Access a lakehouse in an inbound restricted workspace from a notebook in an open workspace

A managed private endpoint can be used to establish cross-workspace communication between an open workspace and a workspace that restricts inbound public access. For example, if you want to access a lakehouse in an inbound restricted workspace from a notebook in an open workspace, you can set up a managed private endpoint (MPE) to establish a secure connection between the two workspaces.

Diagram illustrating how managed private endpoints can establish connection to a workspace set to deny public access.

In this diagram, the open workspace (Workspace 1) has a managed private endpoint that connects to the restricted workspace (Workspace 2). This setup allows the notebook in Workspace 1 to securely access the lakehouse and read Delta tables in Workspace 2 without exposing them to public access.

This article explains how to create a managed private endpoint via the workspace settings in the Fabric portal or via the REST API.

Step 1: Create the workspaces

Create workspaces in Fabric. This setup involves both an open workspace and a restricted workspace. In this article, the workspaces are referred to as follows:

  • The source workspace is the open workspace without public access restriction.
  • The target workspace is the workspace that restricts inbound public access.

Note

This article refers to the workspace fully qualified domain name (FQDN). The format is:

https://{workspaceID}.z{xy}.w.api.fabric.microsoft.com

Where the {workspaceID} is the workspace ID without dashes, and {xy} is the first two letters of the workspace object ID (see also Connecting to workspaces).

You can find a workspace ID by opening the workspace page in the Fabric portal and noting the ID after "groups/" in the URL. You can also find a workspace FQDN using List workspace or Get workspace in the API.

Step 2: Create a managed private endpoint

Create a managed private endpoint (MPE) in the source (open) workspace. Use the workspace settings in the portal or the following API:

POST https://{workspaceFQDN}/v1/workspaces/{workspaceID}/managedPrivateEndpoints

Where {workspaceFQDN} is {workspaceID}.z{xy}.w.api.fabric.microsoft.com

For example: POST https://aaaaaaaa000011112222bbbbbbbbbbbb.zaa.w.api.fabric.microsoft.com/v1/workspaces/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/managedPrivateEndpoints

The request's targetPrivateLinkResourceId is the private link service resource ID of the target (restricted) workspace; you need this ID before you can create a managed private endpoint to that workspace.

Screenshot showing the create MPE API.

You can find this Resource ID in Azure by viewing the Resource JSON for the workspace. Ensure that the workspace ID in the JSON matches the intended target workspace.

Screenshot showing how to get the private link resource ID in the resource json file.

The private link service owner for Workspace 2 needs to approve the managed private endpoint request in Azure private link center > Pending connections.

Step 3: Create a lakehouse in the restricted workspace

Create a lakehouse in the target (restricted) workspace by using the following Create Lakehouse API:

POST https://{workspaceFQDN}/v1/workspaces/{workspaceID}/lakehouses

Where {workspaceFQDN} is {workspaceID}.z{xy}.w.api.fabric.microsoft.com

For example: POST https://aaaaaaaa000011112222bbbbbbbbbbbb.zaa.w.api.fabric.microsoft.com/v1/workspaces/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/lakehouses

Screenshot showing creating a lakehouse in the target workspace.

Step 4: Upload a Delta Table to the lakehouse

Use Azure Storage Explorer to upload your Delta Table folder into the restricted lakehouse's managed storage.

  1. Go to Azure Storage Explorer, select the connection icon in the left menu, and then select ADLS Gen2 container or directory.

  2. Sign in using OAuth.

  3. Enter a display name for the storage and enter the blob container URL in the following format:

    https://{workspaceFQDN}/{workspaceID}/{lakehouseID}

    where {workspaceFQDN} is {workspaceID}.z{xy}.onelake.fabric.microsoft.com

    For example: https://aaaaaaaa000011112222bbbbbbbbbbbb.zaa.onelake.fabric.microsoft.com/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/bbbbbbbb-1111-2222-3333-cccccccccccc

    Screenshot showing entering the connection info.

  4. Select Connect. The storage should now be displayed in the explorer view.

  5. Under the Tables folder, upload the Delta table you want to use. This example uses the customers table.

    Screenshot showing the upload folder option.

Step 5: Create a notebook in the source workspace

Create a notebook and connect it to the restricted lakehouse as follows:

  1. In the source workspace, go to Notebooks.

  2. Select + New Notebook. 

  3. Select the Spark runtime. 

  4. Connect to the target workspace in the Explorer pane.

  5. Paste the following code:

    # `spark` is the SparkSession that Fabric pre-creates in every notebook; the import
    # is only needed if you run this outside Fabric and build the session yourself.
    from pyspark.sql import SparkSession

    # Read the Delta table from the restricted lakehouse using the workspace DNS-based ABFSS URI.
    # Replace {WorkspaceID}, {WorkspaceFQDN} and {LakehouseID} with the values from steps 1-3.
    df = spark.read.format("delta").load(
        "abfss://{WorkspaceID}@{WorkspaceFQDN}/{LakehouseID}/Tables/customers"
    )

    # Display the table contents (step 6 expects the notebook to show them).
    df.show()

    Make sure that:

    • The ABFSS path matches your lakehouse's DNS and table location.
    • Network access between the open and restricted workspaces is correctly established via the private endpoint.

  6. Run the Notebook. If the private endpoint and permissions are correctly set up, the notebook connects and displays the contents of the Delta table from the restricted lakehouse.
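Every URL and URI in steps 1 to 5 is derived from the same two inputs, the workspace ID and the lakehouse ID, by the FQDN rule in the Note above (strip the dashes, prefix `z` plus the first two characters of the ID, append the host suffix). The following Python helper is an added example, not code from the article or from Fabric; it builds each form using the article's own sample IDs, refuses anything that is not a dashed GUID so a typo cannot silently produce a URL for a different workspace, and includes a pre-flight check for the "ABFSS path matches your lakehouse's DNS" item. It assumes that the `{WorkspaceFQDN}` inside the ABFSS URI is the OneLake form used in Step 4 (`…onelake.fabric.microsoft.com`) rather than the REST API host, because ABFSS reads storage, not the API.

```python
import re
from urllib.parse import urlparse

# Dashed GUID, as in the article's sample IDs (the sample IDs below are the article's own).
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

API_SUFFIX = "w.api.fabric.microsoft.com"        # REST API host (steps 2 and 3)
ONELAKE_SUFFIX = "onelake.fabric.microsoft.com"  # OneLake storage host (step 4)


def _require_guid(value: str, label: str) -> str:
    """Reject anything that is not a dashed GUID so a mistyped ID cannot
    silently yield a URL that points at another (or a nonexistent) workspace."""
    value = value.strip().lower()
    if not GUID_RE.match(value):
        raise ValueError(f"{label} must be a dashed GUID, got {value!r}")
    return value


def workspace_fqdn(workspace_id: str, suffix: str = API_SUFFIX) -> str:
    """{workspaceID without dashes}.z{xy}.{suffix}, where {xy} is the first
    two characters of the workspace object ID."""
    compact = _require_guid(workspace_id, "workspace ID").replace("-", "")
    return f"{compact}.z{compact[:2]}.{suffix}"


def managed_private_endpoint_url(workspace_id: str) -> str:
    """POST target for creating an MPE in the source (open) workspace (step 2)."""
    wid = _require_guid(workspace_id, "workspace ID")
    return f"https://{workspace_fqdn(wid)}/v1/workspaces/{wid}/managedPrivateEndpoints"


def create_lakehouse_url(workspace_id: str) -> str:
    """POST target for creating a lakehouse in the target workspace (step 3)."""
    wid = _require_guid(workspace_id, "workspace ID")
    return f"https://{workspace_fqdn(wid)}/v1/workspaces/{wid}/lakehouses"


def storage_explorer_url(workspace_id: str, lakehouse_id: str) -> str:
    """Blob container URL entered in Azure Storage Explorer (step 4)."""
    wid = _require_guid(workspace_id, "workspace ID")
    lid = _require_guid(lakehouse_id, "lakehouse ID")
    return f"https://{workspace_fqdn(wid, ONELAKE_SUFFIX)}/{wid}/{lid}"


def abfss_table_uri(workspace_id: str, lakehouse_id: str, table: str) -> str:
    """ABFSS URI for spark.read (step 5). Assumption: the FQDN in the ABFSS URI
    is the OneLake form from step 4, since ABFSS targets storage, not the API."""
    wid = _require_guid(workspace_id, "workspace ID")
    lid = _require_guid(lakehouse_id, "lakehouse ID")
    if not re.fullmatch(r"[A-Za-z0-9_]+", table):
        raise ValueError(f"unexpected table name {table!r}")
    return f"abfss://{wid}@{workspace_fqdn(wid, ONELAKE_SUFFIX)}/{lid}/Tables/{table}"


def abfss_uri_is_consistent(uri: str) -> bool:
    """Pre-flight check for step 5: the host must be the OneLake FQDN derived
    from the workspace ID in the URI's authority, and the path must have the
    shape /{lakehouseID}/Tables/{table}. A host built from some other
    workspace, or the REST API host, fails the check."""
    parsed = urlparse(uri)
    if parsed.scheme != "abfss" or parsed.username is None or parsed.hostname is None:
        return False
    try:
        expected_host = workspace_fqdn(parsed.username, ONELAKE_SUFFIX)
        parts = parsed.path.strip("/").split("/")
        if len(parts) != 3 or parts[1] != "Tables":
            return False
        _require_guid(parts[0], "lakehouse ID")
    except ValueError:
        return False
    return parsed.hostname == expected_host


if __name__ == "__main__":
    # The article's sample workspace and lakehouse IDs.
    ws = "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
    lh = "bbbbbbbb-1111-2222-3333-cccccccccccc"
    print(managed_private_endpoint_url(ws))
    print(create_lakehouse_url(ws))
    print(storage_explorer_url(ws, lh))
    uri = abfss_table_uri(ws, lh, "customers")
    print(uri, abfss_uri_is_consistent(uri))
```

Running the module prints the step 2 and step 3 endpoints, the step 4 Storage Explorer URL, and the step 5 ABFSS URI for the article's sample IDs; feed a hand-edited URI to `abfss_uri_is_consistent` before running the notebook to catch a host that was copied from the wrong workspace.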