ERWeiss
New Member

Fabric SQL Analytics Endpoint to Power BI Desktop Security Concerns

I am currently struggling with a Fabric/Power BI implementation. Our security team has concerns over the public connection from the Fabric service to Power BI Desktop. The organization currently closes the SQL port on the network. I have not encountered this limitation in the past and am trying to figure out how to appropriately work around these security measures.

 

I am aware of the private endpoints that are available through Azure; however, what I am hoping to understand better are two things. If we create private endpoints, will that enable access through the SQL endpoint even with that port blocked?

 

The second item is to understand what security measures are currently in place between Fabric SQL Endpoint with public internet and desktop Power BI? I believe from a Power BI security whitepaper:

"Data in transit

Power BI requires all incoming HTTP traffic to be encrypted using TLS 1.2 or above. Any requests attempting to use the service with TLS 1.1 or lower will be rejected"

 

We do allow connection via Direct Lake and appear, from a security standpoint, to be OK with that method. As a non-security individual, I am unsure of the rationale between the two.

 

I have come across the list of items to be aware of when implementing private endpoints, and the obvious standout is transitioning on-prem gateways to VNet; however, if anyone has implemented the private endpoints, is there anything else to be particularly aware of?

nilendraFabric
Community Champion

Hello @ERWeiss 

 

Microsoft Fabric’s private endpoints securely route SQL analytics traffic through Azure’s private network backbone, bypassing public internet exposure even with port 1433 blocked.

 

Private endpoints reroute Fabric SQL analytics traffic through Microsoft’s backbone network (not public internet), while still using TCP 1433.
• Port blocking on public networks won’t affect private-link connections since traffic never leaves Azure’s secure infrastructure.
• Requires enabling Block Public Internet Access in Fabric admin settings to enforce private routing

• Enable Block Public Internet Access in Fabric admin settings to enforce private routing
• Validate DNS resolution to private IPs using `nslookup`.
• Confirm NSGs allow outbound port 1433 within the VNet

By configuring private endpoints and internal NSGs correctly, you can securely use Fabric SQL endpoints while complying with port-blocking policies.
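The DNS and port checks listed in the reply above can be scripted from the workstation that runs Power BI Desktop. This is an added example, not part of the original posts or any Microsoft tooling; the function names are hypothetical, the endpoint hostname is supplied by you on the command line, and it assumes the VNet uses RFC 1918 address space.

```python
import ipaddress
import socket
import sys

# Assumption: the private endpoint's VNet uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addresses):
    """Split resolved addresses into (private, public) lists."""
    private, public = [], []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        (private if any(ip in net for net in RFC1918) else public).append(a)
    return private, public

def verdict(addresses, port_open):
    """Turn the DNS answer and the TCP 1433 result into one finding."""
    if not addresses:
        return "FAIL: name did not resolve"
    _, public = classify(addresses)
    if public:
        # Private DNS zone is not in effect for this client.
        return "FAIL: resolves to public address(es): " + ", ".join(public)
    if not port_open:
        return "FAIL: private address, but TCP 1433 unreachable (check NSG/firewall)"
    return "OK: private address and TCP 1433 reachable"

def resolve(host):
    """Same question nslookup asks, using the client's configured resolver."""
    try:
        infos = socket.getaddrinfo(host, 1433, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_open(addr, port=1433, timeout=3.0):
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def check(host):
    addrs = resolve(host)
    private, _ = classify(addrs)
    return verdict(addrs, bool(private) and all(tcp_open(a) for a in private))

if __name__ == "__main__":
    # Usage: python check_endpoint.py <your-sql-endpoint-hostname>
    for h in sys.argv[1:]:
        print(h, "->", check(h))
```

A "resolves to public address" result means the client is still taking the public path, which is the case the security team's port block would catch.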

 

 
