Securing outbound traffic with Azure Data Factory's outbound network rules

Hi,

I am trying to get line of sight on when this policy will move from Preview to Generally Available?  Its been more than a year since original post. 

Thanks

M

Abhishek Narain Mayank_Bansal Thank you for showcasing the new feature. Do you have an indication on when this preview will be rolled out to be used in an ARM/BICEP template? 

Thank you in advance. 

Does the ability to enable/disable the outbound rule feature, map to an action within the Microsoft.DataFactory resource provider ?

We would like to enable the feature but our users are generally ADF contributors of their own subscriptions, so from what I understand, we can enable Azure policy containing the allowed FQDNS on their Sub/Resource group/ADF, but then its optional to enable or disable the setting inside the ADF portal. 

If users are contributors, they could enable/disable the feature to get around the restriction. 

I was thinking a custom RBAC policy would do it, containing most of the contributor roles, but disalowing the enable/disablement of the feature.... but cant see anything in the list of published actions that might be one we wanted to restrict. 

shaunsatt we don't cache the evaluation results today, so each request is checked against policy
As you can see the throttling is applied at two levels, at subscription & at resource (Data Factory), & if the resource hits it's limit then it will get throttled, meaning even if you only have 1 subscription, & only 1 Data Factory, then the effective throttling for your data factory is 1000 request / 5mins
However if you have 1 subscription, & 10 Data Factory, then for each Data Factory you would have 1000 requests / 5mins. 

Mayank_Bansal This works as expected now, thank you.

With regards to your throttling limits, is there any caching involved or is each request checked against Policy, also if I have only 1 ADF in a subscription can it consume 50,000 requests / 5 minutes or is it limited to the 1000 limit?

shaunsatt we have deployed the fix to all regions, could you please give it another try & let us know if that solved the issue for you?

shaunsatt we have identified a bug & are working on releasing the fix. It will be fixed by 15th June EOD PST

Abhishek Narain I have setup 2 linked services, 1 to a source storage account the other to a destination storage account. Copying a file from one to the other using managed identities works fine when not enabled. Then when I enable outbound rules and copy the FQDN's of both storage accounts to the policy in an array I get a DENY error message for both storage accounts within ADF saying it's unauthorised.

"Connector or activity name: blob_destination, connector or activity type: AzureBlobStorage, error: Calling partner RP EvaluatePolicyAsync returned an invalid status code 'Unauthorized', ReasonPhrase Unauthorized"]'

shaunsatt you need to provide the exact FQDN used in the linked service. It does not support regex yet; hence, it must be the exact FQDN, not just the domain. 
Also, if there is any other policy applied at the same or higher levels (say another assignment at the resource group level or subscription or management group level, then all policies should allow the same FQDNs).
Let me know if you still face the problem.

Abhishek Narain is there some nuance to this as I am unable to get it working, as soon as I enable Outbound rules using Azure Policy in ADF it blocks everything even if there is no policy, with policy but disabled and with FQDN entries in the policy. Can it take specific FQDN's rather than just a domain name?