Azure Private Link

Azure Private Link provides private connectivity to Foundry by ensuring that access to Foundry goes through a private IP address. Note that Azure Private Link is a Microsoft service.

Traffic can flow from your non-Foundry virtual network (VNet) to the Foundry VNet over the Microsoft backbone network. Private Link traffic and open-internet traffic to Foundry are supported at the same time by configuring additional IP whitelists under Ingress Configuration in Control Panel.

  1. Share your Azure Subscription ID with your Palantir representative. You can find the Azure Subscription ID in your Azure Portal, as described in the Azure documentation for obtaining the Subscription ID.
  2. Palantir will provide you with your Foundry enrollment's Private Link Alias. The alias is usually of the following form: ingress-privatelink.<GUID>.<REGION>.azure.privatelinkservice.
  3. Create a new Private Endpoint in your Azure Portal. The steps below follow the Azure guide for creating a Private Endpoint.
  4. Choose Create new service, then select Private Endpoint, then select Create.
  5. Fill in the details of your resource group and name your private link, then select Next.
  6. Select Connect to an Azure resource by resource ID or alias, fill in the Foundry instance's Private Link Alias that you received from Palantir in step 2, then choose Next.
  7. Choose your virtual network and subnet. In most cases, the Network policy for private endpoints setting should be disabled; see the Azure documentation for more information about this setting. The Application security group can be left empty.
  8. In the DNS section, private DNS integration can be kept as "disabled" unless a private DNS Zone to be used with the endpoint has already been set up. Private DNS integration can also be set up later, after the private endpoint has been created.
  9. Tags can be optionally added if you use them in your Azure environment. After optionally adding tags, select Review + create.
  10. You should see a Validation passed message at the top of the screen. If so, review the configuration and select Create to begin the deployment process.
  11. You should see a "Deployment complete" message when the deployment is finished; after deployment is complete, select Go to resource.
  12. In the private link overview, select Settings > Properties, then copy the "Resource ID" field and send it back to your Palantir representative. For example, the resource ID may look like: /subscriptions/<SUBSCRIPTION_UUID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.Network/privateEndpoints/<PRIVATE_ENDPOINT_NAME>
  13. Create a DNS record that points the Foundry domain to the private link IP address. If needed, first create a Private DNS Zone in the resource group that contains the Private Link. Once created, it is shown in the DNS Zone view. More information can be found in the Azure documentation for private endpoint DNS integration.
  14. In the DNS zone, create an A-record pointing to the Private Link private IP (found in the Private Link's DNS configuration section). Note that you can leave the Name field empty if your DNS zone already contains the full Foundry domain (such as <your-enrollment>.palantirfoundry.com). Otherwise, add a subdomain prefix so that the record matches the full Foundry domain.
  15. (Conditional) If the Foundry domain is owned by you (meaning that the domain is not a Palantir-owned domain such as *.palantirfoundry.com), additional configuration is needed to route internal Foundry services through the endpoint as well; the steps are described in the documentation on customer-owned domain private links.
  16. Refresh and clear your browser cache, and all traffic from your Azure VNet to Foundry will be routed through the private link instead of the public internet.
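The following Python helper is an added example (not Palantir's or Microsoft's own tooling) for checking the values handled in steps 2, 12 and 14 before sending them on or creating records: it validates the alias shape, splits the private endpoint resource ID into its parts, derives the A-record Name from the Foundry domain and DNS zone, and confirms that the Foundry hostname resolves to an address inside your VNet ranges (the VNet CIDRs, domain and zone names below are assumed, constructed values).

```python
"""Sanity checks for the Foundry Private Link setup described above.
Added example, not part of the original page. Inputs assumed: the alias from
step 2, the resource ID from step 12, the DNS zone and Foundry domain from
step 14, and the address ranges of the VNet that hosts the private endpoint."""
import ipaddress
import re
import socket

# Alias shape from step 2: ingress-privatelink.<GUID>.<REGION>.azure.privatelinkservice
ALIAS_RE = re.compile(
    r"^ingress-privatelink\.[0-9a-f-]{36}\.[a-z0-9]+\.azure\.privatelinkservice$",
    re.IGNORECASE,
)
# Resource ID shape from step 12
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Network/privateEndpoints/(?P<endpoint>[^/]+)$",
    re.IGNORECASE,
)

def is_valid_alias(alias: str) -> bool:
    """True when the alias received from Palantir has the expected shape."""
    return ALIAS_RE.match(alias.strip()) is not None

def parse_private_endpoint_id(resource_id: str) -> dict:
    """Split the private endpoint resource ID into its parts; ValueError if malformed."""
    m = RESOURCE_ID_RE.match(resource_id.strip())
    if not m:
        raise ValueError(f"not a private endpoint resource ID: {resource_id}")
    return m.groupdict()

def a_record_name(foundry_domain: str, dns_zone: str) -> str:
    """Name for the step-14 A-record: '@' (empty Name) when the zone already is
    the full Foundry domain, otherwise the subdomain prefix relative to the zone."""
    domain = foundry_domain.lower().rstrip(".")
    zone = dns_zone.lower().rstrip(".")
    if domain == zone:
        return "@"
    if domain.endswith("." + zone):
        return domain[: -len(zone) - 1]
    raise ValueError(f"{foundry_domain} is not inside zone {dns_zone}")

def resolves_to_private_ip(ip: str, vnet_cidrs: list[str]) -> bool:
    """True when the resolved address lies in one of the VNet ranges, i.e. the
    record points at the private endpoint and not at the public Foundry IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in vnet_cidrs)

def check_foundry_resolution(foundry_domain: str, vnet_cidrs: list[str]) -> bool:
    """Resolve the Foundry domain from this host; run it from inside the VNet."""
    return resolves_to_private_ip(socket.gethostbyname(foundry_domain), vnet_cidrs)
```

Run check_foundry_resolution from a VM in the VNet after step 16; a public address in the result means the browser or resolver is still bypassing the private DNS zone.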

Traffic that occurs from Foundry to other Azure VNets can also be configured to be routed through the Azure backbone instead of the public internet, as long as both the Foundry instance's VNet and the target VNet are in the same Azure region.

Some Azure services support sending all traffic over the Azure backbone, without the extra Azure cost of a custom Private Link, by using Azure gateways. The Azure services currently supported are:

For private connectivity to all other Azure services or Azure VNets, an egress Private Link needs to be set up. Contact your Palantir representative for more information.