Synapse with DL and network restriction using Resource instances

theodorbrander 56 Reputation points
2022-04-05T07:56:57.997+00:00

Hello,

I am at a loss so would greatly appreciate any assistance. I have created a synapse workspace with managed network and a Datalake gen2 as a linked service. The problem is that I am unable to manage the linked DL from Synapse studio as I just get "AuthorizationFailure" when I try to access the container, as per image:
189968-image.png

So this message appears when I go from Synapse Studio->Data->Linked->Azure Data Lake Storage Gen2->Storage account->Container

My configuration:

  • From the storage account's networking tab I have selected 'Selected network'.
  • I have also created a PE which I have approved and from Synapse Studio it is connected (green).
  • My own user and the Synapse Workspace's Managed Identity are both owner and Storage Blob Data Contributor in the DL.
  • I have configured "Resource instances" on the storage account to use my synapse workspace as per image below:

189967-image.png

  • Finally, I have set the ACL on the container level to Read/Write/Execute for my own user and SP:

As soon as I switch back to "All networks" the DL is accessible to manage from the Synapse Studio. Am I missing some configuration?

Looking forward to your kind suggestions,
BR
Theodor

Azure Synapse Analytics

1 answer

  1. JonasK 0 Reputation points
    2025-02-14T08:14:56.9733333+00:00

    Probably a bit late for you, but maybe this will help someone else with the same issue.

    From my understanding, the file browser of the linked service operates from your client (i.e., your laptop). So, for this to work, you need to add your own IP address to the storage account's network rules (or use private endpoints or a similar solution). Additionally, you must grant your user account the necessary permissions on the storage account (e.g., Storage Blob Data Contributor in the RBAC roles).

    Pipelines and serverless SQL queries should execute successfully even without granting permissions or configuring network rules for your user/client. However, developing these without access to the data lake files can be challenging.

    0 comments
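
The behaviour the answer describes, as an added example that is not part of the original thread: a simplified Python model of a storage account firewall, showing why the workspace's resource instance rule admits the workspace identity while the Studio file browser, calling from the user's own IP, is denied until an IP rule is added. The rule-set shape follows the output of `az storage account show --query networkRuleSet`; the resource ids, tenant id and IP addresses are constructed placeholders.

```python
import copy
import ipaddress

# Constructed sample in the shape printed by
# `az storage account show --query networkRuleSet`; all ids and IPs are placeholders.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-demo/providers/Microsoft.Synapse/workspaces/ws-demo")
RULES = {
    "defaultAction": "Deny",            # "Selected networks" in the portal
    "ipRules": [],                      # no client IPs allowed yet
    "virtualNetworkRules": [],
    "resourceAccessRules": [            # the "Resource instances" entry
        {"resourceId": WORKSPACE_ID,
         "tenantId": "00000000-0000-0000-0000-000000000000"}],
}


def check_caller(rules, client_ip=None, resource_id=None):
    """Return (allowed, reason) for one caller. Simplified model: private
    endpoints, VNet rules and the trusted-services bypass are not evaluated."""
    if rules.get("defaultAction", "Allow") == "Allow":
        return True, "all networks allowed"
    if resource_id is not None:
        for rule in rules.get("resourceAccessRules", []):
            # Exact match only; a simplification of how instance rules are matched.
            if rule["resourceId"].lower() == resource_id.lower():
                return True, "resource instance rule"
    if client_ip is not None:
        addr = ipaddress.ip_address(client_ip)
        for rule in rules.get("ipRules", []):
            net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
            if rule.get("action", "Allow") == "Allow" and addr in net:
                return True, f"IP rule {rule['ipAddressOrRange']}"
    return False, "no network rule matches this caller"


def with_ip_rule(rules, ip_or_cidr):
    """Return a copy of the rule set with one more allowed client IP or range."""
    updated = copy.deepcopy(rules)
    updated["ipRules"].append({"action": "Allow", "ipAddressOrRange": ip_or_cidr})
    return updated


if __name__ == "__main__":
    laptop = "203.0.113.7"  # documentation-range address standing in for the user's public IP
    print("workspace identity:", check_caller(RULES, resource_id=WORKSPACE_ID))
    print("Studio file browser:", check_caller(RULES, client_ip=laptop))
    print("after adding the IP:", check_caller(with_ip_rule(RULES, laptop), client_ip=laptop))
```

A network-rule match only gets the request past the firewall; the RBAC role and ACLs mentioned in the thread are evaluated separately.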
