Trigger an ADF pipeline using a Storage event trigger over a private network.

Project Technology: Azure function, ADF, Azure Synapse, ADLS

Issue description: The customer has a strict regulatory compliance requirement, because of which they need to block all outbound (public endpoint) connections. Hence, most of our products were not able to provide the expected result, as they depend on public endpoints.

Summary:

  1. The customer was not able to download PowerShell modules from the PowerShell Gallery in the Azure Function due to the outbound restrictions. We suggested manually downloading the modules and uploading them to the Azure Function via VS Code, but that did not work either.
  2. As a result, we used the PowerShell command line from the user's desktop instead of VS Code.
  3. Then, when we tried to access ADF from the Azure Function, it failed.

[Screenshot of the error returned when accessing ADF from the Azure Function (image not reproduced here)]

  4. To validate the access token, we ran the MSI validator and got the error below.

[Screenshot of the MSI validator error (image not reproduced here)]

  5. The reason for all these errors was that Az PowerShell was trying to connect to management.azure.com in order to obtain the OAuth2 token. As per the bank's regulations, access to any public endpoint was not allowed, which basically stalled the project.
  6. To work around this and reach the resources behind private endpoints/Private Link, we proposed using a managed identity together with the REST API: the function obtains a bearer token from its local identity endpoint without any public endpoint access, and the REST call uses that bearer token to access the Azure resource over its private endpoint.

Code if the customer is using a system-assigned managed identity. The token request goes to the identity endpoint the platform exposes to the function app ($env:IDENTITY_ENDPOINT), so nothing leaves the app boundary:

$resourceURI = "https://functeststorageacc01.queue.core.windows.net/"
# Local identity endpoint of the function app; the X-IDENTITY-HEADER value proves the call comes from inside the app
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&api-version=2019-08-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{ "X-IDENTITY-HEADER" = $env:IDENTITY_HEADER } -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token

Code if the customer is using a user-assigned managed identity. The request must say which identity to use, otherwise the endpoint falls back to the system-assigned one; here the identity is selected by its client ID (placeholder value):

$resourceURI = "https://functeststorageacc01.queue.core.windows.net/"
$clientId = "<client-id-of-the-user-assigned-identity>"   # placeholder, taken from the identity's overview page
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&api-version=2019-08-01&client_id=$clientId"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{ "X-IDENTITY-HEADER" = $env:IDENTITY_HEADER } -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token

Code to use the bearer token to access Azure Storage over the REST API (data plane only, no management.azure.com). Note that the token must have been requested for the same storage account that is called here, or for https://storage.azure.com/; a token issued for a different account is rejected for audience mismatch.

$version = "2017-11-09"   # earliest x-ms-version that accepts Azure AD bearer tokens for Storage
$header = @{
    Authorization  = "Bearer $accessToken"
    'x-ms-version' = $version
    'x-ms-date'    = [DateTime]::UtcNow.ToString('R')
}

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$QueueMessage = "This is test message#1 "
# Put Message expects an XML body, not the raw string; escape the text so it cannot break the XML
$body = "<QueueMessage><MessageText>$([System.Security.SecurityElement]::Escape($QueueMessage))</MessageText></QueueMessage>"
$item = Invoke-RestMethod -Method POST -Uri "https://storazaarfdevbtgt00003.queue.core.windows.net/test2/messages" -Headers $header -Body $body -ContentType "application/xml"
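The MSI validator step above and the audience note on the REST call both come down to inspecting the token before spending a request on it. The following is an added example, not code from the original post: it decodes the JWT payload of a managed-identity access token (without verifying the signature, which Storage does on its side) and checks the audience, expiry and, for a user-assigned identity, the appid against what the caller expects. The sample tokens, the tenant ID and the client ID are constructed placeholders so the script runs offline; the storage account names are the ones used on this page.

```powershell
# Added example (not from the original post): pre-flight inspection of a managed-identity
# access token before it is sent to Storage. No signature verification is done here; the
# service does that. Sample tokens below are constructed locally and are unsigned.

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS token (expected 3 dot-separated parts)" }
    # base64url -> base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-StorageToken {
    param(
        [Parameter(Mandatory)][string]$Jwt,
        [Parameter(Mandatory)][string]$ExpectedAudience,   # the resource the token was requested for
        [string]$ExpectedClientId                          # set when a user-assigned identity is expected
    )
    $claims   = ConvertFrom-JwtPayload -Jwt $Jwt
    $now      = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $problems = @()

    # Storage accepts a token whose audience is the account endpoint itself or the generic
    # https://storage.azure.com/ resource; any other audience is rejected with 403.
    $aud = ([string]$claims.aud).TrimEnd('/')
    if ($aud -ne $ExpectedAudience.TrimEnd('/') -and $aud -ne 'https://storage.azure.com') {
        $problems += "audience '$($claims.aud)' does not cover $ExpectedAudience"
    }
    if ($claims.exp -le $now) {
        $problems += "token expired at $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime)"
    }
    if ($ExpectedClientId -and $claims.appid -ne $ExpectedClientId) {
        $problems += "token issued to appid '$($claims.appid)', expected '$ExpectedClientId'"
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Claims = $claims }
}

function New-SampleJwt([string]$Audience, [string]$AppId, [long]$ExpiresAt) {
    # Constructed, unsigned token for demonstration only. A real token from the identity
    # endpoint carries an RS256 signature that Storage verifies; this one would be rejected.
    $header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
    $payload = ConvertTo-Base64Url (@{
        aud   = $Audience
        appid = $AppId
        exp   = $ExpiresAt
        iss   = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/'   # placeholder tenant
    } | ConvertTo-Json -Compress)
    "$header.$payload.constructed-signature"
}

# --- demonstration with constructed tokens ---
$resourceURI = 'https://functeststorageacc01.queue.core.windows.net/'
$fakeAppId   = '11111111-2222-3333-4444-555555555555'   # placeholder client ID of the identity
$inOneHour   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$lastHour    = [DateTimeOffset]::UtcNow.AddHours(-1).ToUnixTimeSeconds()

$good    = New-SampleJwt -Audience $resourceURI -AppId $fakeAppId -ExpiresAt $inOneHour
$wrongAu = New-SampleJwt -Audience 'https://storazaarfdevbtgt00003.queue.core.windows.net/' -AppId $fakeAppId -ExpiresAt $inOneHour
$expired = New-SampleJwt -Audience $resourceURI -AppId $fakeAppId -ExpiresAt $lastHour

Test-StorageToken -Jwt $good    -ExpectedAudience $resourceURI -ExpectedClientId $fakeAppId
Test-StorageToken -Jwt $wrongAu -ExpectedAudience $resourceURI
Test-StorageToken -Jwt $expired -ExpectedAudience $resourceURI
```

In the function, call Test-StorageToken right after `$accessToken = $tokenResponse.access_token`, with `-ExpectedAudience $resourceURI`, and abort before the Storage call when `Ok` is false. The second sample token reproduces the situation where a token was requested for one account and then presented to another: the check reports the audience mismatch locally instead of the service returning an opaque 403.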

  7. Even though we had the bearer token and were using the REST API, we were still not able to trigger the ADF pipeline, because any operation on ADF through the REST API goes to the control plane (management.azure.com), which is not allowed in the bank's environment.
  8. Here we proposed triggering the ADF pipeline through a storage event trigger, using managed private endpoints, so that ADF could read the storage over private endpoints without going out to public endpoints.

[Screenshots of the managed private endpoint and storage event trigger configuration steps (six images, not reproduced here)]

  9. After completing all the above steps, we were able to trigger the ADF pipeline using the storage event.
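The screenshots above walk through the portal; the same storage event trigger can be defined as JSON and deployed with Az.DataFactory. The following is an added example, not code from the original post. It is run from a workstation that is allowed to reach management.azure.com, since creating or starting a trigger is a control-plane operation and is exactly what the locked-down function cannot do; once the trigger exists, firing it needs no control-plane access. The subscription ID, resource group, factory name, pipeline name, container name and trigger name are placeholders; the storage account name is the one used on this page.

```powershell
# Added example (not from the original post): define and start a BlobEventsTrigger with
# Az.DataFactory from a workstation with control-plane access. Connect-AzAccount must
# already have been run. All resource names below are placeholders.

$rg        = 'rg-adf-private'          # placeholder
$factory   = 'adf-private-demo'        # placeholder
$pipeline  = 'pl_ingest_landing'       # placeholder; must already exist and declare folderPath/fileName parameters
$storageId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-adf-private' +
             '/providers/Microsoft.Storage/storageAccounts/functeststorageacc01'

$triggerName = 'trg_landing_blob_created'
$trigger = @{
    name       = $triggerName
    properties = @{
        type           = 'BlobEventsTrigger'
        typeProperties = @{
            blobPathBeginsWith = '/landing/blobs/'   # container 'landing', any folder below it
            blobPathEndsWith   = '.csv'
            ignoreEmptyBlobs   = $true               # skip the zero-byte blob some clients create before the real upload
            scope              = $storageId          # the storage account whose events fire the trigger
            events             = @('Microsoft.Storage.BlobCreated')
        }
        pipelines = @(
            @{
                pipelineReference = @{ referenceName = $pipeline; type = 'PipelineReference' }
                # hand the event's path to the pipeline so it reads only the blob that fired
                parameters = @{
                    folderPath = '@triggerBody().folderPath'
                    fileName   = '@triggerBody().fileName'
                }
            }
        )
    }
}

# Set-AzDataFactoryV2Trigger takes the definition from a file with the name/properties shape above
$definitionFile = Join-Path ([IO.Path]::GetTempPath()) "$triggerName.json"
$trigger | ConvertTo-Json -Depth 10 | Set-Content -Path $definitionFile -Encoding utf8

Set-AzDataFactoryV2Trigger -ResourceGroupName $rg -DataFactoryName $factory -Name $triggerName `
    -DefinitionFile $definitionFile -Force
# A trigger is created in the Stopped state; it only fires after it is started
Start-AzDataFactoryV2Trigger -ResourceGroupName $rg -DataFactoryName $factory -Name $triggerName -Force
```

Two things keep this private in practice. The event itself is delivered by Event Grid, which requires the Microsoft.EventGrid resource provider to be registered in the subscription; the data read that follows happens in the pipeline, so the linked service for functeststorageacc01 must run on the managed virtual network integration runtime with an approved managed private endpoint to the account, and the factory's managed identity needs a data-plane role on that account (for example Storage Blob Data Reader). Without that, the trigger would fire but the copy or lookup activity would still try the public endpoint.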

 

This article was originally published by Microsoft's Azure Data Factory Blog. You can find the original article here.