Events
Take the Microsoft Learn Challenge
Nov 19, 11 PM - Jan 10, 11 PM
Ignite Edition - Build skills in Microsoft Azure and earn a digital badge by January 10!
Register nowThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
The reference architecture is secure by design. It uses a multilayered security approach to mitigate common data exfiltration risks raised by customers. You can use certain features on a network, identity, data, and service layer to define specific access controls and expose only required data to your users. Even if some of these security mechanisms fail, the features help keep data within the enterprise-scale platform secure.
Network features such as private endpoints and disabled public network access can greatly reduce the attack surface of a data platform within an organization. Even with these features enabled, you need to take extra precautions to successfully connect to services such as Azure storage accounts, Azure Synapse workspaces, or Azure Machine Learning from the public internet.
This document describes the most common options for connecting to services inside a data management landing zone or data landing zone in a simple and secure way.
The simplest solution is to host a jumpbox on the virtual network of the data management landing zone or data landing zone to connect to the data services through private endpoints. A jumpbox is an Azure virtual machine (VM) running Linux or Windows to which users can connect via the Remote Desktop Protocol (RDP) or Secure Shell (SSH).
Previously, jumpbox VMs had to be hosted with public IPs to enable RDP and SSH sessions from the public internet. Network security groups (NSGs) could be used to further lock down traffic to allow connections from only a limited set of public IPs. However, this approach meant that a public IP had to be exposed from the Azure environment, which increased the attack surface of an organization. Alternatively, customers could use DNAT rules in their Azure Firewall to expose the SSH or RDP port of a VM to the public internet, which leads to similar security risks.
Today, instead of exposing a VM publicly, you can rely on Azure Bastion as a more secure alternative. Azure Bastion provides a secure remote connection from the Azure portal to Azure VMs over Transport Layer Security (TLS). Azure Bastion should be set up on a dedicated subnet (subnet with the name AzureBastionSubnet
) in the Azure data landing zone or Azure data management landing zone. You can then use it to connect to any VM on that virtual network or a peered virtual network directly from the Azure portal. No extra clients or agents need to be installed on any VM. You can again use NSGs to allow RDP and SSH from Azure Bastion only.
Azure Bastion provides a few other core security benefits, including:
For more information, see What is Azure Bastion?.
To simplify the process for users, there's a Bicep/ARM Template that can help you quickly create this setup inside your data management landing zone or data landing zone. Use the template to create the following setup inside your subscription:
To deploy the Bastion host yourself, select the Deploy to Azure button:
When you deploy Azure Bastion and a jumpbox through the Deploy to Azure button, you can provide the same prefix and environment that you use in your data landing zone or data management landing zone. This deployment has no conflicts, and it acts as an add-on to your data landing zone or data management landing zone. You can manually add other VMs to allow more users to work inside the environment.
After the deployment, you'll notice that two extra subnets are created on the data landing zone virtual network.
In addition, you'll find a new resource group inside your subscription, which includes the Azure Bastion resource and a virtual machine:
To connect to the VM by using Azure Bastion, follow these steps:
Select the VM (for example, dlz01-dev-bastion), select Connect, and then select Bastion.
Select the blue Use Bastion button.
Enter your credentials, and then select Connect.
The RDP session opens on a new browser tab, from which you can start connecting to your data services.
Sign in to the Azure portal.
Go to the {prefix}-{environment}-product-synapse001
Azure Synapse workspace inside the {prefix}-{environment}-shared-product
resource group for data exploration.
In the Azure Synapse workspace, load a sample dataset from the gallery (for example, the NYC Taxi dataset), and then select New SQL Script to query TOP 100
rows.
If all the virtual networks are peered with each other, only a single jumpbox in one data landing zone is required to access services across all data landing zones and data management landing zones.
To learn why we recommend this network setup, see Network architecture considerations. We recommend a maximum of one Azure Bastion service per data landing zone. If more users require access to the environment, you can add extra Azure VMs to the data landing zone.
Alternatively, you can connect users to the virtual network by using point-to-site connections. An Azure-native solution to this approach is to set up a VPN gateway to allow VPN connections between users and the VPN gateway over an encrypted tunnel. After you establish the connection, users can start connecting privately to services that are hosted on the virtual network inside the Azure tenant.
We recommend that you set up the VPN gateway in the hub virtual network of the hub-and-spoke architecture. For detailed, step-by-step guidance on setting up a VPN gateway, see Tutorial: Create a gateway portal.
If users are already connected to the on-premises network environment and connectivity should be extended to Azure, you can use site-to-site connections to connect the on-premises and Azure connectivity hub. Like a VPN tunnel connection, the site-to-site connection lets you extend the connectivity to the Azure environment. Doing so allows users who are connected to the corporate network to connect privately to services that are hosted on the virtual network inside the Azure tenant.
The recommended, Azure-native approach to such connectivity is the use of ExpressRoute. We recommend that you set up an ExpressRoute gateway in the hub virtual network of the hub-and-spoke architecture. For detailed, step-by-step guidance on setting up ExpressRoute connectivity, see Tutorial: Create and modify peering for an ExpressRoute circuit by using the Azure portal.
Events
Take the Microsoft Learn Challenge
Nov 19, 11 PM - Jan 10, 11 PM
Ignite Edition - Build skills in Microsoft Azure and earn a digital badge by January 10!
Register now