How can I access the Synapse REST API from Spark notebooks in a Synapse workspace deployed with a private endpoint?

Question

How can I access the Synapse REST API from Spark notebooks in a Synapse workspace deployed with a private endpoint?

Kartik Rana 21

I'm trying to access the Synapse REST API from Spark notebooks in my Synapse workspace, which is deployed with a private endpoint and has public network access disabled. When I attempt to call the API from within a notebook, I get the following error:

PublicNetworkAccessDenied

However, if I run the same code locally while connected to our corporate VPN, it works without any issues.

Just to clarify, the private endpoint setup generally works as expected. For example:

I need to be connected to the VPN to even load items in the Synapse Studio.

Data exports from the serverless SQL pool to Power BI also work seamlessly through the private endpoint.

So, the private networking seems correctly configured and is functioning well for most services.

The issue arises only when trying to access the Synapse REST API from Spark notebooks.

How can I configure my environment to allow REST API calls from within Spark notebooks to route through the private endpoint as well?

Note: I need a solution where I don't have to use the Web activity in a pipeline

Deepanshukatara-6769 15,275 Reputation points

2025-04-24T06:57:24.5733333+00:00
Hello , Welcome to MS Q&A

To enable private access to an Azure Synapse workspace via REST calls using Managed Private Endpoints and Private DNS, you'll first configure a Managed Private Endpoint within your Synapse workspace, which creates a private IP address in your Managed Virtual Network. Then, you'll integrate this endpoint with a private DNS zone to ensure that your application uses the private IP for communication. This setup allows secure, private access to your Synapse workspace without exposing it to the public internet.

Here's a more detailed breakdown:

1. Enable Managed Virtual Network: If your Synapse workspace doesn't already have a Managed Virtual Network, ensure you enable it. This is a prerequisite for using Managed Private Endpoints.

2. Create a Managed Private Endpoint:

Open your Azure Synapse workspace in the Azure portal.

Navigate to the Managed private endpoints section within the Manage tab.

Create a new Managed private endpoint, specifying the target resource (e.g., Azure Storage, Azure Cosmos DB, etc.).

The endpoint will be assigned a private IP address within your Managed Virtual Network.

3. Configure Private DNS Integration:

In your Synapse workspace's settings, locate the "Private endpoint connections" section under "Security".

For each private endpoint connection, select "Integrate with private DNS zone" to link it to your existing or new private DNS zone.

This will ensure that your application uses the private IP address when resolving the FQDN of your Synapse workspace.

4. Update DNS settings:

You'll need to update your DNS settings to resolve the FQDN of your Synapse workspace to the private IP address of the Managed Private Endpoint.

This can be done using Private DNS Zones, Azure Private Resolver, or by modifying the host file (for testing).

5. Test the connection:

Use a REST client (like Postman or the curl command) to make requests to your Synapse workspace, ensuring that the connection is using the private IP address and DNS records.

Pls check this link for ref -->https://docs.azure.cn/en-us/synapse-analytics/security/how-to-connect-to-workspace-with-private-links

Kindly let us know if any further ques

Pls accept if it helps

Thanks

Deepanshu
Kartik Rana 21 Reputation points

2025-04-24T10:20:10.31+00:00

I think I need to clarify a bit. The issue isn't that I can't access the REST API through the private endpoint. I do have a private endpoint configured, and when I use Postman or python code from my local machine while connected to our corporate VPN, I can access the API without any problems. The issue only arises when I try to access the API from a Spark notebook inside Synapse, it throws an error saying, 'Public Access Disabled'.

Also, if I am connected to the corporate VPN and do

nslookup myworkspace.dev.azuresynapse.com in my laptop, it resolves to the proper private ip.

Edit: I am trying to access the same Synapse workspace through the REST API from within that Synapse environment itself.
Ganesh Gurram 6,460 Reputation points Microsoft External Staff

2025-04-28T01:12:12.6933333+00:00

@Kartik Rana

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Ruach Nephesh 0 Reputation points

2025-04-28T01:34:24.52+00:00

When Synapse is deployed with private endpoint and public network access disabled, the REST API must be accessed through a self-hosted integration runtime or from a compute that is also inside the same Virtual Network.

External internet access will not work.

You need to use a Virtual Network integrated client or private DNS resolution.

Although the Synapse workspace itself is private, Spark pools inside Synapse still reach out to the Synapse control plane (*.dev.azuresynapse.net) over public endpoints by design. When public network access is disabled, these calls are blocked even internally. Currently, the recommended solutions are to either use a self-hosted integration runtime inside the same Virtual Network, or route the API call through a Virtual Network-integrated service such as an Azure Function or Logic App. Direct REST API access from within Spark notebooks is not supported under these restrictions.

(Reference: Azure Synapse Analytics connectivity settings)
Kartik Rana 21 Reputation points

2025-04-28T10:18:39.9166667+00:00

I guess we can close this, since there's currently no way to do this from a notebook. I'll try to perform the operation using Logic Apps, as suggested.

