the better solution is to disable all ARM-level access. Please refer to https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/create-private-link-access-portal?source=docs
Thanks for providing feedback that helps improve our documentation. This issue has been resolved and we are closing the issue. #please-close
> Only block public access to UI is not a feasible solution since people still can access ADF service through API. So the better solution is to disable all ARM level access. Please refer to https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/create-private-link-access-portal?source=docs
Do you mean RBAC with this comment? I'm not sure how private link is going to close access to data factory resource via management.azure.com and *.svc.datafactory.azure.com (and adf.azure.com).
This limitation was clearly mentioned by @subashsivaji
> But it isn't restricting the access to portal/adf studio only through virtual networks. After creating that Target sub-resource authors can still access via public network.
The documentation itself, or the security baseline documentation, mentions the above-mentioned limitation: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/data-factory-security-baseline.
The security baseline mentions the following for Data Factory:
The following use case is an issue for some organizations:
- open authoring portal using public internet
- open dataset
- hit preview
- data will flow through public internet
I'm not sure if it is possible to configure Data Factory as the security baseline or the linked documentation describes. Mentioning limitations on a GitHub issue or Q&A site without documentation updates is IMHO kind of bad PR/DX.
@lrtoyou1223
We have enabled the private DNS zone privatelink.adf.azure.com, but now https://adf.azure.com has become unreachable. The temporary workaround we applied is to add a CNAME from the public DNS record to the private DNS zone:
portal CNAME 3600 datafactoryv2.trafficmanager.net
Can you shed some light on this? Could you add the recommended configuration to the docs?
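To make the outage in the comment above reproducible offline, here is an added example (not code from the thread or from Microsoft) that models how linking a private DNS zone for the `portal` sub-resource changes where `adf.azure.com` resolves. All zone contents are constructed, the `adf.azure.com -> portal.privatelink.adf.azure.com` hand-off is an assumption about the public DNS chain, and `10.0.0.0/16` stands in for the VNet address space.

```python
"""Model of ADF Studio name resolution with and without a private DNS zone.
Zone data is constructed for this example; the public CNAME chain below is an
assumption, not a record of what Azure's DNS actually returns."""
from ipaddress import ip_address, ip_network

PRIVATE_SUFFIX = ".privatelink.adf.azure.com"
VNET = ip_network("10.0.0.0/16")  # assumed VNet address space (constructed)
MAX_HOPS = 8                      # guard against CNAME loops / runaway chains

# Constructed public records: adf.azure.com hands off to the privatelink name,
# which in public DNS continues to the Traffic Manager profile from the thread.
PUBLIC = {
    "adf.azure.com": ("CNAME", "portal" + PRIVATE_SUFFIX),
    "portal" + PRIVATE_SUFFIX: ("CNAME", "datafactoryv2.trafficmanager.net"),
    "datafactoryv2.trafficmanager.net": ("A", "203.0.113.10"),  # TEST-NET-3
}


def resolve(name, private_zone, public=PUBLIC):
    """Follow CNAMEs and return the final IP, or None if the name is dead.
    private_zone holds the records inside privatelink.adf.azure.com. Once that
    zone is linked to the VNet it shadows the public answer for every name
    under it, including names it does not define (that is the outage)."""
    for _ in range(MAX_HOPS):
        if name.endswith(PRIVATE_SUFFIX):
            rec = private_zone.get(name[: -len(PRIVATE_SUFFIX)])  # None -> NXDOMAIN
        else:
            rec = public.get(name)
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "A":
            return value
        name = value  # CNAME: keep walking
    return None  # loop or chain too long


def portal_path(private_zone):
    """Classify where ADF Studio traffic goes from a VNet linked to this zone."""
    ip = resolve("adf.azure.com", private_zone)
    if ip is None:
        return "unreachable"
    return "private-endpoint" if ip_address(ip) in VNET else "public-internet"
```

An empty zone reproduces the reported outage, an A record for `portal` pointing at the private endpoint keeps Studio traffic inside the VNet, and the CNAME workaround from the comment restores reachability but sends the traffic back over the public internet.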