Hi @Sumit Gaur
Thank you for the detailed explanation of your architecture.
Your understanding is generally correct. Since the Azure Data Factory portal private endpoint uses the shared endpoint (portal.adf.azure.com), deploying multiple portal private endpoints across different VNets can introduce DNS complexity, especially when a shared Private DNS Zone is used.
For hub-and-spoke environments, the recommended approach is typically:
- Deploy a centralized portal private endpoint in the hub VNet.
- Use centralized DNS resolution (Private DNS Zone and DNS forwarding) that can be consumed by spoke VNets.
- Continue using factory-specific datafactory private endpoints within individual spokes as required.
This approach helps reduce DNS management overhead and avoids potential name resolution conflicts.
Regarding your question about not creating a portal private endpoint:
The portal private endpoint is only required if you want Azure Data Factory Studio authoring and monitoring traffic to stay on private connectivity.
SHIR communication continues to use the datafactory private endpoint.
Managed Virtual Network and Managed Private Endpoints continue to secure data movement paths independently of the portal endpoint.
If a portal private endpoint is not configured and public network access remains enabled, users can still access ADF Studio through the public endpoint.
Therefore, not creating a portal private endpoint does not break UI access by itself. It only means that Studio authoring and monitoring traffic will use the public endpoint rather than Private Link.
For enterprise-scale deployments, we generally recommend validating DNS resolution from all participating VNets and ensuring that the selected DNS architecture provides consistent resolution for portal.adf.azure.com across the environment.
Please let us know if you need additional guidance around hub-and-spoke DNS design or Private DNS Zone configuration.
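The answer above recommends validating DNS resolution from every participating VNet. The script below is an added example (not code from the original thread or from Microsoft) of one way to do that check: it resolves the shared Studio name `portal.adf.azure.com` and a factory-specific datafactory name from the VNet it runs in, and reports whether each name resolves to a private address (what a correctly consumed Private DNS Zone should produce) or to a public one (which means that VNet is still using the public endpoint). The factory hostname is a placeholder, and the RFC 1918 ranges are an assumption about the VNet address space.

```python
"""Check that Private Link names resolve to private addresses from this VNet.

Added example, not part of the original thread. Assumes the VNets use
RFC 1918 address space and that a Private DNS Zone (or forwarder) is
supposed to answer for the names below.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, List

# Shared ADF Studio name as stated in the thread.
PORTAL_HOST = "portal.adf.azure.com"
# Placeholder: substitute the real factory's datafactory hostname.
FACTORY_HOST = "<factory-name>.<region>.datafactory.azure.net"

# Assumption: VNets use RFC 1918 space, so a private endpoint NIC address
# lands inside one of these ranges.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_private(addr: str) -> bool:
    """True when addr is an IPv4 address inside an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in PRIVATE_NETS)


def classify(addrs: List[str]) -> str:
    """Summarise a resolved address set.

    'private'    : every answer is RFC 1918 -> Private DNS Zone is in effect
    'public'     : every answer is public  -> this VNet is not consuming the zone
    'mixed'      : conflicting answers     -> likely overlapping/duplicate records
    'unresolved' : no answer at all
    """
    if not addrs:
        return "unresolved"
    flags = {is_private(a) for a in addrs}
    if flags == {True}:
        return "private"
    if flags == {False}:
        return "public"
    return "mixed"


def resolve(host: str) -> List[str]:
    """Resolve host with the OS resolver; empty list on NXDOMAIN/SERVFAIL."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate(hosts: List[str],
             resolver: Callable[[str], List[str]] = resolve) -> Dict[str, dict]:
    """Resolve each host and record whether it passed the private-only check."""
    report = {}
    for host in hosts:
        addrs = resolver(host)
        verdict = classify(addrs)
        report[host] = {
            "addresses": addrs,
            "verdict": verdict,
            "ok": verdict == "private",
        }
    return report


def main() -> int:
    report = validate([PORTAL_HOST, FACTORY_HOST])
    for host, result in report.items():
        status = "OK " if result["ok"] else "FAIL"
        print(f"{status} {host:60s} {result['verdict']:10s} {result['addresses']}")
    return 0 if all(r["ok"] for r in report.values()) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a VM (or any workload) in each hub and spoke VNet; a `public` verdict from a spoke means that spoke's DNS path is bypassing the centralized Private DNS Zone, and a `mixed` verdict points at conflicting records, which is the situation the answer warns about when several portal private endpoints share one zone.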