Governance Policies / Azure Data / Data Factory (Azure/az-prototype GitHub Wiki)

# Data Factory

Governance policies for Data Factory

Domain: azure-data

## Patterns

| Name | Description |
|---|---|
| Data Factory with managed VNet and Key Vault integration | Production ADF with a managed-VNet integration runtime, private endpoints for the factory itself, and Key Vault references for every secret |

## Anti-Patterns

| Description | Instead |
|---|---|
| Do not store credentials inline in Data Factory linked service definitions | Reference every secret and connection string through a Key Vault linked service that authenticates with the factory's managed identity |
| Do not use the default public Azure (AutoResolve) integration runtime for production data movement | Enable the managed virtual network on the integration runtime and reach data stores through managed private endpoints |

## References


## Checks (4)

| Check | Severity | Description |
|---|---|---|
| AZ-ADF-001 | Required | Deploy Data Factory with managed identity, managed VNet integration, and public access disabled |
| AZ-ADF-002 | Required | Configure managed virtual network for integration runtime |
| AZ-ADF-003 | Required | Use Key Vault linked service for all secrets and connection strings |
| AZ-ADF-004 | Recommended | Enable diagnostic settings for pipeline runs and activity logs |

### AZ-ADF-001

Deploy Data Factory with managed identity, managed VNet integration, and public access disabled

- **Severity:** Required
- **Rationale:** Setting `publicNetworkAccess` to `Disabled` forces authoring and data-plane access through private endpoints; the managed VNet keeps integration runtime traffic off the public internet; the managed identity lets the factory authenticate to Key Vault and data stores without any stored credential
- **Agents:** terraform-agent, bicep-agent, cloud-architect

#### Targets

- Microsoft.DataFactory/factories

#### Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-adf | Private endpoint for the Data Factory data plane (groupId `dataFactory`) |
| Microsoft.Network/privateDnsZones | privatelink.datafactory.azure.net | Private DNS zone resolving the data-plane private endpoint |
| Microsoft.Network/privateDnsZones | privatelink.adf.azure.com | Private DNS zone resolving the portal (authoring) endpoint; this zone is only useful alongside a second private endpoint with groupId `portal` |
| Microsoft.DataFactory/factories/managedVirtualNetworks | default | Managed virtual network isolating integration runtime data movement traffic |
| Microsoft.DataFactory/factories/integrationRuntimes | AutoResolveIntegrationRuntime | Azure integration runtime bound to the managed VNet for data movement |
| Microsoft.Insights/diagnosticSettings | diag-adf | Diagnostic setting routing pipeline and activity run logs to Log Analytics |

### AZ-ADF-002

Configure managed virtual network for integration runtime

- **Severity:** Required
- **Rationale:** A managed-VNet integration runtime keeps data movement traffic on the Azure backbone instead of public endpoints, and its managed private endpoints let the runtime reach data stores whose own public access is disabled
- **Agents:** terraform-agent, bicep-agent, cloud-architect

#### Targets

- Microsoft.DataFactory/factories

#### Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints | mpe-datasource | Managed private endpoint connecting the integration runtime to a data source inside the managed VNet; the connection must be approved on the target resource before it carries traffic |

### AZ-ADF-003

Use Key Vault linked service for all secrets and connection strings

- **Severity:** Required
- **Rationale:** A credential typed into a linked service lives in that factory's definition and is rotated only by editing the linked service in every environment; a Key Vault reference is resolved at run time by the factory's managed identity, so secrets are stored, rotated, and audited in one vault
- **Agents:** terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

#### Targets

- Microsoft.DataFactory/factories

#### Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.KeyVault/vaults | kv-secrets | Key Vault storing the secrets and connection strings that ADF linked services reference; the factory's managed identity needs secret read permission on it |

### AZ-ADF-004

Enable diagnostic settings for pipeline runs and activity logs

- **Severity:** Recommended
- **Rationale:** Pipeline, activity, and trigger run records plus integration runtime status are the audit trail for data movement; the service itself keeps run history for only 45 days, so a diagnostic setting is what makes it retainable and alertable in Log Analytics
- **Agents:** terraform-agent, bicep-agent, cloud-architect, monitoring-agent

#### Targets

- Microsoft.DataFactory/factories

#### Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace receiving the Data Factory diagnostic logs |
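The four checks above, and the two anti-patterns in the table near the top of the page, can be evaluated mechanically against an exported factory definition before anything is deployed. The following is an added example for this page and is not the az-prototype project's own tooling; it assumes input in the shape of an ARM template `resources` array (factory, its child resources, and the diagnostic setting), and the two sample factories together with the names adf-prod, adf-dev, ls_kv, ls_sql, sql-conn and kv-secrets are constructed test data:

```python
"""Check Data Factory ARM resource definitions against AZ-ADF-001 to AZ-ADF-004.
Added example for this wiki page, not the az-prototype project's own tooling; resource
shapes follow the Microsoft.DataFactory and Microsoft.Insights ARM schemas; the sample
factories and names (adf-prod, ls_kv, ls_sql, sql-conn) are constructed test data."""

ADF = "Microsoft.DataFactory/factories"
CREDENTIAL_PROPS = {"connectionString", "password", "accountKey", "sasToken", "sasUri", "servicePrincipalKey", "secretAccessKey"}  # credential-bearing typeProperties
REQUIRED_LOGS = {"PipelineRuns", "ActivityRuns", "TriggerRuns"}

def of_type(resources: list[dict], rtype: str) -> list[dict]:
    return [r for r in resources if r.get("type", "").lower() == rtype.lower()]

def is_kv_ref(value) -> bool:
    # shape of a Key Vault reference: {"type": "AzureKeyVaultSecret", "store": {...}, "secretName": ...}
    return (isinstance(value, dict) and value.get("type") == "AzureKeyVaultSecret"
            and isinstance(value.get("store"), dict) and bool(value.get("secretName")))

def check_001(resources: list[dict]) -> list[str]:
    """Managed identity, public network access disabled, managed VNet present."""
    factories = of_type(resources, ADF)
    if not factories:
        return ["no Microsoft.DataFactory/factories resource"]
    f, findings = factories[0], []
    identity = (f.get("identity") or {}).get("type", "")
    if "SystemAssigned" not in identity and "UserAssigned" not in identity:
        findings.append("factory has no managed identity")
    if f.get("properties", {}).get("publicNetworkAccess", "Enabled") != "Disabled":  # default is Enabled
        findings.append("publicNetworkAccess is not Disabled")
    if not of_type(resources, f"{ADF}/managedVirtualNetworks"):
        findings.append("no managedVirtualNetworks child resource")
    return findings

def check_002(resources: list[dict]) -> list[str]:
    """Every Azure (Managed) IR must reference the managed VNet; none may stay public."""
    managed = [r for r in of_type(resources, f"{ADF}/integrationRuntimes")
               if r.get("properties", {}).get("type") == "Managed"]
    if not managed:  # with no IR defined, pipelines run on the public AutoResolve IR
        return ["no Managed integration runtime defined; default public IR would be used"]
    findings = []
    for ir in managed:
        ref = ir["properties"].get("managedVirtualNetwork") or {}
        if ref.get("type") != "ManagedVirtualNetworkReference" or not ref.get("referenceName"):
            findings.append(f"integration runtime {ir.get('name')} is not managed-VNet enabled")
    return findings

def check_003(resources: list[dict]) -> list[str]:
    """Credentials must be Key Vault references; the vault itself is reached with the MSI."""
    findings = []
    for ls in of_type(resources, f"{ADF}/linkedservices"):
        props, name = ls.get("properties", {}), ls.get("name")
        tp = props.get("typeProperties", {})
        if props.get("type") == "AzureKeyVault" and "servicePrincipalId" in tp:
            findings.append(f"linked service {name}: Key Vault should use managed identity")
        for key, value in tp.items():
            if key in CREDENTIAL_PROPS and not is_kv_ref(value):
                findings.append(f"linked service {name}: {key} is not a Key Vault reference")
    return findings

def check_004(resources: list[dict]) -> list[str]:
    """A diagnostic setting must route run logs to a Log Analytics workspace."""
    diags = of_type(resources, "Microsoft.Insights/diagnosticSettings")
    if not diags:
        return ["no diagnosticSettings resource"]
    findings = []
    for d in diags:
        props = d.get("properties", {})
        if not props.get("workspaceId"):
            findings.append(f"{d.get('name')}: no Log Analytics workspaceId")
        logs = [l for l in props.get("logs", []) if l.get("enabled")]
        if not any(l.get("categoryGroup") == "allLogs" for l in logs):  # allLogs covers every category
            missing = REQUIRED_LOGS - {l.get("category") for l in logs}
            if missing:
                findings.append(f"{d.get('name')}: categories not enabled: {sorted(missing)}")
    return findings

def evaluate(resources: list[dict]) -> dict[str, list[str]]:
    """Map check id -> findings; an empty list means the check passes."""
    checks = {"AZ-ADF-001": check_001, "AZ-ADF-002": check_002,
              "AZ-ADF-003": check_003, "AZ-ADF-004": check_004}
    return {cid: fn(resources) for cid, fn in checks.items()}

KV_REF = {"type": "AzureKeyVaultSecret", "secretName": "sql-conn",
          "store": {"referenceName": "ls_kv", "type": "LinkedServiceReference"}}
COMPLIANT = [  # constructed: the AZ-ADF-001 pattern
    {"type": ADF, "name": "adf-prod", "identity": {"type": "SystemAssigned"},
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"type": f"{ADF}/managedVirtualNetworks", "name": "adf-prod/default"},
    {"type": f"{ADF}/integrationRuntimes", "name": "adf-prod/AutoResolveIntegrationRuntime",
     "properties": {"type": "Managed", "typeProperties": {"computeProperties": {"location": "AutoResolve"}},
                    "managedVirtualNetwork": {"type": "ManagedVirtualNetworkReference", "referenceName": "default"}}},
    {"type": f"{ADF}/linkedservices", "name": "adf-prod/ls_kv", "properties": {
        "type": "AzureKeyVault", "typeProperties": {"baseUrl": "https://kv-secrets.vault.azure.net/"}}},
    {"type": f"{ADF}/linkedservices", "name": "adf-prod/ls_sql", "properties": {
        "type": "AzureSqlDatabase", "typeProperties": {"connectionString": KV_REF}}},
    {"type": "Microsoft.Insights/diagnosticSettings", "name": "diag-adf", "properties": {
        "workspaceId": "/subscriptions/0/resourceGroups/rg-data/providers/Microsoft.OperationalInsights/workspaces/log-analytics",
        "logs": [{"category": c, "enabled": True} for c in REQUIRED_LOGS]}},
]
NONCOMPLIANT = [  # constructed: inline credential, public access, no managed VNet/IR, no diagnostics
    {"type": ADF, "name": "adf-dev", "properties": {"publicNetworkAccess": "Enabled"}},
    {"type": f"{ADF}/linkedservices", "name": "adf-dev/ls_sql", "properties": {
        "type": "AzureSqlDatabase", "typeProperties": {"connectionString": {
            "type": "SecureString", "value": "Server=tcp:sql.example;Password=inline"}}}},
]
```

Feed `evaluate()` the `resources` array of a template exported with `az group export`, or the equivalent objects returned by the REST API for the factory and its children; every non-empty list is a finding that blocks a Required check. The `connectionString` rule is deliberately strict, as the check text demands: a plain string is flagged even when it carries no password, because that is the form in which a password is most often pasted in later.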
