Connect to Azure resources securely using managed private endpoints (Preview)

Managed Private Endpoint is a network security feature of the Fabric platform that allows Fabric items to securely access data sources that are behind a firewall or aren't accessible from the public internet. When you integrate Eventstream with a managed private endpoint, a managed virtual network (VNet) is automatically created for Eventstream, so that data moving between Eventstream and your Azure resources is transmitted over a private network.

The following diagram shows a sample architecture for connecting Eventstream to Azure event hub within a virtual network:

A screenshot of the Eventstream private network architecture.

Supported regions and data sources

  • Supported regions for Eventstream managed VNet: Only selected Fabric tenant regions are supported for Eventstream managed VNet. These regions include:
    • Australia Southeast
    • East US
    • Canada Central
    • East US 2
    • North Central US
    • North Europe
    • West Europe
    • West US
  • Supported data sources: In alignment with the Managed Private Endpoints in Fabric, Eventstream only supports private connections for the following Azure resources:
    • Azure Event Hubs
    • Azure IoT Hub

To learn more about managed private endpoints and supported data sources, visit Managed Private Endpoints for Fabric.

Connect to Azure Event Hubs using a managed private endpoint

Setting up a private connection in Eventstream is straightforward. Follow these steps to create a managed private endpoint for an Azure event hub and stream data to Eventstream over a private network.

Prerequisites

  • Managed private endpoints are supported for Fabric trial and all Fabric F SKU capacities.
  • Only users with Workspace Admin permissions can create managed private endpoints.
  • An Azure event hub with public access disabled, and its Resource ID ready for creating a private endpoint.
  • A Fabric tenant region that supports managed VNet for Eventstream.

Step 1: Create an eventstream

  • Switch your Power BI experience to Real-time Intelligence.
  • Navigate to the Eventstream section and select Create. Give your eventstream a name, such as "eventstream-1".

A screenshot of creating an eventstream.

Step 2: Create a private endpoint

  • In the Fabric workspace, go to the Workspace settings and navigate to the Network security section.
  • Select Create to add a new private endpoint.
  • For the Resource identifier, enter the resource ID of your Azure event hub, such as /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/my-resourcegroup/providers/Microsoft.EventHub/namespaces/my-eh-namespace/eventhubs/my-eventhub.
  • For Target Sub-resource, select Azure Event Hub.
  • Select Create to finalize the private endpoint creation.

A screenshot of creating a private endpoint.

Step 3: Approve the private endpoint in Azure Event Hubs

  • Go to the Azure portal and open your Azure event hub.
  • In the Networking section, navigate to the Private endpoint connections tab.
  • Locate the private endpoint request from your Fabric workspace and approve it.
  • Once approved, the managed private endpoint status updates to Approved.

A screenshot of approving private endpoint in Azure portal.
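
Before adding the source in Step 4, you can confirm the prerequisites and the Step 3 approval with a short script. The following Python code is an added example, not part of the original article or of any Microsoft tooling: the `preflight` helper and the sample data are constructed, and the JSON is assumed to have the shape returned by `az eventhubs namespace show`.

```python
import json
import re

# Regions this article lists as supporting Eventstream managed VNet.
SUPPORTED_REGIONS = {"Australia Southeast", "East US", "Canada Central", "East US 2",
                     "North Central US", "North Europe", "West Europe", "West US"}

# ARM resource IDs are case-insensitive; the /eventhubs/<name> suffix is optional.
RESOURCE_ID = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"/resourceGroups/[^/]+/providers/Microsoft\.EventHub"
    r"/namespaces/[^/]+(?:/eventhubs/[^/]+)?/?$", re.IGNORECASE)

def preflight(resource_id, tenant_region, namespace_json):
    """Hypothetical helper: return findings; an empty list means all checks passed."""
    findings = []
    if RESOURCE_ID.match(resource_id.strip()) is None:
        findings.append("resource ID is not an Event Hubs resource ID")
    if tenant_region not in SUPPORTED_REGIONS:
        findings.append(f"region {tenant_region!r} is not in the supported list")
    ns = json.loads(namespace_json)
    # Prerequisite: the event hub must have public access disabled.
    if ns.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")
    # Step 3: at least one request approved, and no request left unreviewed.
    states = {c.get("name"): (c.get("privateLinkServiceConnectionState") or {}).get("status")
              for c in ns.get("privateEndpointConnections") or []}
    if "Approved" not in states.values():
        findings.append("no Approved private endpoint connection")
    for name, status in states.items():
        if status == "Pending":
            findings.append(f"connection {name!r} is Pending and awaits review")
    return findings

# Constructed sample input (names and states are made up for illustration).
SAMPLE_ID = ("/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/"
             "my-resourcegroup/providers/Microsoft.EventHub/namespaces/"
             "my-eh-namespace/eventhubs/my-eventhub")
SAMPLE_NAMESPACE = json.dumps({
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [
        {"name": "fabric-mpe-1",
         "privateLinkServiceConnectionState": {"status": "Approved"}},
        {"name": "unknown-pe",
         "privateLinkServiceConnectionState": {"status": "Pending"}},
    ],
})

if __name__ == "__main__":
    for finding in preflight(SAMPLE_ID, "East US", SAMPLE_NAMESPACE):
        print("FAIL:", finding)
```

With the constructed sample, the only finding is the pending request from `unknown-pe`, which should be reviewed before it is approved or rejected.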

Step 4: Add an Azure Event Hubs source to Eventstream

  • Go back to the eventstream you created in Fabric.
  • Select Azure Event Hubs and add it as a source to your Eventstream.
  • When creating a new connection to your Azure event hub, uncheck the Test connection option if your event hub isn't publicly accessible.
  • Manually enter the Consumer group.

A screenshot of adding Azure Event Hubs to Eventstream.

Once added, Eventstream starts pulling data from your Azure event hub over the private network.

A screenshot of successfully adding Azure Event Hubs to Eventstream.

By following these steps, you have a fully operational Eventstream running over a secure private network, using the managed private endpoint to ensure secure data streaming.

Limitations

  • The Data Preview feature may not be available for data sources that aren't publicly accessible when connected through a managed private endpoint. However, the data is securely transmitted and flows correctly to the Eventstream.