Governance Policies Azure Data Synapse Workspace - Azure/az-prototype GitHub Wiki

Synapse Workspace

Governance policies for Synapse Workspace

Domain: azure-data

Patterns

| Name | Description |
| --- | --- |
| Synapse Workspace with managed VNet and private endpoints | Fully isolated Synapse workspace with CMK, managed VNet, and Entra auth |

Anti-Patterns

| Description | Instead |
| --- | --- |
| Do not deploy Synapse without managed virtual network | Enable managedVirtualNetwork to isolate Spark and pipeline traffic |
| Do not use SQL authentication for Synapse SQL pools | Enable Entra-only authentication via azureADOnlyAuthentications |

References


Checks (4)

| Check | Severity | Description |
| --- | --- | --- |
| AZ-SYN-001 | Required | Deploy Synapse Workspace with managed VNet, managed identity, and public access disabled |
| AZ-SYN-002 | Required | Configure Entra-only authentication for Synapse SQL pools |
| AZ-SYN-003 | Required | Create private endpoints for all Synapse endpoints (SQL, SqlOnDemand, Dev) |
| AZ-SYN-004 | Recommended | Enable diagnostic settings for Synapse workspace audit logs |

AZ-SYN-001

Deploy Synapse Workspace with managed VNet, managed identity, and public access disabled

Severity: Required
Rationale: Managed VNet isolates Spark/pipeline traffic; managed identity eliminates credential management
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Synapse/workspaces

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Storage/storageAccounts | st-synapse-datalake | ADLS Gen2 storage account serving as the default data lake for Synapse |
| Microsoft.Network/privateEndpoints | pe-synapse-sql, pe-synapse-sqlod, pe-synapse-dev | Private endpoints for Synapse SQL, SqlOnDemand, and Dev endpoints |
| Microsoft.Network/privateDnsZones | privatelink.sql.azuresynapse.net | Private DNS zones for Synapse SQL, Dev, and workspace endpoint resolution |
| Microsoft.KeyVault/vaults | kv-cmk | Key Vault storing customer-managed encryption keys for Synapse workspace |
| Microsoft.Insights/diagnosticSettings | diag-synapse | Diagnostic settings routing RBAC, gateway, and pipeline logs to Log Analytics |

AZ-SYN-002

Configure Entra-only authentication for Synapse SQL pools

Severity: Required
Rationale: SQL auth with passwords is less secure than Entra identity-based authentication
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Synapse/workspaces

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Synapse/workspaces/administrators | activeDirectory | Entra ID admin assignment for Synapse workspace SQL pools |

AZ-SYN-003

Create private endpoints for all Synapse endpoints (SQL, SqlOnDemand, Dev)

Severity: Required
Rationale: Synapse has three endpoints that all need private connectivity for full isolation
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Synapse/workspaces

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Network/privateDnsZones | privatelink.sql.azuresynapse.net | Private DNS zone for Synapse SQL endpoint resolution |
| Microsoft.Network/privateDnsZones | privatelink.dev.azuresynapse.net | Private DNS zone for Synapse Dev (Studio) endpoint resolution |
| Microsoft.Network/privateDnsZones | privatelink.azuresynapse.net | Private DNS zone for Synapse workspace management endpoint resolution |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups | default | DNS zone group registering Synapse private endpoint DNS records |

AZ-SYN-004

Enable diagnostic settings for Synapse workspace audit logs

Severity: Recommended
Rationale: Audit logs track user activities, SQL queries, and pipeline executions
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Targets

  • Microsoft.Synapse/workspaces

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for Synapse workspace diagnostic logs |
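The four checks above can be evaluated mechanically against the resource list of an ARM template (which is also what a compiled Bicep file produces). The following Python evaluator is an added example written for this page; it is not code from az-prototype or from any of the agents listed. It relies on the public Microsoft.Synapse/workspaces ARM properties (`managedVirtualNetwork`, `publicNetworkAccess`, `azureADOnlyAuthentication`) and on the child resource type named in the anti-pattern table; matching private endpoints and diagnostic settings to a workspace by a name substring, and both sample templates, are simplifications constructed here.

```python
"""Evaluate ARM-template resources against checks AZ-SYN-001..004.

Added example for the Synapse Workspace governance page; not part of
az-prototype. Sample templates are constructed. Resource references are
matched by workspace-name substring, a simplification for offline use.
"""
from __future__ import annotations

from typing import Any, Iterable

Resource = dict[str, Any]
Finding = tuple[str, str, str]  # (check id, severity, message)

WORKSPACE = "Microsoft.Synapse/workspaces"
AAD_ONLY = "Microsoft.Synapse/workspaces/azureADOnlyAuthentications"
PRIVATE_ENDPOINT = "Microsoft.Network/privateEndpoints"
DIAGNOSTIC = "Microsoft.Insights/diagnosticSettings"
# AZ-SYN-003: the three Synapse sub-resources that each need a private endpoint.
REQUIRED_GROUP_IDS = frozenset({"Sql", "SqlOnDemand", "Dev"})


def _of_type(resources: Iterable[Resource], rtype: str) -> list[Resource]:
    return [r for r in resources if r.get("type", "").lower() == rtype.lower()]


def check_syn_001(ws: Resource, resources: list[Resource]) -> list[Finding]:
    """Managed VNet, managed identity, and public network access disabled."""
    props = ws.get("properties", {})
    out: list[Finding] = []
    if props.get("managedVirtualNetwork") != "default":
        out.append(("AZ-SYN-001", "Required", f"{ws['name']}: managedVirtualNetwork not enabled"))
    # Synapse treats an omitted publicNetworkAccess as Enabled.
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        out.append(("AZ-SYN-001", "Required", f"{ws['name']}: publicNetworkAccess not Disabled"))
    if ws.get("identity", {}).get("type", "None") == "None":
        out.append(("AZ-SYN-001", "Required", f"{ws['name']}: no managed identity assigned"))
    return out


def check_syn_002(ws: Resource, resources: list[Resource]) -> list[Finding]:
    """Entra-only auth, set inline on the workspace or via the child resource."""
    if ws.get("properties", {}).get("azureADOnlyAuthentication") is True:
        return []
    for child in _of_type(resources, AAD_ONLY):
        # ARM names child resources "<workspace>/<child>".
        if (child.get("name", "").startswith(ws["name"] + "/")
                and child.get("properties", {}).get("azureADOnlyAuthentication") is True):
            return []
    return [("AZ-SYN-002", "Required", f"{ws['name']}: SQL authentication still enabled")]


def check_syn_003(ws: Resource, resources: list[Resource]) -> list[Finding]:
    """A private endpoint must exist for each of Sql, SqlOnDemand and Dev."""
    covered: set[str] = set()
    for pe in _of_type(resources, PRIVATE_ENDPOINT):
        for conn in pe.get("properties", {}).get("privateLinkServiceConnections", []):
            cprops = conn.get("properties", {})
            if ws["name"] in cprops.get("privateLinkServiceId", ""):  # simplified match
                covered.update(cprops.get("groupIds", []))
    missing = sorted(REQUIRED_GROUP_IDS - covered)
    if missing:
        return [("AZ-SYN-003", "Required",
                 f"{ws['name']}: no private endpoint for {', '.join(missing)}")]
    return []


def check_syn_004(ws: Resource, resources: list[Resource]) -> list[Finding]:
    """A diagnostic setting scoped to the workspace must ship logs to Log Analytics."""
    for diag in _of_type(resources, DIAGNOSTIC):
        if ws["name"] not in diag.get("scope", ""):
            continue
        props = diag.get("properties", {})
        logs_on = any(log.get("enabled") for log in props.get("logs", []))
        if props.get("workspaceId") and logs_on:
            return []
    return [("AZ-SYN-004", "Recommended",
             f"{ws['name']}: no diagnostic setting routing logs to Log Analytics")]


CHECKS = (check_syn_001, check_syn_002, check_syn_003, check_syn_004)


def evaluate(template: dict[str, Any]) -> list[Finding]:
    """Run every check against every Synapse workspace in the template."""
    resources = template.get("resources", [])
    findings: list[Finding] = []
    for ws in _of_type(resources, WORKSPACE):
        for check in CHECKS:
            findings.extend(check(ws, resources))
    return findings


def _private_endpoint(name: str, ws_name: str, group_id: str) -> Resource:
    """Constructed private endpoint resource targeting one Synapse sub-resource."""
    return {"type": PRIVATE_ENDPOINT, "name": name, "properties": {
        "privateLinkServiceConnections": [{"name": name, "properties": {
            "privateLinkServiceId": f"[resourceId('{WORKSPACE}', '{ws_name}')]",
            "groupIds": [group_id]}}]}}


# Constructed template matching the pattern on this page.
COMPLIANT = {"resources": [
    {"type": WORKSPACE, "name": "syn-prod", "identity": {"type": "SystemAssigned"},
     "properties": {"managedVirtualNetwork": "default", "publicNetworkAccess": "Disabled"}},
    {"type": AAD_ONLY, "name": "syn-prod/default",
     "properties": {"azureADOnlyAuthentication": True}},
    _private_endpoint("pe-synapse-sql", "syn-prod", "Sql"),
    _private_endpoint("pe-synapse-sqlod", "syn-prod", "SqlOnDemand"),
    _private_endpoint("pe-synapse-dev", "syn-prod", "Dev"),
    {"type": DIAGNOSTIC, "name": "diag-synapse", "scope": f"{WORKSPACE}/syn-prod",
     "properties": {"workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', 'log-analytics')]",
                    "logs": [{"categoryGroup": "allLogs", "enabled": True}]}},
]}

# Constructed anti-pattern: public workspace, SQL auth, only the SQL endpoint private, no diagnostics.
NON_COMPLIANT = {"resources": [
    {"type": WORKSPACE, "name": "syn-dev", "properties": {}},
    _private_endpoint("pe-synapse-sql", "syn-dev", "Sql"),
]}

if __name__ == "__main__":
    for template in (COMPLIANT, NON_COMPLIANT):
        for check_id, severity, message in evaluate(template) or [("OK", "-", "no findings")]:
            print(f"{check_id:<10} {severity:<12} {message}")
```

Severity is carried on each finding so a pipeline can fail the build on Required findings while only reporting Recommended ones; the same structure extends to further checks by appending a function to `CHECKS`.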
