
Configure outbound Azure Private Link

Outbound Azure Private Link enables Cognite Data Fusion (CDF) to make outbound connections to customer subscriptions over a private endpoint. Traffic between your virtual network and the services in CDF uses the Microsoft backbone network and isn't exposed to the public internet.

Currently this is only supported for outbound connections from hosted extractors in CDF to MQTT brokers in customer subscriptions. Outbound Private Link for hosted extractors can be enabled only for CDF projects that already have Private Link enabled.

Follow the steps in this article to set up a Private Link service.

Prerequisites

  1. The Private Link add-on purchased and included in the customer contract.

  2. A network administrator, or infrastructure-as-code automation, with permission to create Azure Private Link service resources.

Step 1: Create a Private Link service and share the alias with Cognite

Follow the Azure documentation to create a Private Link service and share the Private Link service alias with Cognite.

If you use an Azure Event Grid namespace as the MQTT broker, you don't need to set up a Private Link service. Instead, share the Event Grid namespace resource ID with Cognite. The resource ID has this format: /subscriptions/<subscription_id>/resourceGroups/<resourcegroup_name>/providers/Microsoft.EventGrid/namespaces/<eventgridns_name>.

Step 2: Approve the private endpoint request

Cognite sets up a private endpoint against the Private Link service alias or the Event Grid resource ID, and provides you with the private IP address associated with the private endpoint. You need to approve the private endpoint request in the Azure portal.

The request will have the name NNN-outbound-plink-endpoint and the description Cognite Data Fusion (CDF) private endpoint.

Step 3: Set up DNS and share the hostname with Cognite

Create a DNS entry for the private IP provided by Cognite, configure TLS, and share the hostname with Cognite. The hosted extractors in CDF use the hostname to connect to the MQTT broker, and they use the default MQTT ports for communication.

If the MQTT broker is an Azure Event Grid namespace, follow the Azure documentation to configure a custom DNS name and set up an A record that points to the private IP provided in Step 2.
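The three steps above, carried out with the Azure CLI, as an added example that is not Cognite's code and not part of the original article. All resource names (RG, PLS_NAME, DNS_ZONE) are placeholders you must set for your environment; the az commands need an authenticated Azure CLI session with permissions on the subscription. The example assumes the hostname is published as an A record in an Azure DNS zone that you own, because the hosted extractors on Cognite's side must be able to resolve it; adjust the DNS step if you use a different DNS setup. The two helper checks, validate_eventgrid_id and is_rfc1918, run locally without Azure: the first confirms the Event Grid resource ID has the documented shape before you share it, and the second confirms that the IP you are about to publish is a private (RFC 1918) address, since a record that resolves to a public address would not send traffic through the private endpoint.

```shell
#!/usr/bin/env sh
# Added example (not Cognite's code): Azure CLI wrappers for the outbound
# Private Link procedure. All names below are assumed placeholders.

RG="${RG:-rg-mqtt-placeholder}"                 # assumed resource group
PLS_NAME="${PLS_NAME:-pls-mqtt-placeholder}"    # assumed Private Link service name
DNS_ZONE="${DNS_ZONE:-mqtt.example.com}"        # assumed Azure DNS zone you own

# Step 1 (Private Link service path): print the alias to share with Cognite.
show_pls_alias() {
    az network private-link-service show \
        --resource-group "$RG" --name "$PLS_NAME" \
        --query alias --output tsv
}

# Step 1 (Event Grid path): check the resource ID has the documented shape
# /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.EventGrid/namespaces/<ns>
# before sharing it. Pure shell, no Azure call. Returns 0 on match.
validate_eventgrid_id() {
    printf '%s\n' "$1" | grep -Eq \
        '^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/resourceGroups/[^/]+/providers/Microsoft\.EventGrid/namespaces/[^/]+$'
}

# Step 2: list pending private endpoint connections on the service so you can
# confirm the name (NNN-outbound-plink-endpoint) and description match the
# request Cognite announced, then approve that one connection by name.
list_pending_connections() {
    az network private-link-service show \
        --resource-group "$RG" --name "$PLS_NAME" \
        --query "privateEndpointConnections[?privateLinkServiceConnectionState.status=='Pending'].{name:name, description:privateLinkServiceConnectionState.description}" \
        --output table
}

approve_connection() {
    az network private-link-service connection update \
        --resource-group "$RG" --service-name "$PLS_NAME" \
        --name "$1" --connection-status Approved \
        --description "Approved for CDF hosted extractors"
}

# Step 3 helper: dotted-quad shape plus an RFC 1918 prefix (10/8, 172.16/12,
# 192.168/16). Octet range is not validated beyond the regex shape.
is_rfc1918() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$1" in
        10.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        192.168.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3: publish <label>.<DNS_ZONE> -> private IP from Cognite, refusing to
# publish anything that is not a private address.
create_dns_record() {
    label="$1"; ip="$2"
    is_rfc1918 "$ip" || { echo "refusing to publish non-private address: $ip" >&2; return 1; }
    az network dns record-set a add-record \
        --resource-group "$RG" --zone-name "$DNS_ZONE" \
        --record-set-name "$label" --ipv4-address "$ip"
    echo "share this hostname with Cognite: $label.$DNS_ZONE"
}

# Dispatcher: only acts when given a subcommand, so the file can also be
# sourced for its functions.
case "${1:-}" in
    alias)    show_pls_alias ;;
    pending)  list_pending_connections ;;
    approve)  approve_connection "$2" ;;
    dns)      create_dns_record "$2" "$3" ;;
    check-id) validate_eventgrid_id "$2" && echo "resource ID format OK" ;;
    "")       echo "usage: $0 alias | pending | approve <connection-name> | dns <label> <private-ip> | check-id <resource-id>" ;;
esac
```

Run `check-id` on the Event Grid resource ID before sending it, `pending` to see the request from Step 2 before approving it, and `dns` with the label and the private IP Cognite gave you for Step 3.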