One of the crucial aspects of any data integration project with Azure Data Factory is data security. With the increasing focus on data security, preventing unauthorised access to data stores is on every organization's list of information security goals. In this post, let's look at the data access strategies that data stores on Azure provide for enabling secure access from Data Factory. Keep in mind that the network-level options below only control who can reach a data store; they are layered on top of, and never replace, authentication and authorization on the data store itself.
1. Azure Private Link: This feature lets you reach an Azure service through a private endpoint inside a virtual network instead of through the service's public endpoint. In Azure Data Factory, we can create an Azure Integration Runtime inside a Data Factory Managed Virtual Network and then create managed private endpoints from that network to each data store; each managed private endpoint has to be approved on the target resource before it carries traffic. The data store can then disable its public endpoint and accept connections only from the approved private endpoints, and the whole data transfer traffic stays on the Microsoft backbone with no exposure to the public network.
2. Trusted Service: Various data stores on Azure such as Blob storage, ADLS Gen2 etc. support Managed Identity authentication. A managed identity is an Azure Active Directory identity tied to a specific Azure resource, e.g. a specific Data Factory instance, so the linked service needs no stored credential. Storage accounts additionally offer the "Allow trusted Microsoft services to access this storage account" exception in their firewall; with it, a Data Factory that authenticates with its managed identity can reach the account even when the firewall's default action is Deny. The exception only bypasses the network rules: the managed identity still needs an RBAC role on the account (for example Storage Blob Data Reader), and it can only do what that role grants.
3. Unique Static IP: Data Factory can present a single static source IP to a data store, but only for traffic coming from a self-hosted Integration Runtime. The limitation here is that we must install and operate that self-hosted IR ourselves, on a VM or on-premises machine whose outbound address we control (for example a VM with a static public IP), and route the data-movement activities of the relevant pipelines through it.
4. Static IP Range: Azure Data Factory publishes a static range of outbound IP addresses per Azure region for the Azure Integration Runtime. This means it is possible to add an "allowed" IP address range, based on the Azure region where the Data Factory is hosted, to the data store's firewall. The ranges are published in the downloadable Azure IP Ranges and Service Tags JSON under the DataFactory service tag, and they can change over time, so the allow list must be refreshed when a new file is published. This IP range restriction is on top of any existing authentication rules configured in the data store: the IP filter decides who may connect, not who may read the data.
5. Service Tag: This feature is also based on IP filtering, but instead of entering the individual addresses or ranges you reference a tag that stands for the IP address prefixes assigned to a specific Azure service, such as DataFactory, or to that service in one region, such as DataFactory.WestEurope. Microsoft updates the prefixes behind the tag automatically when the service's IP addresses change, so rules written against the tag do not go stale the way a hand-maintained range does. Service tags are accepted where network rules are evaluated, such as network security groups and Azure Firewall; the reference table linked below shows which data stores honour them directly.
6. Allow Azure Services: Some Azure services, for example Azure SQL Database with its "Allow Azure services and resources to access this server" setting, provide the option to allow access from all Azure services and block all external (non-Azure) access requests. Be aware that this admits traffic from any Azure-hosted resource, including resources in other customers' subscriptions, so it is the weakest option listed here; it should only be used together with strong authentication on the data store, and preferably replaced by one of the narrower options above.
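As an added example (not code from the original post, and not Microsoft tooling), the script below shows what strategies 4, 5 and 6 look like from the operator's side. It reads a constructed excerpt shaped like Microsoft's downloadable ServiceTags_Public JSON, where the regional DataFactory.<Region> tag carries the per-region static IP ranges, renders the IPv4 prefixes as storage-account firewall rules, checks whether a client address seen in a data store's access log came from Data Factory, and audits a constructed set of Azure SQL server firewall rules, flagging the 0.0.0.0 rule that the "Allow Azure services" switch creates. The prefixes and rule names are documentation addresses chosen for the example, not the real Data Factory ranges.

```python
"""Audit data store allow-lists against the DataFactory service-tag ranges.

Added example, not code from the original post. The service tag excerpt and
the SQL firewall rules below are constructed; the prefixes are RFC 5737/3849
documentation addresses, not the real Data Factory ranges (assumption).
"""
import ipaddress
import json

# Constructed excerpt in the shape of the ServiceTags_Public_<date>.json file.
SERVICE_TAGS_JSON = """
{
  "cloud": "Public",
  "values": [
    {
      "name": "DataFactory.WestEurope",
      "properties": {
        "region": "westeurope",
        "systemService": "DataFactory",
        "addressPrefixes": [
          "203.0.113.0/28",
          "203.0.113.64/31",
          "198.51.100.17/32",
          "2001:db8:1::/64"
        ]
      }
    }
  ]
}
"""
SERVICE_TAG_DOC = json.loads(SERVICE_TAGS_JSON)

# Constructed Azure SQL server firewall rules in the shape returned when listing
# them. A rule from 0.0.0.0 to 0.0.0.0 is how the "Allow Azure services" switch
# is represented on the server.
SAMPLE_SQL_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "adf-westeurope", "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.15"},
    {"name": "office", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
]


def load_region_ranges(doc, region):
    """Return the prefixes published for the regional tag DataFactory.<Region>."""
    tag = f"DataFactory.{region}"
    for entry in doc["values"]:
        if entry["name"] == tag:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"{tag} not present in service tag file")


def storage_ip_rules(networks):
    """Render prefixes as storage-account firewall IP rules.

    Storage network rules take IPv4 only, and /31 and /32 prefixes have to be
    entered as individual addresses rather than CIDR ranges.
    """
    rules = []
    for net in networks:
        if net.version != 4:
            continue  # IPv6 prefixes from the tag file cannot be used here
        if net.prefixlen >= 31:
            rules.extend(str(addr) for addr in net)  # expand to single addresses
        else:
            rules.append(str(net))
    return rules


def source_is_adf(source_ip, networks):
    """True when a logged client address falls inside the published ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def classify_sql_rule(rule, networks):
    """Classify one Azure SQL firewall rule against the ADF ranges."""
    if rule["startIpAddress"] == "0.0.0.0" and rule["endIpAddress"] == "0.0.0.0":
        return "allow-azure-services"  # any Azure-hosted client, from any tenant
    start = ipaddress.ip_address(rule["startIpAddress"])
    end = ipaddress.ip_address(rule["endIpAddress"])
    blocks = list(ipaddress.summarize_address_range(start, end))
    v4 = [n for n in networks if n.version == 4]
    if all(any(b.subnet_of(n) for n in v4) for b in blocks):
        return "within-adf-tag"  # rule is no wider than the published ranges
    return "other"


def audit_sql_rules(rules, networks):
    """Map each rule name to its classification."""
    return {r["name"]: classify_sql_rule(r, networks) for r in rules}


if __name__ == "__main__":
    nets = load_region_ranges(SERVICE_TAG_DOC, "WestEurope")
    print("storage IP rules:", storage_ip_rules(nets))
    for ip in ("203.0.113.5", "203.0.113.99"):
        print(ip, "from ADF" if source_is_adf(ip, nets) else "NOT from ADF")
    for name, verdict in audit_sql_rules(SAMPLE_SQL_RULES, nets).items():
        print(f"{name}: {verdict}")
```

Run it against a freshly downloaded service tag file whenever a new one is published and the regional prefix list changes; any allow-list entry that no longer classifies as within-adf-tag, and any allow-azure-services rule, is worth a second look.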
For more details about which Azure data stores support which of the access strategy options listed above, please visit the Microsoft Docs reference link below.
Reference: https://docs.microsoft.com/en-us/azure/data-factory/data-access-strategies