Azure Data Factory Private endpoint for Portal Endpoint

Sumit Gaur 475 Reputation points
2026-06-05T12:04:07.2533333+00:00

Hi Team,

We are looking for recommendations and best practices around configuring the portal private endpoint for Azure Data Factory in a multi-VNET environment.

Current setup:

  • We have multiple ADF instances owned by separate teams.
  • Each ADF has its own datafactory private endpoint configured within its respective spoke VNET.
  • Since the ADF instances are isolated across different VNETs, the private endpoints are also created in different address spaces.

Our concern is around the portal private endpoint, as it appears to use a global endpoint (portal.adf.azure.com), unlike the factory-specific datafactory endpoint.

Questions:

  1. What is the Microsoft-recommended approach for configuring the portal private endpoint when multiple ADFs exist across separate VNETs?
  2. Is it recommended to:
    • create a single centralized portal private endpoint (for example in the hub VNET), and share DNS resolution across spokes, or
    • create portal private endpoints within each spoke independently, i believe this may cause the DNS override.
  3. Are there any recommended DNS or network topology considerations for this scenario in a hub-and-spoke architecture?

Would appreciate guidance on the recommended enterprise-scale design for this setup.

Also can we not have portal endpoint and still have the traffic flown via the SHIR or Managed Virtual network for full private access. would not creating the portal endpoint breaks the UI access?

Azure Data Factory
Azure Data Factory

An Azure service for ingesting, preparing, and transforming data at scale.


3 answers

Sort by: Most helpful
  1. Smaran Thoomu 35,375 Reputation points Microsoft External Staff Moderator
    2026-06-11T05:05:54.5533333+00:00

    Hi @Sumit Gaur

    Thank you for the detailed explanation of your architecture.

    Your understanding is generally correct. Since the Azure Data Factory portal private endpoint uses the shared endpoint (portal.adf.azure.com), deploying multiple portal private endpoints across different VNets can introduce DNS complexity, especially when a shared Private DNS Zone is used.

    For hub-and-spoke environments, the recommended approach is typically:

    • Deploy a centralized portal private endpoint in the hub VNet.

    Use centralized DNS resolution (Private DNS Zone and DNS forwarding) that can be consumed by spoke VNets.

    Continue using factory-specific datafactory private endpoints within individual spokes as required.

    This approach helps reduce DNS management overhead and avoids potential name resolution conflicts.

    Regarding your question about not creating a portal private endpoint:

    The portal private endpoint is only required if you want Azure Data Factory Studio authoring and monitoring traffic to stay on private connectivity.

    SHIR communication continues to use the datafactory private endpoint.

    Managed Virtual Network and Managed Private Endpoints continue to secure data movement paths independently of the portal endpoint.

    If a portal private endpoint is not configured and public network access remains enabled, users can still access ADF Studio through the public endpoint.

    Therefore, not creating a portal private endpoint does not break UI access by itself. It only means that Studio authoring and monitoring traffic will use the public endpoint rather than Private Link.

    For enterprise-scale deployments, we generally recommend validating DNS resolution from all participating VNets and ensuring that the selected DNS architecture provides consistent resolution for portal.adf.azure.com across the environment.

    Please let us know if you need additional guidance around hub-and-spoke DNS design or Private DNS Zone configuration.

    Was this answer helpful?

    0 comments No comments

  2. Manoj Kumar Boyini 17,950 Reputation points Microsoft External Staff Moderator
    2026-06-05T13:32:15.1533333+00:00

    Hi @Sumit Gaur

    The portal and datafactory private endpoints serve different purposes. The portal endpoint is used for Azure Data Factory Studio authoring and monitoring, while the datafactory endpoint is used for communication between Self-hosted Integration Runtime (SHIR) and Azure Data Factory.

    One important consideration in a multi-VNET environment is that the portal endpoint uses a shared DNS namespace. Because of this, creating multiple portal private endpoints across different VNets can introduce DNS management complexity and potential record conflicts if the same DNS zone is used across the environment.

    For a hub-and-spoke architecture, a centralized portal private endpoint combined with centralized DNS resolution is generally easier to manage and helps avoid DNS inconsistencies across spokes. Each Data Factory can still maintain its own datafactory private endpoint within its respective spoke VNET.

    Regarding your question about omitting the portal private endpoint, this is possible if your requirement is limited to securing SHIR communication and data access paths. In that scenario, SHIR communication can continue through the datafactory private endpoint, and Managed Virtual Network / Managed Private Endpoints can be used to secure access to data stores.

    However, if you want Azure Data Factory Studio authoring and monitoring traffic to remain on private connectivity as well, then a portal private endpoint is required. Otherwise, Studio access will use the public endpoint. As long as public access remains available, not creating a portal private endpoint does not by itself prevent users from accessing the ADF UI.

    For validation, we recommend confirming that:

    • Private endpoint connections are approved.
    • DNS resolution returns the expected private IP addresses.
    • Connectivity works correctly from all spoke networks that require access.

