I want to be able to access Synapse Workspace Studio only through my Azure VM.
To do so, I want to have the following connection:
Log in to Azure VM (in subnet1, in VNet1) => connecting through a Private Endpoint using the VM's Private IP => accessing Azure Synapse Studio (all created by me)
To achieve this I have done:
- Lock down the public access of the Azure Synapse Workspace
- Created a Managed Private Endpoint: SQL server on demand to Subnet2 (in VNet1)
- The Synapse Workspace is deployed in a "Managed VNet" (as to use Integration Runtimes in a Managed VNet later on)
- All Endpoints are approved
- Changed the VM Private IP to a static Private IP (however, it still has its Public IP, as I am connecting to it through RDP)
However, I still can't open the Synapse Workspace: when I access the Synapse Studio website through the VM, it says that some features of Synapse Studio are disabled as I do not have access to them.
Possible cause: I think that I am missing the right DNS configuration, i.e. telling my VM to use its Private IP (instead of the Public one) when it connects to Synapse Studio. However, I have little-to-no knowledge of DNS configuration when using Private Endpoints (I hoped that it was all done automatically on the backend).
I have read the following article in MS docs: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
"It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string."
and
"Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name. You can override the resolution with the private IP address of your private endpoints."
Unfortunately, I do not understand what they are saying, nor is there a demo showing me how to override the DNS configuration.
So I will need your help!
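
The CNAME override described in the two quoted documentation passages, modelled as an added example that is not part of the original post and is not Microsoft's code. The workspace name `contoso-ws`, both IP addresses and the simplified one-hop record chain are constructed for illustration; `privatelink.sql.azuresynapse.net` is the documented private zone for Synapse SQL endpoints.

```python
import ipaddress

# RFC 1918 ranges; a private endpoint NIC takes an address from the VNet space.
# (ipaddress.is_private is avoided: it also flags documentation ranges.)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed public DNS: the service name is a CNAME into the privatelink
# zone, which on the public side still ends at a public address.
PUBLIC_DNS = {
    "contoso-ws.sql.azuresynapse.net":
        ("CNAME", "contoso-ws.privatelink.sql.azuresynapse.net"),
    "contoso-ws.privatelink.sql.azuresynapse.net": ("A", "203.0.113.10"),
}
# Constructed private DNS zone linked to the VNet: it answers for the
# privatelink name with the private endpoint's IP (the "override").
PRIVATE_ZONE = {
    "contoso-ws.privatelink.sql.azuresynapse.net": ("A", "10.0.2.5"),
}

def resolve(name, private_zone=None, max_hops=8):
    """Follow CNAMEs; records in private_zone win over public DNS."""
    chain = [name]
    for _ in range(max_hops):
        record = (private_zone or {}).get(name) or PUBLIC_DNS.get(name)
        if record is None:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, value = record
        if rtype == "A":
            return chain, value
        name = value          # CNAME: continue with the target name
        chain.append(name)
    raise LookupError("CNAME chain too long")

def uses_private_endpoint(name, private_zone=None):
    """True when the name finally resolves to an RFC 1918 address."""
    _, addr = resolve(name, private_zone)
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

if __name__ == "__main__":
    fqdn = "contoso-ws.sql.azuresynapse.net"
    for label, zone in (("public DNS only", None),
                        ("private zone linked", PRIVATE_ZONE)):
        chain, addr = resolve(fqdn, zone)
        print(f"{label}: {' -> '.join(chain)} -> {addr} "
              f"private={uses_private_endpoint(fqdn, zone)}")
```

The same comparison can be made on the VM itself by resolving the workspace endpoint names with `nslookup` and checking whether the answer falls inside the VNet's address space.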