Azure Private Link
Azure Private Link provides private connectivity to Foundry by ensuring that access to Foundry is through a private IP address. Azure Private Link supports connections between different virtual network (VNet) regions. Note that Azure Private Link is a Microsoft service.
Choosing between ingress, egress, or both
Before setting up Azure Private Link, you need to determine which type of private connectivity your use case requires.
Ingress refers to traffic flowing into Foundry from your network. For example, a Data Connection agent in your VNet connecting back to Foundry, or users accessing the Foundry UI from a private network.
Egress refers to traffic flowing out of Foundry to resources in your environment. For example, Foundry syncing data from an Azure SQL Database or other VNet-hosted service. The two directions serve different purposes and each requires a separate setup.
If your data source is Azure Blob Storage or Azure Data Lake Storage Gen2, you may not need a Private Link at all. Azure Storage network policies are self-serve and can be configured directly in Control Panel. Only set up an egress Private Link for Azure Storage if your organization specifically requires it and cannot allowlist VNet subnets via storage policies.
Your environment may involve multiple use cases, each requiring either ingress or egress connectivity. Ingress and egress are independent setups and can be configured separately or together. Refer to the relevant sections below for setup steps for each.
Ingress to Foundry for Azure Private Link
Traffic can occur from your non-Foundry virtual network (VNet) to the Foundry VNet using the Microsoft backbone network. Private Link traffic and open Internet traffic to Foundry are supported at the same time by configuring additional IP whitelists using the Ingress Configuration in Control Panel.
Set up ingress to Foundry for Azure Private Link
- Share your Azure Subscription ID with your Palantir representative. You can find the Azure Subscription ID in your Azure Portal, as described in the Azure documentation for obtaining the Subscription ID.
- Palantir will provide you with your Foundry enrollment's Private Link Alias. The alias is usually in the following form:
  ingress-privatelink.<GUID>.<REGION>.azure.privatelinkservice
- Create a new Private Endpoint in your Azure Portal. The steps below follow the Azure guide for creating a Private Endpoint.
  - Choose Create new service, then select Private Endpoint, then select Create.
  - Fill in the details of your resource group and name your private link, then select Next.
  - Select Connect to an Azure resource by resource ID or alias, fill in the Foundry instance's Private Link Alias that you received from Palantir previously, then choose Next.
  - Choose your virtual network and subnet. In most cases, the Network policy for private endpoints setting should be disabled; see the Azure documentation for more information about this setting. The Application security group can be left empty.
  - In the DNS section, private DNS integration can be kept as "disabled", unless a private DNS zone to be used with the endpoint has already been set up. Private DNS integration can also be set up later, after the private endpoint has been created.
  - Tags can optionally be added if you use them in your Azure environment. Then select Review + create.
  - You should see a Validation passed message at the top of the screen. If so, review the configuration and select Create to begin the deployment process.
  - You should see a "Deployment complete" message when the deployment is finished. Then select Go to resource.
  - In the private link overview, select Settings > Properties, then copy the "Resource ID" field and send it back to your Palantir representative. For example, the resource ID may look like:
    /subscriptions/<SUBSCRIPTION_UUID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.Network/privateEndpoints/<PRIVATE_ENDPOINT_NAME>
- Create a DNS record to point the Foundry domain to the private link IP address. If needed, first create a Private DNS Zone connected to your resource group which contains the Private Link. Upon creation, it will be shown in the DNS Zone view. More information can be found in the Azure documentation for private endpoint DNS integration.
  - In the DNS zone, create an A record pointing to the Private Link private IP (found in the Private Link DNS configuration section). Note that you can leave the Name field empty if your DNS zone already contains the full Foundry domain (such as <your-enrollment>.palantirfoundry.com). Otherwise, add a subdomain prefix to match the full Foundry domain.
- (Conditional) If the Foundry domain is owned by you (meaning that the domain is not a Palantir-owned domain such as *.palantirfoundry.com), additional configuration is needed to funnel internal Foundry services through the endpoint as well; the steps are defined in the documentation on customer-owned domain private links.
- Refresh and clear your browser cache. All traffic from your Azure VNet to Foundry will now be routed through the private link instead of the public Internet.
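The DNS part of the procedure above (Private DNS zone, VNet link, A record) scripted with the Azure CLI, as an added example that is not part of the original Palantir documentation. The resource group, VNet, endpoint name, zone and Foundry domain are placeholder values; the private IP is read from the endpoint's network interface, which is the same address the Portal shows under DNS configuration. The record name logic mirrors the Name field rule: an empty Name in the Portal corresponds to the zone apex, written as `@` on the command line, and otherwise the subdomain prefix is derived by stripping the zone from the full Foundry domain. A check that the resolved address is an RFC 1918 private address is included so that a misconfigured record pointing at a public IP is caught before traffic relies on it.

```shell
#!/usr/bin/env bash
# Added example, not Palantir's or Microsoft's code. Resource names, zone and
# domain below are assumed placeholders. Written to stay POSIX sh compatible.
set -eu

# Given the full Foundry domain and the Private DNS zone name, return the
# record name to use: "@" (zone apex, i.e. an empty Name field in the Portal)
# when the zone already is the full Foundry domain, otherwise the subdomain
# prefix that, combined with the zone, yields the Foundry domain.
record_name_for_zone() {
  fqdn="$1"
  zone="$2"
  if [ "$fqdn" = "$zone" ]; then
    echo "@"
  elif [ "${fqdn%.$zone}" != "$fqdn" ]; then
    echo "${fqdn%.$zone}"
  else
    echo "error: zone '$zone' does not contain '$fqdn'" >&2
    return 1
  fi
}

# Return 0 when the address lies in an RFC 1918 range. After the A record is
# in place the Foundry domain must resolve to the endpoint's private IP; a
# public address here means the record does not point at the private link.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the Private DNS zone, link it to the VNet (without auto-registration),
# and add the A record that points the Foundry domain at the endpoint's IP.
create_private_dns_record() {
  rg="$1"; vnet="$2"; endpoint="$3"; fqdn="$4"; zone="$5"
  name="$(record_name_for_zone "$fqdn" "$zone")"

  # Private IP assigned to the private endpoint's network interface.
  nic_id="$(az network private-endpoint show -g "$rg" -n "$endpoint" \
            --query 'networkInterfaces[0].id' -o tsv)"
  ip="$(az network nic show --ids "$nic_id" \
        --query 'ipConfigurations[0].privateIPAddress' -o tsv)"
  is_rfc1918 "$ip" || { echo "unexpected non-private IP: $ip" >&2; return 1; }

  az network private-dns zone create -g "$rg" -n "$zone" -o none
  az network private-dns link vnet create -g "$rg" -z "$zone" \
      -n "$(echo "$zone" | tr . -)-link" -v "$vnet" \
      --registration-enabled false -o none
  az network private-dns record-set a add-record -g "$rg" -z "$zone" \
      -n "$name" -a "$ip" -o none
  echo "$fqdn -> $ip (record '$name' in zone '$zone')"
}

# Only touch Azure when explicitly asked; invoking without arguments just
# loads the functions. All values are placeholders.
if [ "${1:-}" = "apply" ]; then
  create_private_dns_record "my-resource-group" "my-vnet" "foundry-ingress-pe" \
      "your-enrollment.palantirfoundry.com" "palantirfoundry.com"
fi
```

Run with `apply` from a shell that is already logged in with `az login`; after it completes, a host inside the linked VNet should resolve the Foundry domain to the printed private IP, which is the quickest way to confirm the browser-cache step above will take traffic over the private link.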
Egress from Foundry for Azure Private Link
Traffic that occurs from Foundry to other Azure VNets can be configured to be routed through the Azure backbone instead of the public Internet, regardless of whether the Foundry instance's VNet and the target VNet are in the same or different Azure regions.
Set up egress from Foundry for Azure Private Link
For instructions on setting up egress from Foundry for Azure Private Link, see the documentation on configuring Private Link egress for Azure.
Some Azure services support sending all traffic via the Azure backbone through Azure gateways, without the extra Azure costs of a custom Private Link. The Azure services currently supported are:
- Azure Storage: This is self-serve in Palantir Foundry by creating an Azure Storage policy, as described in the documentation on Azure storage policies.
For private connectivity to all other Azure services or Azure VNets that require an egress Private Link setup, refer to the documentation on configuring Private Link egress for Azure.