Deprecation of Virtual Network Injection for Azure Data Explorer
We are announcing the deprecation of Virtual Network Injection for Azure Data Explorer. This feature allows customers to inject their Azure Data Explorer cluster into their own virtual network and control the inbound and outbound network traffic. However, this feature has limitations and challenges, such as:
Customers face significant maintenance work, such as updating firewall lists of FQDNs or using public IP addresses in a restricted and secured environment.
Customers are responsible for ensuring that the intra-cluster communication is working.
It requires a dedicated subnet for each cluster, which can lead to subnet exhaustion and increased management overhead.
It does not support cross-region or cross-subscription scenarios, which can limit the scalability and flexibility of the data platform.
Required actions
As a result, we are deprecating this feature and recommend that customers move as soon as possible to a private endpoint based network security architecture. A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. A private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. With private endpoints, you can:
Connect securely to Azure Data Explorer from your virtual network or from on-premises networks via VPN or ExpressRoute.
Access Azure Data Explorer from different regions or subscriptions without any public internet exposure.
Use all the Azure Data Explorer features without any limitations or trade-offs.
Reduce the network complexity and management overhead by using a single subnet for multiple clusters and services.
To help you with the migration, we have created a migration process with close to zero downtime.
We understand that this migration may require effort and coordination from your side, and we are here to support you along the way. We have scheduled office hours to answer your questions and provide guidance on the migration process. You can register for the office hours using this form. You can also reach out to us via email at ADXVnetDeprecation@microsoft.com.
Timelines
Please note the following important dates and actions regarding the migration:
Effective immediately, no new customers will be able to create virtual network injected clusters. Existing customers can continue to use their clusters until the migration deadline.
Starting from February 1, 2025, all running virtual network injected clusters will be stopped. Customers who have not migrated by then will not be able to start them until they complete the migration process.
To avoid any disruption, we strongly recommend that you migrate your clusters as soon as possible. You can follow the migration steps outlined in this document. If you encounter any issues or need assistance, please contact us at ADXVnetMigration@microsoft.com or join our office hours.
We appreciate your understanding and cooperation as we deprecate the Virtual Network Injection feature and move to a more secure, scalable, and feature-rich network security architecture for Azure Data Explorer.