Azure Private Link
You must have a Business Critical plan to use Azure Private Link.
Azure Private Link allows Virtual Networks (VNets) and Azure-hosted services to communicate with one another without exposing traffic to the public internet.
Fivetran uses Private Link to move your data securely between our system and your Azure-hosted or Azure Virtual Machine-hosted destination.
By default, Fivetran enables TLS on your Private Link connection for an extra layer of security. We recommend that you keep TLS enabled unless you know it is safe to disable it. To disable TLS, set the Require TLS when using Private Link toggle to OFF.
If you set the Require TLS when using Private Link toggle to OFF, Fivetran first attempts to connect over TLS. If this fails, Fivetran automatically retries the connection in clear text. You are responsible for configuring this option according to your corporate security policies.
Architecture
Depending on your destination type, Private Link works in the following ways:
- If your destination is hosted on Azure, Fivetran sets up the Private Link connection to customer's private-link resource based on the fully-qualified resource ID. For more information. see Azure's documentation.
- If your destination is hosted on an Azure Virtual Machine, you can use Azure Private Link Service to connect Fivetran to your destination. To use Azure Private Link Service, you must create an Azure Private Link Service with port forwarding VMs. The VMs then relay the network traffic towards your destination.
The following graphic illustrates how Fivetran connects to a destination using Azure Private Link:
Supported destinations
We support Azure Private Link for the following destinations:
- Azure Data Lake Storage
- Azure PostgreSQL Database
- Azure SQL Database
- Azure SQL Managed Instance
- Azure Synapse
- Databricks
- Generic MySQL
- Generic PostgreSQL
- Generic SQL Server
- MariaDB
- Snowflake
Prerequisites
To set up Azure Private Link, you need an Azure-hosted or Azure Virtual Machine-hosted destination in one of our supported regions.
Setup instructions for Azure-hosted destinations
Expand for instructions
The instructions in this section are not applicable to Azure Data Lake Storage, Azure Synapse, Databricks, and Snowflake destinations. To connect these destinations using Azure Private Link, see their setup guides.
- Verify that your destination supports Private Endpoint. For more information, see Microsoft documentation.
- Open a Fivetran support ticket and provide your Azure-hosted service’s fully-qualified resource ID, including the resource name and resource type of your destination.
- Wait to receive Private Endpoint request details from Fivetran. We create a Private Endpoint using your resource ID, type, and subresource. We then initiate a Private Link connection request as part of the Private Endpoint setup and share the details of that request with you.
- In the Azure Portal or CLI, verify and approve the Private Link connection request from Fivetran. Once you approve the request, Fivetran completes the Private Link setup for your Azure-hosted service.
Setup instructions for Azure Virtual Machine-hosted destinations
Expand for instructions
The instructions in this section are not applicable to Azure Data Lake Storage, Azure Synapse, Databricks, and Snowflake destinations. To connect these destinations using Azure Private Link, see their setup guides.
Depending on whether or not your destination already has an Azure Private Link Service, do one of the following:
- If your destination is already configured with a Private Link Service, follow the setup instructions for Azure-hosted destinations.
- If your destination does not have a Private Link Service, set up the service and then follow the setup instructions for Azure-hosted destinations. For more information about setting up a Private Link Service, see the Setup instructions for Private Link Service section of this documentation.
A single Azure Private Link Service can support one or multiple destinations at the same time with different ports mapped to corresponding destination IP addresses.
Prerequisites
To set up Private Link Service, you must do the following:
- Configure a VNet with access to your destination.
- Ensure that your destination is accessible from the VNet where the Private Link Service Load Balancer will run.
Setup instructions
In the VNet, create a Standard Load Balancer with a NIC-based backend pool that has access to your destination.
Configure a health probe and a load balancer rule with the ports that your destination will use. For more information, see Azure's documentation.
Create a Private Link Service associated with the Standard Load Balancer you created in step 1. For more information, see Azure's documentation.
Create one or more Virtual Machines and place them in the backend pool of the load balancer you created in step 1.
Enable IP forwarding on each of the backend Virtual Machine network interfaces. For more information about how to enable IP forwarding, see Azure's documentation.
For security reasons, ensure that no public IP addresses are configured for the Virtual Machines. Private Link connections use only private IP addresses.
Log in into each backend Virtual Machine of the Load Balancer and run the script below. The script configures Network Address Translation (NAT), which forwards network packets from SLB-backend Virtual Machines to your destination. The script also configures a single port forwarding. However, you can add additional sets of iptables
PREROUTINGandPOSTROUTINGrules for additional ports.#!/bin/bash # This script configures Network Address Translation to forward incoming packets # from the Azure Standard Load Balancer to IP-based destinations and route them # back. In this script, "destination" means a destination server that Fivetran connects to. # local port where Load Balancer sends traffic to SOURCE_PORT=<local_port> # destination server inside internal network DESTINATION_IP=<destination_server_ip_address> DESTINATION_PORT=<destination_server_port> # enable IP forwarding on host echo 1 > /proc/sys/net/ipv4/ip_forward # clear existing iptables rules and chains iptables -F iptables -t nat -F iptables -X # change the packet recipient from local to destination socket (host & port) iptables -t nat -A PREROUTING -p tcp --dport ${SOURCE_PORT} -j DNAT --to-destination ${DESTINATION_IP}:${DESTINATION_PORT} # change the source IP address from the LB NAT IP address to the IP of this LB-backend host iptables -t nat -A POSTROUTING -p tcp -d ${DESTINATION_IP} --dport ${DESTINATION_PORT} -j SNAT --to-source $(hostname -i)
For additional help, read Azure Private Link Service documentation or contact our support team.
Setup instructions for self-service Fivetran accounts Private Preview
Expand for instructions
The self-service functionality is only available for Azure-hosted destinations.
Find resource ID
- Verify that your destination supports Private Endpoint. For more information, see Microsoft’s documentation.
- Log in to the Azure portal and then go to your Azure-hosted service.
- Select your workspace and then go to Properties.
- Make a note of the Resource ID. You will need it to create the Private Link connection.
Configure Private Link connection
Log in to the Fivetran dashboard and go to the destination setup form.
In the Connection Method drop-down menu, select Connect via Private Networking.
Click + Configure a new PrivateLink connection.
Enter a Name for your Private Link connection.
In the PrivateLink Resource ID field, enter the resource ID you found in Step 1.
In the PrivateLink Subresource name drop-down menu, select the subresource corresponding to your resource type. The following table lists the subresources corresponding to each resource type:
Resource Type Subresource Azure SQL Managed Instance managedInstanceAzure SQL Database sqlServerAzure Blob Storage (Azure Storage) blob,dfsAzure Service Bus namespaceAzure PostgreSQL Database postgresqlServerAzure Cosmos DB sqlAzure Mongo DB MongoDBClick Create and save. Fivetran will raise a connection request in Azure.
It might take up to 10 minutes for us to raise the connection request.
Accept connection request
- Go to your Azure account.
- Go to Private Link Center > Pending connections.
- Select the connection request from Fivetran, and click Approve.
- In the pop-up window, confirm that you want to approve the connection request. Once Azure processes the request, a Connection created will appear in your destination setup form.
Postrequisites
To use Azure Private Link, you must do the following in the destination setup form:
- Select Azure as the Cloud service provider.
- Enter all the Azure Private Link Service ports mapped to destination IP addresses.