- Home
Admin portal
Network & Private DNS
Private by default.Loom backing services run with public network access disabled. The console reaches them over private endpoints + private DNS linked to the hub VNet. To reach them directly (Synapse Studio, SSMS, Storage Explorer,
az/REST) from your workstation, your VPN-connected machine must resolve each service FQDN to its private endpoint IP. Use the hosts override for a quick local fix, or wire the enterprise DNS below for everyone.CSA Loom network topology
A live resource-graph map of the whole network estate across the readable subscription(s): virtual networks → subnets → the private endpoints, NSGs, Azure Firewalls, Bastion hosts, Container Apps environments, application gateways and load balancers attached to each — plus vNet↔vNet peering and the private DNS zones. Select any node for its live ARM detail.Azure Resource Graph
Managed private endpoints
Create a private endpoint from the CSA Loom managed network to any Azure resource you can reach, so Loom compute connects to it privately. New endpoints land Pending until the target resource owner approves the connection — poll the state here after they approve.Azure-native · self-service
Backed by
Microsoft.Network/privateEndpoints in the managed network over ARM. Approval is a separate action the target resource owner performs (portal → the resource → Networking → Private endpoint connections → Approve). Loom registers the endpoint in the matching privatelink.* private DNS zone automatically (on create, retried on refresh after approval) so the FQDN resolves privately — a “DNS not registered” note means the zone is missing from the networking resource group. Tenant-admin only — private endpoints touch the shared landing-zone network.Trusted access (storage resource-instance rules)
Authorize a managed identity through a firewalled storage account’s network rules — the Azure-native equivalent of Fabric’s trusted workspace access. Adding an identity writes a real Azure-native · trusted workspace access
networkAcls.resourceAccessRules entry ({ tenantId, resourceId }) on the account over ARM, so that identity reaches the data even with the firewall default action set to Deny.Scopes the request + the workspace-identity option
Live ARM discovery — accounts the Console identity can read
Microsoft.Storage/storageAccounts PATCH of networkAcls.resourceAccessRules over ARM — the complete firewall object is read back and preserved on every update. Rules take effect when the account is “Enabled from selected networks” with default action Deny. Tenant-admin only — storage firewall rules govern shared landing-zone data.Enterprise / corporate DNS configuration
The durable fix: make your corporate DNS resolve every Azure private-link domain to the private IPs. Pick one of the patterns below. Both let any VPN-connected user reach the services by their normal public FQDN, with traffic staying on the private endpoints.1. Deploy an Azure DNS Private Resolver with an inbound endpoint in the hub VNet (the VNet the private DNS zones are linked to). Note its inbound IP.
2. Ensure every privatelink zone below is linked to that VNet (Loom’s bicep already links them to the hub).
3. On your corporate DNS servers (or Azure Firewall / forwarder), add a conditional forwarder for each public parent domain → the resolver inbound IP. Queries for
4. Route the resolver inbound IP over the VPN/ExpressRoute so on-prem clients can reach it.Conditional-forwarder domains
2. Ensure every privatelink zone below is linked to that VNet (Loom’s bicep already links them to the hub).
3. On your corporate DNS servers (or Azure Firewall / forwarder), add a conditional forwarder for each public parent domain → the resolver inbound IP. Queries for
*.privatelink.* then resolve to the private IPs automatically.4. Route the resolver inbound IP over the VPN/ExpressRoute so on-prem clients can reach it.Conditional-forwarder domains
(load the inventory to populate)
Synapse workspace — public access disabled
The Synapse workspace runs publicNetworkAccess: Disabled, with private endpoints for its Dev (*.dev.azuresynapse.net — Studio + artifact REST), SQL (dedicated pools) and SqlOnDemand (serverless) sub-resources, all registered in the privatelink.dev.azuresynapse.net / privatelink.sql.azuresynapse.net zones linked to the hub VNet.To reach Synapse Studio from your workstation, add the azuresynapse entries from the hosts block above (or configure the conditional forwarders) while on the VPN, then browse to web.azuresynapse.net. SQL tools (SSMS / sqlcmd) connect to the *.sql.azuresynapse.net endpoint the same way.VPN access (point-to-site)
Connect from your workstation to reach the private-by-default Azure backends — private endpoints, the Internal API Management gateway, and firewall-protected services (Databricks, AI Search, Synapse, Cosmos, Key Vault, Storage). Sign-in is your Microsoft Entra ID (no certificates).Virtual network (VNet) data gateway
Fabric tenant capability
Tenant-managed — Loom does not provision this.A VNet data gateway is enabled by a Fabric administrator (Power Platform admin center → Data → Virtual network data gateways → Manage gateway installers) and requires a Power BI/Fabric Premium capacity. CSA Loom cannot toggle that tenant switch or create the gateway. The supported Azure-native default for private connectivity is the private-endpoint plane shown above — no Fabric capacity, workspace, or gateway required.