    References:

    https://learn.microsoft.com/azure/data-factory/data-factory-private-link
    https://learn.microsoft.com/azure/data-factory/data-factory-private-link#dns-changes-for-private-endpoints
    https://learn.microsoft.com/azure/private-link/private-endpoint-dns

    Please let us know if you have any questions.

    Was this answer helpful?


  3. AI answer

    2026-06-05T12:04:47.6+00:00
    1. For multiple Azure Data Factory (ADF) instances across separate VNets, the recommended pattern is to treat the portal private endpoint similarly to other PaaS portal endpoints: deploy portal private endpoints per network isolation boundary where private-only portal access is required. In Microsoft Purview (which follows the same pattern of account vs portal private endpoints), guidance explicitly calls out that in isolated network segmentations, separate portal private endpoints per account/VNet might be needed:

      “You may need to deploy separate portal private endpoints for each Microsoft Purview account in the scenarios where Microsoft Purview accounts are deployed in isolated network segmentations.”

      By analogy, for ADF in a hub-and-spoke model:
      • If spokes are strongly isolated (different address spaces, separate DNS, or different security domains), create portal private endpoints in each spoke where users must access ADF Studio privately.
      • If spokes share a common hub DNS and routing and there is a single security boundary, a centralized portal private endpoint in the hub that is reachable from all spokes is also valid, provided DNS is designed so that all spokes resolve the portal hostname to that hub private endpoint.
      The choice depends on whether a shared portal endpoint in the hub is acceptable from a security and operations perspective.
    2. On whether to centralize or duplicate portal private endpoints:
      • Centralized portal PE in hub
        • Pros: fewer endpoints to manage; simpler DNS if all spokes use a shared DNS zone; consistent experience.
        • Cons: all spokes depend on hub connectivity and DNS; less granular isolation.
      • Portal PEs per spoke
        • Pros: clean isolation per spoke; each team controls its own portal access; aligns with the Purview guidance for isolated segments.
        • Cons: more endpoints; DNS must avoid conflicts if a shared zone is used.
      DNS conflict/override is primarily a concern when multiple private endpoints for the same FQDN are registered in the same DNS zone. The generic private endpoint guidance recommends a single private endpoint per private-link resource per network/DNS scope to avoid duplicate DNS entries:

      “For a single network using a common DNS server configuration, the recommended practice is to use a single private endpoint for a specified private-link resource. Use this practice to avoid duplicate entries or conflicts in DNS resolution.”

      Therefore:
      • If using a single shared DNS zone for the portal hostname across hub and spokes, prefer one portal private endpoint for that DNS scope.
      • If each spoke uses its own DNS zone or DNS scope, separate portal private endpoints per spoke are acceptable and avoid DNS override issues.
    3. DNS and network topology considerations in hub-and-spoke: Key points from private endpoint and managed private endpoint guidance:
      • A private endpoint:
        • Must be in the same region and subscription as the VNet.
        • Uses a private IP from the subnet and that IP remains stable for the life of the endpoint.
        • Should generally be unique per private-link resource per DNS scope to avoid DNS conflicts.
      • For managed private endpoints and managed VNets in ADF:
        • The resource provider Microsoft.Network must be registered.
        • Managed private endpoints are created in the ADF managed VNet and are approved by the target resource owner.
        • Custom DNS is not supported inside the managed VNet; DNS control is on the customer side for their own VNets.
      In a hub-and-spoke design:
      • Place private endpoints (datafactory and/or portal) in hub or spokes depending on where:
        • User traffic originates (for portal access), and
        • Integration runtimes or workloads reside (for datafactory endpoints and managed private endpoints).
      • Use the hub as the central DNS if a shared DNS model is desired, and ensure that:
        • The portal hostname resolves to the hub portal private endpoint IP for all spokes, or
        • Each spoke has its own DNS zone if using separate portal private endpoints.
    4. On not creating a portal private endpoint and impact on UI access:
      • For ADF, the datafactory private endpoint is used for command communications between self-hosted IR and Data Factory, and the portal private endpoint is used for authoring and monitoring the data factory from within a VNet:

        “If you want to use the private endpoint for command communications between the self-hosted IR and Data Factory, select datafactory as Target sub-resource. If you want to use the private endpoint for authoring and monitoring the data factory in your virtual network, select portal as Target sub-resource.”

      • If a portal private endpoint is not created:
        • ADF Studio (portal.adf.azure.com) is accessed over the public internet (subject to any public network access settings and corporate egress controls).
        • Self-hosted IR and managed VNets can still use datafactory private endpoints and managed private endpoints to keep data-plane traffic private.
      • Therefore, it is possible to have full private data-plane access (via self-hosted IR, managed VNets, and managed private endpoints) without a portal private endpoint. In that case, only the UI/management-plane access is not fully private and continues to use the public endpoint.
      If corporate policy requires no public network access to ADF management/portal, then a portal private endpoint is required to maintain UI access while keeping public access disabled. Otherwise, disabling public access without configuring portal private endpoints can block portal-based authoring and monitoring.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.