Also, is this something that might be supported in the future?
Ganesh Gurram 6,460 Reputation points Microsoft External Staff

2025-04-29T01:06:40.2966667+00:00

@Kartik Rana

Is this something that might be supported in the future?

Appreciate if you could share the feedback on our feedback channel. Which would be open for the user community to upvote & comment on. This allows our product teams to effectively prioritize your request against our existing feature backlog and gives insight into the potential impact of implementing the suggested feature.

https://feedback.azure.com/d365community

Hope this helps!
Ganesh Gurram 6,460 Reputation points Microsoft External Staff

2025-04-30T04:27:34.55+00:00

@Kartik Rana

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Kartik Rana 21 Reputation points

2025-04-24T10:20:10.31+00:00

I think I need to clarify a bit. The issue isn't that I can't access the REST API through the private endpoint. I do have a private endpoint configured, and when I use Postman or python code from my local machine while connected to our corporate VPN, I can access the API without any problems. The issue only arises when I try to access the API from a Spark notebook inside Synapse, it throws an error saying, 'Public Access Disabled'.

Also, if I am connected to the corporate VPN and do

nslookup myworkspace.dev.azuresynapse.com in my laptop, it resolves to the proper private ip.

Edit: I am trying to access the same Synapse workspace through the REST API from within that Synapse environment itself.
Ganesh Gurram 6,460 Reputation points Microsoft External Staff

2025-04-28T01:12:12.6933333+00:00

@Kartik Rana

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Ruach Nephesh 0 Reputation points

2025-04-28T01:34:24.52+00:00

When Synapse is deployed with private endpoint and public network access disabled, the REST API must be accessed through a self-hosted integration runtime or from a compute that is also inside the same Virtual Network.

External internet access will not work.

You need to use a Virtual Network integrated client or private DNS resolution.

Although the Synapse workspace itself is private, Spark pools inside Synapse still reach out to the Synapse control plane (*.dev.azuresynapse.net) over public endpoints by design. When public network access is disabled, these calls are blocked even internally. Currently, the recommended solutions are to either use a self-hosted integration runtime inside the same Virtual Network, or route the API call through a Virtual Network-integrated service such as an Azure Function or Logic App. Direct REST API access from within Spark notebooks is not supported under these restrictions.

(Reference: Azure Synapse Analytics connectivity settings)
Kartik Rana 21 Reputation points

2025-04-28T10:18:39.9166667+00:00

I guess we can close this, since there's currently no way to do this from a notebook. I'll try to perform the operation using Logic Apps, as suggested.

Also, is this something that might be supported in the future?
Ganesh Gurram 6,460 Reputation points Microsoft External Staff

2025-04-29T01:06:40.2966667+00:00

@Kartik Rana

Is this something that might be supported in the future?

Appreciate if you could share the feedback on our feedback channel. Which would be open for the user community to upvote & comment on. This allows our product teams to effectively prioritize your request against our existing feature backlog and gives insight into the potential impact of implementing the suggested feature.

https://feedback.azure.com/d365community

Hope this helps!
Ganesh Gurram 6,460 Reputation points Microsoft External Staff

2025-04-30T04:27:34.55+00:00

@Kartik Rana

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

@Kartik Rana

According to this MS documentation: https://learn.microsoft.com/en-us/azure/synapse-analytics/security/connectivity-settings?tabs=workspace

"When Public network access is set to Disable, only connections from private endpoints are allowed. All connections from public endpoints will be denied with an error message similar to: PublicNetworkAccessDenied."

Based on your setup and the error message you're receiving, the behavior you're experiencing is expected and is documented in Azure Synapse Analytics connectivity settings.

When public network access is disabled on your Synapse workspace, only private endpoint traffic is allowed, and any requests made to public endpoints (including from Spark notebooks within the same workspace) are denied. This is why your REST API call from inside the Spark notebook fails with the PublicNetworkAccessDenied error.

Although the Spark notebook is running within the Synapse workspace, REST API calls to *.dev.azuresynapse.net (which is part of the control plane) are still routed through the public endpoint. Since public access is disabled, these calls are blocked.

Recommended approach:

Web Activity in Synapse Pipelines (preferred method) - Although you prefer not to use this, it's worth mentioning that this is the recommended and supported method for invoking REST APIs from within Synapse in a secure and private way.
Azure Function or Logic App (in same VNet) - Deploy a small Azure Function or Logic App within your private network. It can securely call the Synapse REST API using a managed identity and be triggered from your notebook or other services.

Unfortunately, calling the Synapse REST API directly from Spark notebooks in a workspace with public network access disabled is currently not supported due to these network routing restrictions.

For more details refer: https://learn.microsoft.com/en-us/azure/synapse-analytics/security/connectivity-settings?tabs=workspace

I hope this information helps.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Share via

How can I access the Synapse REST API from Spark notebooks in a Synapse workspace deployed with a private endpoint?

1 answer

Your answer