Introducing workspace-level IP Firewall rules in Microsoft Fabric (Preview)
In today’s hyper-connected digital landscape, safeguarding sensitive data is more critical than ever. Microsoft Fabric already offers a robust suite of network security capabilities for both inbound and outbound connectivity, including Private Links, Entra Conditional Access and Outbound Access Protection, all generally available.
As adoption of Microsoft Fabric continues to grow, customers increasingly operate in diverse scenarios where not all users, tools, or integrations can rely solely on private connectivity or identity-based controls. Organizations that expose Fabric workspaces over public endpoints often require a simple, network-based mechanism to restrict access to known and trusted IP ranges.
Workspace-level IP firewall rules address this need by allowing workspace admins to restrict inbound public network access at the individual workspace level through IP-based allowlists. Workspace Administrators can define access using single IP addresses, IP ranges, or CIDR blocks. This capability provides a lightweight, granular layer of inbound protection that complements existing Tenant-level and Workspace-level Private Links as well as Entra Conditional Access making it ideal for scenarios that require fine-grained inbound access control without modifying tenant-wide network settings.
What are workspace-level IP firewall rules?
Workspace-level IP firewall rules are designed to help restrict inbound connectivity to a Fabric workspace by enforcing IP-based access controls at the network layer. With Workspace-level IP firewall rules, workspace admins retain full control over inbound access controls, explicitly defining which public IP addresses are allowed to access their workspace.
These rules evaluate the caller’s public IP address at the network layer before the request reaches Fabric authentication or data services. Only connections originating from IPs included in the workspace’s allow list are permitted; all other inbound requests are blocked at ingress. This capability provides targeted, workspace-scoped inbound protection, enabling administrators to reduce exposure when accessing Fabric workspaces over public endpoints while maintaining flexibility and control.
Implementing Fabric workspace-level IP firewall rules
- Tenant admin must enable Configure workspace-level inbound network rules in the Fabric admin portal.
- As a Fabric workspace admin
- Navigate to Workspace Settings in the target workspace and select Allow connections from selected networks and workspace private links.
- Select Edit and add required IP rules (single IP, range or CIDR) to the landing page.
- Alternatively, you can choose to add the incoming IP address by selecting the drop down and selecting Add client IP address. This will automatically add the egress IP to allowlist.
For detailed set-up of Workspace IP firewall rules, its limitations and supported artifacts, please refer to Setup and use Workspace-level IP Firewall rules.
Key benefits
Enhanced inbound security
Restrict inbound access to Fabric workspaces by allowing connections only from explicitly approved public IP addresses. All other inbound requests originating from untrusted IPs are blocked at the network layer before reaching Fabric services.
Granular workspace-level control
Apply IP-based access controls at the individual workspace level rather than at the tenant scope. This enables differentiated security policies across business units, environments (dev/test/prod), data domains, or projects without impacting other workspaces.
Reduced exposure for Public Endpoints
Limit access to Fabric workspaces exposed over public endpoints by enforcing a small, trusted set of IP ranges for administrators, automation pipelines, partner tools, or applications operating outside private VNets.
Stronger Compliance and Governance posture
Meet regulatory and compliance requirements by enforcing explicit network-level access boundaries at the workspace level. When combined with Private Links and Entra Conditional Access, Workspace-level IP Firewall rules help organizations implement layered defenses aligned with enterprise security standards.
Looking ahead
Workspace-level IP firewall rules are an important step toward strengthening workspace-scoped network security in Microsoft Fabric. As we continue through Preview, we will refine this capability based on customer feedback and expand alignment with Fabric’s broader security and governance framework helping administrators apply consistent, layered protections across inbound access scenarios.
Your feedback is essential! Let us know how we can make Fabric even more secure and flexible for your workloads by adding your comment to this blog.
