
Azure Purview Managed Vnet, Vnet Integration Runtime and Managed Private Endpoints


We are glad to announce support for Azure Purview managed Vnet, Vnet Integration Runtime and managed private endpoint connections today, in public preview! This set of capabilities provides you with a more secure and manageable data scanning solution within Purview. You can now provision the Azure Integration Runtime in a Managed Virtual Network and leverage Private Endpoints to securely connect to supported Azure data sources. Metadata traffic generated by scans, flowing between the data source and the Azure Purview Managed Virtual Network during ingestion into the catalog, goes through Azure Private Link, which provides secure connectivity and eliminates exposure of your metadata to the internet. With the Purview Managed Virtual Network and Managed Private Endpoints, you can also offload the burden of managing the virtual network to Azure Purview, and protect against metadata exfiltration.

 

Azure Purview Managed Virtual Network terminology and steps

 

Managed Virtual Network

 

The Managed Virtual Network is associated with the Azure Purview instance and is managed by Azure Purview. You can choose to have the Azure Integration Runtime created within the Managed Virtual Network. The Managed Virtual Network gets created automatically when you create your first Managed Vnet Integration Runtime as described below.

 

purview-managed-vnet-architecture.png

 

Managed Virtual Network Integration Runtime

 

You first need to create an Azure Integration Runtime within the Managed Virtual Network, which ensures that the data scanning process is completely isolated and secure, while also being fully managed.

 

You can do so by navigating to the Integration runtimes section in the Purview DataMap, and going through the creation flow as shown below.

 

IRcrud.png

 

 

You must then fill in the details to complete your setup.

 

 

IRdetails.png

 

 

 

Creating and deploying the Managed VNet Integration Runtime for the first time triggers multiple workflows in the Purview Studio for creating managed private endpoints to Azure Purview and its Managed Storage Account. You must click on each workflow to approve the private endpoint for the corresponding Azure resource from the Azure portal. If you don't have the right permissions to approve these requests, the resource owner must approve the connection request before you can proceed.

 

purview-managed-ir-workflows.png

 

 

Managed Private Endpoints

 

Managed Private Endpoints are private endpoints created in the Azure Purview Managed Virtual Network that establish a private link to Azure resources. Azure Purview manages these private endpoints on your behalf. A private endpoint uses a private IP address in the managed virtual network to effectively bring the service into it. Private endpoints are mapped to a specific resource in Azure and not the entire service. You can use this mechanism to limit connectivity to specific resources approved by your organization.

 

After you create an Azure integration runtime inside your managed Vnet, you must next create a managed Private endpoint connection to your Azure data source. You can do so by navigating to the Purview management center, and then to the Managed private endpoint connections as shown below.

 

managedPECreation.png

 

Private endpoint connections are currently supported for the following data source types:

- Azure Blob Storage
- Azure Data Lake Storage Gen 2
- Azure SQL Database
- Azure Cosmos DB
- Azure Synapse Analytics
- Azure Files
- Azure Database for MySQL
- Azure Database for PostgreSQL

 

A private endpoint connection to a data source is created in "Pending" state. An approval workflow is initiated and the data source owner is responsible for approving or rejecting the connection in the Azure portal.

 

purview-managed-data-source-pe-azure.png

 

Setting up a scan using a managed Vnet Integration Runtime

 

Once you've set up the Managed Vnet IR and the managed private endpoint to the data source, you must set up a scan on the data source, which you have already registered to Purview. While setting up your scan, pick the managed Vnet IR as the connection option and ensure that interactive authoring is enabled. If it is not, you can enable it inline with a click of a button. You must also ensure that the managed private endpoint connection to the data source is in 'Approved' state as shown below.

 

ManagedVnetScan.png
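
As an added example (not part of the original post and not Microsoft tooling), the pre-scan conditions described above can be checked in a short Python script: the source type is on the supported list, a managed private endpoint targets that exact resource, and the connection is in 'Approved' state. The inventory records, their field names, the status strings other than "Pending" and "Approved", and all resource IDs are constructed for illustration and do not reflect a Purview API schema.

```python
# Added example. Records, field names and resource IDs are constructed;
# they are not a Purview or Azure API schema.
SUPPORTED_TYPES = {
    "Azure Blob Storage", "Azure Data Lake Storage Gen 2", "Azure SQL Database",
    "Azure Cosmos DB", "Azure Synapse Analytics", "Azure Files",
    "Azure Database for MySQL", "Azure Database for PostgreSQL",
}

def scan_readiness(sources, endpoints):
    """Map each registered data source name to its readiness for a Managed VNet IR scan."""
    # A private endpoint maps to one specific resource, not the whole service,
    # so index by target resource ID. Azure resource IDs are case-insensitive.
    by_target = {}
    for ep in endpoints:
        by_target.setdefault(ep["target_resource_id"].lower(), []).append(ep["status"])

    report = {}
    for src in sources:
        statuses = by_target.get(src["resource_id"].lower(), [])
        if src["type"] not in SUPPORTED_TYPES:
            report[src["name"]] = "unsupported-type"
        elif not statuses:
            report[src["name"]] = "no-managed-private-endpoint"
        elif "Approved" in statuses:
            report[src["name"]] = "ready"
        elif "Pending" in statuses:
            report[src["name"]] = "awaiting-owner-approval"
        else:
            report[src["name"]] = "not-approved"  # e.g. rejected by the owner
    return report

# Constructed inventory: placeholder subscription, hypothetical resources.
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers"
SOURCES = [
    {"name": "sales-lake", "type": "Azure Data Lake Storage Gen 2",
     "resource_id": _RG + "/Microsoft.Storage/storageAccounts/saleslake"},
    {"name": "hr-sql", "type": "Azure SQL Database",
     "resource_id": _RG + "/Microsoft.Sql/servers/hr-sql"},
    {"name": "archive-blob", "type": "Azure Blob Storage",
     "resource_id": _RG + "/Microsoft.Storage/storageAccounts/archive"},
    {"name": "legacy-table", "type": "Azure Table Storage",  # not on the list above
     "resource_id": _RG + "/Microsoft.Storage/storageAccounts/legacy"},
]
ENDPOINTS = [
    {"target_resource_id": _RG + "/Microsoft.Storage/storageAccounts/SalesLake", "status": "Approved"},
    {"target_resource_id": _RG + "/Microsoft.Sql/servers/hr-sql", "status": "Pending"},
]

if __name__ == "__main__":
    for name, state in scan_readiness(SOURCES, ENDPOINTS).items():
        print(f"{name}: {state}")
```

Note that `archive-blob` is reported as having no endpoint even though another storage account does: approval of one resource's private endpoint grants no connectivity to a second resource of the same service.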

 

Get started today!

  • Quickly and easily create an Azure Purview account to try the generally available features.
  • Read full documentation about how to use Purview Managed Vnet, Vnet IR and Managed Private Endpoints.
