David Cousins on 28 Jun 2023 20:11:20
We need a way to stop data being exported, either intentionally or accidentally, by use of a data pipeline to an external source. The current implementation of ADF in Fabric means that you can use the Web activity or REST Connector in a copy activity and export data to seemingly any endpoint. We also can't stop users creating ADF pipelines in Fabric without disabling Fabric features completely.
Rather than go down the route of over complicating Fabric with vnets, a simple solution to this would be a tenant or capacity level toggle to deny external web access from Fabric but with a URL whitelist feature to allow certain domains to be accessed. Perhaps even an "allow Azure services" toggle so that Fabric can be allowed to communicate with Microsoft/Azure APIs and not require those to be added to the whitelist manually (because MS have a billion domains!)