Configuring Private Link for Microsoft Fabric Beta

Available to certain Enterprise tiers

This feature is available on the following dbt Enterprise tiers:

• Enterprise+
• Virtual Private

To learn more about these tiers, contact us at sales@getdbt.com.

The following steps walk you through the setup of a Private Link endpoint for Microsoft Fabric in a dbt multi-tenant environment.

Private connection endpoints can't connect across cloud providers (AWS, Azure, and GCP). For a private connection to work, both dbt and the server (like Microsoft Fabric) must be hosted on the same cloud provider. For example, dbt hosted on AWS cannot connect to services hosted on Azure, and dbt hosted on Azure can’t connect to services hosted on GCP.

Workspace-level Private Link

Microsoft Fabric offers two private connectivity models. Only workspace-level Private Link supports cross-tenant connections and is compatible with dbt. Tenant-level Private Link is designed for intra-organization access and does not support connections from external services like dbt.

Prerequisites

Before configuring Private Link, make sure you have the following:

• You have Fabric Administrator access
• You have an Azure subscription with permission to register resource providers and deploy templates
• You have a Fabric workspace already created
• You have a service principal set up with the right Fabric permissions (Member or Contributor on the workspace, and Fabric APIs enabled in the Admin portal)

Configure Fabric Private Link

Complete the following steps in your Microsoft Fabric and Azure environments before submitting a request to dbt.

1. Enable the workspace-level Private Link tenant setting

A Fabric Administrator must enable workspace-level private link for your tenant before it can be configured on individual workspaces.

1. Open the Microsoft Fabric Admin portal.
2. Navigate to Tenant settings.
3. Search for Configure workspace-level inbound network rules and expand the setting.
4. Toggle the setting to Enabled.
5. Click Apply.

2. Configure your workspace network settings

1. Open your Fabric workspace in the Microsoft Fabric portal.
2. Navigate to Workspace settings → Inbound networking.
3. Select Allow connections from selected networks and workspace level private links.
4. Click Save.

Restricting inbound access may block your own access

When you select this option, only connections from approved IP addresses and workspace-level private links are allowed. If you or your team need to continue accessing this workspace from the Fabric portal, add your organization's public IP addresses before saving. Consult your network administrator if you're unsure which IP ranges to include.

If you get locked out, a Fabric Administrator can restore access by navigating to the Admin portal → Tenant settings → Advanced networking → Configure workspace-level inbound network rules and toggling the setting to Disabled. This reverts all workspaces to their previous network configuration.

3. Register the Microsoft.Fabric resource provider

The Microsoft.Fabric resource provider must be registered in your Azure subscription before you can create Fabric Private Link resources.

1. In the Azure portal, navigate to your Subscription → Settings → Resource providers.
2. Search for Microsoft.Fabric.
3. Select it and click Register (or Re-register if already registered). Wait for the status to change to Registered.

4. Create the Private Link Service resource

Fabric workspace-level Private Link uses a dedicated Azure resource (Microsoft.Fabric/privateLinkServicesForFabric) to expose your workspace as a private endpoint target. This resource is not available in the Azure portal marketplace, so you must deploy it using a custom template.

1. Locate the two IDs you'll need:

   • Workspace ID: found in the workspace URL — https://app.fabric.microsoft.com/groups/WORKSPACE_ID. Replace WORKSPACE_ID with your value.
   • Tenant ID: found in the Azure portal under Microsoft Entra ID → Overview → Tenant ID. This is the same Directory (tenant) ID used for service principal authentication.

2. In the Azure portal, search for Deploy a custom template and select it.

3. Click Build your own template in the editor.

4. Paste the following template into the editor. Replace WORKSPACE_NAME, WORKSPACE_ID, and TENANT_ID with your values, then click Save:

   {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "resources": [
       {
         "type": "Microsoft.Fabric/privateLinkServicesForFabric",
         "apiVersion": "2024-06-01",
         "name": "WORKSPACE_NAME-pls",
         "location": "global",
         "properties": {
           "tenantId": "TENANT_ID",
           "workspaceId": "WORKSPACE_ID"
         }
       }
     ]
   }

5. Select your Subscription and Resource group, then click Review + create → Create.

6. Once the deployment completes, navigate to your resource group and select Manage view → Show hidden types to reveal the Private Link Service resource. Click the resource to open it and copy the Resource ID from the overview page. You will need the Resource ID to submit your Private Link request.

   The Resource ID path format is: /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.Fabric/privateLinkServicesForFabric/NAME

Submit a Private Link request to dbt

Add the required information to the following template and submit your Azure Private Link request to dbt Support:

 Support request email template

Subject: New Azure Multi-Tenant Private Link Request

- Type: Microsoft Fabric
- dbt platform account URL:
- Fabric workspace name:
- Fabric Private Link Service resource ID:
  /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.Fabric/privateLinkServicesForFabric/NAME
- dbt Azure multi-tenant environment (EMEA):
- Azure region of your Fabric workspace (for example, centralus, westeurope):

Make sure you replace SUBSCRIPTION_ID, RESOURCE_GROUP, and NAME with your values.

Approve the Private Link connection

Once dbt Support confirms the private endpoint has been created on our side:

1. In the Azure portal, search for Private Link in the top search bar and select Private Link Center.
2. In the left sidebar, select Pending connections.
3. Verify the correct Subscription filter is selected (the subscription containing your Private Link Service resource).
4. Select the connection from dbt (the name will contain dbt).
5. Click Approve and confirm.
6. Confirm with dbt Support that the connection has been approved so they can validate it and make it available in dbt.

Use Private Link Center, not the PLS resource

Navigate to the Private Link Center service to approve the connection. The Fabric Private Link Service resource blade does not display pending connections. You must use Private Link Center → Pending connections to see and approve the connection from dbt.

Create connection in dbt

Once dbt Support confirms the endpoint is available, configure the connection in dbt:

1. Navigate to Settings → Create new project → select Microsoft Fabric.

2. You will see two radio buttons: Default Endpoint and PrivateLink Endpoint. Select PrivateLink Endpoint.

3. Select the private endpoint from the dropdown. This populates the Server field with the private SQL hostname provided by dbt Support.

4. Configure the remaining connection details:

   Field	Value
   Port	1433
   Database	Your Fabric warehouse name
   Authentication	Service Principal
   Tenant ID	Your Microsoft Entra Directory (tenant) ID
   Client ID	Your service principal's application (client) ID
   Client secret	Your service principal's client secret

   Loading table...

   Service principal requirements

   The service principal must be added as a Member or Contributor on the Fabric workspace. In the Fabric Admin portal, Service principals can use Fabric APIs must also be enabled under Tenant settings → Developer settings.

5. Test your connection and save it.

Was this page helpful?

Privacy policyCreate a GitHub issue

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.