Extending Outbound Access Protection to Fabric Warehouse and SQL Analytics Endpoint
With the release of Outbound Access Protection (OAP) for Fabric workspaces, customers gained a powerful safeguard: the ability to strictly control where outbound connections can be established. Meaning data loads and queries across the workspace are limited to trusted destinations, reducing risk and strengthening governance.
Now, Fabric Warehouse (Preview) and SQL Analytics Endpoint (GA) are fully compliant with OAP. This extension ensures that the same protections you already rely on at the workspace level are enforced consistently for your most critical analytical workloads.
Benefits you can expect
Consistency – The same outbound protections that already apply to Spark workloads now apply to Warehouse and SQL Endpoint.
Governance at scale – With OAP enforced at the workspace level, all workloads respect the same rules.
Stronger security posture – Data loads through COPY INTO, OPENROWSET, Bulk Insert and similar operations are locked to trusted sources, reducing accidental or unauthorized access.
Putting boundaries on outbound connections
Outbound Access Protection ensures that Fabric Warehouse and SQL Endpoint cannot make outbound connections to destinations that aren’t explicitly approved. Once enabled at the workspace level, every artifact in that workspace follows the same rule.
Think of it as a firewall for your data estate: if the connection is on your allowed list, it goes through; if it isn’t, Fabric blocks it.
Closing a common security gap
One of the most sensitive moments in any warehouse is the data load. Without protection, operations such as COPY INTO, Bulk Insert or OPENROWSET could be pointed to untrusted or even malicious sources. OAP prevents that by blocking unapproved endpoints before data ever moves.
This reduces the risk of data exfiltration, keeps governance consistent across the workspace, and simplifies operations by enforcing rules in real time instead of relying on after-the-fact monitoring.
Putting OAP to work is straightforward
- Switch it on at the workspace level.
- Let Fabric enforce the boundary automatically.
At this stage, Warehouse and SQL Endpoint outbound connections are limited to the current workspace. In upcoming releases, you will be able to configure an allow list that defines exceptions for trusted destinations outside the workspace.
So, for example, your COPY INTO commands, Bulk Insert or OPENROWSET commands will only be allowed within the workspace boundaries, meaning you need to rely on the recent improvement we released for COPY INTO to support OneLake as source.
How Warehouse and SQL Endpoint benefit from OAP
Fabric Warehouse: ingestion pipelines are locked to trusted sources, aligning with enterprise governance strategies.
SQL Endpoint: workloads that query data from external systems gain an additional layer of protection.
The result is confidence that users can only pull from approved locations, no matter how they try to connect.
A step forward in secure analytics
Outbound Access Protection adds another layer to Fabric’s security foundation, alongside encryption, auditing, and role-based access control. It’s built in, simple to use, and designed to give organizations peace of mind that their data estate is secure by default.
For more information, refer to the OneLake as a Source for COPY INTO and OPENROWSET (Preview) blog post. Or the documentation on, COPY INTO (Transact-SQL), Browse File Content Before Ingestion with the OPENROWSET function, and Workspace outbound access protection overview.
