Commit 434d50f

Merge pull request #298474 from lrtoyou1223/shirbranch30
Add a note for trusted service
2 parents 1ca6dd9 + 92c4952 commit 434d50f

File tree

4 files changed

+29
-13
lines changed

articles/data-factory/create-self-hosted-integration-runtime.md

Lines changed: 1 addition & 1 deletion
@@ -463,7 +463,7 @@ For some cloud databases, such as Azure SQL Database and Azure Data Lake, you mi
463463
464464

465465

466-
### Self-contained interactive authoring (preview)
466+
### Self-contained interactive authoring
467467
In order to perform interactive authoring actions such as data preview and connection testing, the self-hosted integration runtime requires a connection to Azure Relay. If the connection isn't established, there are two possible solutions to ensure uninterrupted functionality. The first option is to add the Azure Relay endpoints to your firewall's allowlist [Get URL of Azure Relay](#get-url-of-azure-relay). Alternatively, you can enable self-contained interactive authoring.
468468

469469
> [!NOTE]
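Review bot: Dropping "(preview)" from the heading silently changes the auto-generated anchor from `#self-contained-interactive-authoring-preview` to `#self-contained-interactive-authoring`, and this PR only updates the two inbound links it touches; any other link to the old anchor (other articles, external bookmarks) will now land at the top of the page. Consider searching the repo for remaining references and, if this rename marks the feature leaving preview, saying so in the commit message, which currently only mentions the trusted-service note. While this paragraph is being edited, the bare link "[Get URL of Azure Relay](#get-url-of-azure-relay)" would read better attached to the sentence, e.g. "allowlist (see [Get URL of Azure Relay](#get-url-of-azure-relay))".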

articles/data-factory/data-access-strategies.md

Lines changed: 26 additions & 10 deletions
@@ -21,20 +21,35 @@ Typically a cloud data store controls access using the below mechanisms:
2121
* Authorization mechanisms that restrict users to specific actions and data
2222

2323
> [!TIP]
24-
> With the [introduction of Static IP address range](./azure-integration-runtime-ip-addresses.md), you can now allow list IP ranges for the particular Azure integration runtime region to ensure you don’t have to allow all Azure IP addresses in your cloud data stores. This way, you can restrict the IP addresses that are permitted to access the data stores.
24+
> With the [introduction of Static IP address range](./azure-integration-runtime-ip-addresses.md), you can now allowlist IP ranges for the particular Azure integration runtime region to ensure you don’t have to allow all Azure IP addresses in your cloud data stores. This way, you can restrict the IP addresses that are permitted to access the data stores.
2525
2626
> [!NOTE]
27-
> The IP address ranges are blocked for Azure Integration Runtime and is currently only used for Data Movement, pipeline and external activities. Dataflows and Azure Integration Runtime that enable Managed Virtual Network now do not use these IP ranges.
27+
> The IP address ranges are blocked for Azure Integration Runtime and are currently only used for Data Movement, pipeline and external activities. Dataflows and Azure Integration Runtime that enable Managed Virtual Network now don't use these IP ranges.
2828
2929
This should work in many scenarios, and we do understand that a unique Static IP address per integration runtime would be desirable, but this wouldn't be possible using Azure Integration Runtime currently, which is serverless. If necessary, you can always set up a Self-hosted Integration Runtime and use your Static IP with it.
3030

3131
## Data access strategies through Azure Data Factory
3232

33-
* **[Private Link](../private-link/private-link-overview.md)** - You can create an Azure Integration Runtime within Azure Data Factory Managed Virtual Network and it will leverage private endpoints to securely connect to supported data stores. Traffic between Managed Virtual Network and data sources travels the Microsoft backbone network and is not exposed to the public network.
34-
* **[Trusted Service](../storage/common/storage-network-security.md#exceptions)** - Azure Storage (Blob, ADLS Gen2) supports firewall configuration that enables select trusted Azure platform services to access the storage account securely. Trusted Services enforces Managed Identity authentication, which ensures no other data factory can connect to this storage unless approved to do so using it's managed identity. You can find more details in **[this blog](https://techcommunity.microsoft.com/t5/azure-data-factory/data-factory-is-now-a-trusted-service-in-azure-storage-and-azure/ba-p/964993)**. Hence, this is extremely secure and recommended.
35-
* **Unique Static IP** - You will need to set up a self-hosted integration runtime to get a Static IP for Data Factory connectors. This mechanism ensures you can block access from all other IP addresses.
36-
* **[Static IP range](./azure-integration-runtime-ip-addresses.md)** - You can use Azure Integration Runtime's IP addresses to allow list it in your storage (say S3, Salesforce, etc.). It certainly restricts IP addresses that can connect to the data stores but also relies on Authentication/ Authorization rules.
37-
* **[Service Tag](../virtual-network/service-tags-overview.md)** - A service tag represents a group of IP address prefixes from a given Azure service (like Azure Data Factory). Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. It is useful when filtering data access on IaaS hosted data stores in Virtual Network.
33+
* **[Private Link](../private-link/private-link-overview.md)** - You can create an Azure Integration Runtime within Azure Data Factory Managed Virtual Network and it leverages private endpoints to securely connect to supported data stores. Traffic between Managed Virtual Network and data sources travels the Microsoft backbone network and isn't exposed to the public network.
34+
* **[Trusted Service](../storage/common/storage-network-security.md#exceptions)** - Azure Storage (Blob, ADLS Gen2) supports firewall configuration that enables select trusted Azure platform services to access the storage account securely. Trusted Services enforces Managed Identity authentication, which ensures no other data factory can connect to this storage unless approved to do so using it's managed identity.
35+
<!-- You can find more details in **[this blog](https://techcommunity.microsoft.com/t5/azure-data-factory/data-factory-is-now-a-trusted-service-in-azure-storage-and-azure/ba-p/964993)**. Hence, this is extremely secure and recommended. -->
36+
37+
> [!NOTE]
38+
> Below scenarios aren't in the trusted services list:
39+
> 1. Using a self-hosted integration runtime or SSIS integration runtime
40+
> 2. Using any of the following activity types:
41+
> - Webhook
42+
> - Custom
43+
> - Azure Function
44+
> 3. Using any of the following connectors:
45+
> - AzureBatch
46+
> - AzureFunction
47+
> - AzureFile
48+
> - OData
49+
50+
* **Unique Static IP** - You'll need to set up a self-hosted integration runtime to get a Static IP for Data Factory connectors. This mechanism ensures you can block access from all other IP addresses.
51+
* **[Static IP range](./azure-integration-runtime-ip-addresses.md)** - You can use Azure Integration Runtime's IP addresses to allowlist it in your storage (say S3, Salesforce, etc.). It certainly restricts IP addresses that can connect to the data stores but also relies on Authentication/ Authorization rules.
52+
* **[Service Tag](../virtual-network/service-tags-overview.md)** - A service tag represents a group of IP address prefixes from a given Azure service (like Azure Data Factory). Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. It's useful when filtering data access on IaaS hosted data stores in Virtual Network.
3853
* **Allow Azure Services** - Some services lets you allow all Azure services to connect to it in case you choose this option.
3954

4055
For more information about supported network security mechanisms on data stores in Azure Integration Runtime and Self-hosted Integration Runtime, see below two tables.
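Review bot: The nested lists in the new NOTE (lines 39-48) won't render as intended: the "> - Webhook" and "> - AzureBatch" items need to be indented under their numbered parent (for example `>    - Webhook`), otherwise Markdown closes the numbered list and starts separate bullet lists. The note also only says these scenarios "aren't in the trusted services list" without telling the reader what follows from that; suggest stating the consequence, that a storage account firewall relying on the trusted-services exception will block a self-hosted IR, SSIS IR, or the listed activities and connectors, so those paths need one of the other mechanisms on this page (private endpoint, or an allowlisted static IP or IP range) and must not be assumed to be covered. Smaller points in the same hunk: line 34 keeps the typo "it's managed identity" (should be "its"), "Below scenarios aren't in" reads better as "The following scenarios aren't covered by", and moving the blog sentence into an HTML comment on line 35 leaves dead text in the source; if the "extremely secure and recommended" claim is being withdrawn, delete it rather than comment it out.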
@@ -67,12 +82,13 @@ For more information about supported network security mechanisms on data stores
6782
| | Azure Data Lake Gen1 | Yes | - |
6883
| | Azure Database for MariaDB, MySQL, PostgreSQL | Yes | - |
6984
| | Azure Files | Yes | - |
70-
| | Azure Blob storage and ADLS Gen2 | Yes | Yes (MSI auth only) |
85+
| | Azure Blob storage and ADLS Gen2 | Yes | - |
7186
| | Azure SQL DB, Azure Synapse Analytics), SQL Ml | Yes | - |
72-
| | Azure Key Vault (for fetching secrets/ connection string) | Yes | Yes |
87+
| | Azure Key Vault (for fetching secrets/ connection string) | Yes | - |
7388
| Other PaaS/ SaaS Data stores | AWS S3, SalesForce, Google Cloud Storage, etc. | Yes | - |
7489
| Azure laaS | SQL Server, Oracle, etc. | Yes | - |
75-
| On-premise laaS | SQL Server, Oracle, etc. | Yes | - |
90+
| On-premises laaS | SQL Server, Oracle, etc. | Yes | - |
91+
7692

7793
## Related content
7894
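Review bot: Changing the Blob/ADLS Gen2 entry from "Yes (MSI auth only)" to "-" and the Key Vault entry from "Yes" to "-" is consistent with the new note that self-hosted IR scenarios aren't covered by trusted services, but the table header isn't in the hunk, so a reader of this diff can't confirm which column is being cleared; a one-line mention in the PR description would help. The hunk touches the "On-premise" row but leaves "laaS" (lowercase L) in both the Azure and on-premises rows; it should be "IaaS". Line 86 still has a stray ")" after "Azure Synapse Analytics" and "SQL Ml" where "SQL MI" is presumably meant, and line 91 adds an empty line directly before the existing blank line, giving two consecutive blank lines.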

articles/data-factory/data-factory-private-link.md

Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ Enabling Private Link for each of the preceding communication channels offers th
5151
- The command communications between the self-hosted IR and Data Factory can be performed securely in a private network environment. The traffic between the self-hosted IR and Data Factory goes through Private Link.
5252
- **Not currently supported**:
5353
- Interactive authoring that uses a self-hosted IR, such as test connection, browse folder list and table list, get schema, and preview data, goes through Private Link.
54-
Please notice that the traffic goes through private link if the self-contained interactive authoring is enabled. See [Self-contained Interactive Authoring](create-self-hosted-integration-runtime.md#self-contained-interactive-authoring-preview).
54+
Please notice that the traffic goes through private link if the self-contained interactive authoring is enabled. See [Self-contained Interactive Authoring](create-self-hosted-integration-runtime.md#self-contained-interactive-authoring).
5555

5656
> [!NOTE]
5757
> Both "Get IP" and "Send log" are not supported when self-contained interactive authoring is enabled.
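Review bot: The anchor update is required by the heading rename in create-self-hosted-integration-runtime.md and is correct. Two wording points on the surrounding lines: "Please notice that" should be "Note that", and the sentence sits directly under a "Not currently supported" bullet stating that interactive authoring traffic goes through Private Link, then immediately says the traffic does go through Private Link when self-contained interactive authoring is enabled; consider restructuring so the exception is unambiguous, for example "Interactive authoring that uses a self-hosted IR ... isn't supported over Private Link unless self-contained interactive authoring is enabled; see ...". The NOTE below also reads better as "Neither "Get IP" nor "Send log" is supported when self-contained interactive authoring is enabled."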

articles/data-factory/whats-new-archive.md

Lines changed: 1 addition & 1 deletion
@@ -47,7 +47,7 @@ Added support for metadata driven pipelines for dynamic full and incremental pro
4747

4848
### Integration runtime
4949

50-
Self-hosted integration runtime now supports self-contained interactive authoring (Preview) [Learn more](create-self-hosted-integration-runtime.md?tabs=data-factory#self-contained-interactive-authoring-preview)
50+
Self-hosted integration runtime now supports self-contained interactive authoring (Preview) [Learn more](create-self-hosted-integration-runtime.md?tabs=data-factory#self-contained-interactive-authoring)
5151

5252
## July 2023
5353
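Review bot: The anchor fix is correct and needed after the heading rename. Because this is the archived announcement, keeping "(Preview)" in the sentence is reasonable as a historical record, but the same stale anchor may exist in the current what's-new page and in any other article that linked to the preview heading; those aren't in this PR, so please search the repo for "self-contained-interactive-authoring-preview" before merging.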
