MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

More Details around Network Security #61781

Closed pnarsi closed 3 years ago

pnarsi commented 4 years ago

This is a very interesting feature. In the context of our organization it would potentially save us a lot of effort around deploying and managing individual SHIR VM for all of our ADF environments.

I believe that this article does need some additional details around network security, specifically around what incoming and outgoing management traffic is required for the VNET for this solution to work. The documentation implies that there is no requirement for any incoming management traffic. There is, however, a mention of port 443 being opened, but there is no mention of what the destination IP address ranges are. I assume that at a minimum the VNET will require connectivity to the ADF movement service + ADF service. Including something like this diagram would be useful.


HarithaMaddi-MSFT commented 4 years ago

@pnarsi - Thanks for sharing valuable feedback. I am moving it to content owner to look into it and share the thoughts.

@nabhishek - Can you please take a look?

rothja commented 4 years ago

@nabhishek Could you please take a look at this documentation suggestion? Thank you!

jonburchel commented 3 years ago

reassign @lrtoyou1223

Can we add a network diagram to this article?

lrtoyou1223 commented 3 years ago

The current diagram in the ADF managed VNET doc has already shown the communications between the integration runtime and data stores. For the communication between the integration runtime and the ADF management service, it's an implementation detail and not customer facing.

pnarsi commented 3 years ago

@lrtoyou1223

The documentation seems to have been updated since I first posted this question. There is now an "Outbound communications through public endpoint from ADF Managed Virtual Network" section that says that "All ports are opened for outbound communications."

Based on this I assume this means that the managed vnet does not block connectivity to any public endpoints, i.e. I could create a linked service for a remote public SFTP server and then create a pipeline to copy data from a storage account exposed via a managed private endpoint to this remote public SFTP server.

Is my interpretation of the documentation correct? If so it would be worth updating the diagram to show that connectivity to public data stores is possible.

Furthermore, if my interpretation of the above statement is correct, then the dot point at the top of the page saying "Managed Virtual Network along with Managed private endpoints protects against data exfiltration." doesn't sound correct, as the managed VNET has all ports opened for outbound communication, so a user could move data to an external public-facing data store.

lrtoyou1223 commented 3 years ago

@pnarsi yes, you are right. In the current version of ADF managed vnet, you are allowed to access data stores without PE. But in the future, we plan to provide some data exfiltration features, like allowing customers to block all public access and setting up some rules to control outbound traffic. Feel free to contact me if you have further questions about this. Thanks a lot.

lrtoyou1223 commented 3 years ago

@pnarsi , could we close this issue?

pnarsi commented 3 years ago

@lrtoyou1223 thanks for the clarification. I can see that a note has been added to the docs, so from a documentation perspective we can close this. I'll follow up offline around this future data exfiltration capability.