Use private endpoints for your Microsoft Purview account
Note
The Microsoft Purview Data Catalog is changing its name to Microsoft Purview Unified Catalog. All the features will stay the same. You'll see the name change when the new Microsoft Purview Data Governance experience is generally available in your region. Check the name in your region.
Important
This article covers private endpoints for the classic Microsoft Purview governance portal (https://web.purview.azure.com). If you're using the new Microsoft Purview portal (https://purview.microsoft.com/), follow the documentation for private endpoints in the Microsoft Purview portal.
Conceptual Overview
You can use Azure private endpoints for your Microsoft Purview accounts to allow users on a virtual network (VNet) to securely access the catalog over a Private Link. A private endpoint uses an IP address from the VNet address space for your Microsoft Purview account. Network traffic between the clients on the VNet and the Microsoft Purview account traverses over the VNet and a private link on the Microsoft backbone network.
If you're still using the classic portal experience, you can deploy Microsoft Purview account private endpoint, to allow only client calls to Microsoft Purview that originate from within the private network. To connect to the Microsoft Purview governance portal using a private network connectivity, you can deploy portal private endpoint.
For both the new and classic experience, you can deploy ingestion private endpoints if you need to scan Azure IaaS and PaaS data sources inside Azure virtual networks and on-premises data sources through a private connection. This method ensures network isolation for your metadata flowing from the data sources to Microsoft Purview Data Map.
Prerequisites
Before deploying private endpoints for Microsoft Purview account, ensure you meet the following prerequisites:
- An Azure account with an active subscription. Create an account for free.
- An existing Azure Virtual network. Deploy a new Azure virtual network if you don't have one.
Microsoft Purview private endpoint deployment scenarios
Use the following recommended checklist to perform deployment of Microsoft Purview account with private endpoints:
Scenario | Objectives |
---|---|
Scenario 1 - Connect to your Microsoft Purview and scan data sources privately and securely | You need to restrict access to your Microsoft Purview account only via a private endpoint, including access to the Microsoft Purview governance portal, Atlas APIs and scan data sources in on-premises and Azure (but inside a virtual network) using self-hosted integration runtime ensuring end to end network isolation. (Deploy account, _portal, and ingestion private endpoints.) |
Scenario 2 - Connect privately and securely to your Microsoft Purview account | You need to enable access to your Microsoft Purview account, including access to the Microsoft Purview governance portal and Atlas API through private endpoints. (Deploy account and portal private endpoints). |
Scenario 3 - Scan data source securely using Managed Virtual Network | You need to scan Azure data sources securely, without having to manage a virtual network or a self-hosted integration runtime VM. (Deploy managed private endpoints for Microsoft Purview Azure data sources). |
Scenario 4 - Using the new Microsoft Purview portal | If you're using the new portal experience, you can set up ingestion and platform private endpoints. |
Frequently Asked Questions
For FAQs related to private endpoint deployments in Microsoft Purview, see FAQ about Microsoft Purview private endpoints.
Troubleshooting guide
For troubleshooting private endpoint configuration for Microsoft Purview accounts, see Troubleshooting private endpoint configuration for Microsoft Purview accounts.
Known limitations
To view list of current limitations related to Microsoft Purview private endpoints, see Microsoft Purview private endpoints known limitations.