Workspace Outbound Access Protection for Data Factory and OneLake Shortcuts (Preview)
We announced Outbound Access Protection for Spark (Generally Available) and recently extended it to support SQL Endpoint and Warehouse. Now, Pipelines, Copy job, Dataflows, OneLake Shortcuts as well as Mirrored Databases (such as Mirrored SQL Database, Mirrored Snowflake) support Workspace level Outbound Access Protection (Preview).
Key Benefits
- Enhanced Outbound Security: By leveraging OAP rules, organizations can ensure that the Data Factory items from the protected workspace can only connect to a limited set of destinations which are allowed by workspace admins. All other outbound connections to public internet and other destinations are blocked from the workspace.
- Granular Control: Control outbound access per workspace instead of at the tenant level. This allows you to apply differentiated controls across business units, environments (dev/test/prod), data domains, or project.
- Data Exfiltration prevention: Workspace OAP when combined with Inbound protection can help the customer prevent the data from getting exfiltrated outside the workspace boundary.
- Better Compliance: Meet stringent compliance and regulatory requirements by ensuring your sensitive data never leaves the workspace boundary if it’s not allowed by Workspace Admins.
What to expect with Outbound access protection (OAP) for Data Factory
OAP ensures that the external connections made from the Fabric workspace are secured and allowed by the Workspace Admins, thereby reducing the risk of exfiltration.
OAP is now expanded to include the support for the following items:
- Dataflow Gen 2 (with CICD)
- Pipelines
- Copy job
- Mirrored Items
When OAP is set, workspace admins will be able to configure outbound rules on the workspace (allow/deny) connection types and granular endpoints.
Workspace admins will also get the ability to allow/deny specific VNET/On-Prem Data Gateways. After the gateways are allowed, users in the workspace can incorporate those gateway connections into their workflows.
This will give the right flexibility to ensure the workspace is protected from exfiltration and allow connections to the trusted destinations.
In the following workflow diagram, to allow connection to external data sources or to another workspace, the workspace admins will have to first enable OAP (1), then set up Data connection rules for the workspace. Based on the combination of allowed Data sources (for example SQL Server and VNET Data Gateway), items like Pipeline and Dataflows can establish connections to these sources. All other outbound connections will be blocked.
To learn more about Workspace OAP for Data Factory, set-up, scope and limitations, refer to the Workspace outbound access protection overview documentation.
OneLake shortcuts and outbound access protection
In addition to Data Factory improvements, the momentum continues with updates to OneLake. External shortcuts are now supported with outbound access protection! You can use the new data source connection rules to allow list specific outbound data sources. After allowlisting, you can read existing shortcuts and create new ones only to those allowlisted locations, ensuring your data stays secure without limiting your data estate. For example, you can create a data connection rule allowing outbound connections to your ADLS Gen2 account while blocking outbound requests to other external locations, including any other ADLS Gen2 accounts!
You can also use data connection rules to allow cross-workspace OneLake connections through the Lakehouse connector. By adding a connection rule for a different workspace in the Lakehouse connector, all copy operations and shortcuts from your OAP-enabled workspace to the allowed-listed workspace are allowed. This gives you an alternative way to allow cross- workspace connections without the use of managed private endpoints and a private link service.
Interested in learning more about OneLake and outbound access protection? Check out managing outbound access from OneLake with outbound access protection for more information!
What’s next?
Tenant level Admin APIs for Workspace OAP settings are rolling out and will be available next week (Live Now).
We are actively working to expand OAP support for additional experiences and plan to add support for Power BI Semantic Models and Reports soon.
Your feedback is essential! Let us know how we can make Fabric even more secure and flexible for your workloads by sharing your feedback at Fabric Ideas – Microsoft Fabric Community.
