Documentation Experience Platform Destinations Guide

Private Link for Azure destinations

Last update: June 17, 2026

Topics:
Destinations

CREATED FOR:

Admin
User

Azure Private Link lets you route data exports from Adobe Experience Platform to your Azure resources over private IP addresses on the Microsoft Azure backbone, instead of over the public internet. Your activation data never traverses public infrastructure.

Adobe creates and manages a Private Endpoint in an Adobe-owned virtual network (VNet) that points to your Azure resource. When Azure brokers the connection request, you approve it from your Azure portal. After approval, all activation traffic for that resource routes through the private endpoint.

IMPORTANT

Azure Private Link for destinations has no self-service UI. To request setup, contact your Adobe account manager. Allow up to five business days for Adobe to provision the endpoint after you submit your request.

Supported destinations supported-destinations

Azure Private Link is supported for the following destinations:

Prerequisites prerequisites

Azure Private Link for destinations requires one of the following entitlements:

Adobe Healthcare Shield
Adobe Privacy & Security Shield

How Azure Private Link works how-it-works

Adobe Experience Platform maintains a dedicated Private Connectivity Hub VNet. When you request Private Link setup, Adobe provisions a Private Endpoint in this VNet that targets your Azure resource. Azure then brokers a pending approval request to you.

After you approve the request in your Azure portal, all existing and new destination dataflows for that resource route through the private endpoint over the Microsoft Azure backbone.

The private routing is transparent to your existing destination configuration in Experience Platform. You do not need to update hostnames, credentials, or any other destination settings after the Private Endpoint is approved.

If you disable Private Link, traffic is automatically routed through the public internet. Existing dataflows continue without interruption.

Guardrails guardrails

The following limits apply to Azure Private Link for destinations.

Guardrail

Limit

Production sandbox endpoints

Maximum of 10 endpoints per organization, across all Azure destination types (Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Event Hubs)

Development sandbox endpoints

Maximum of 1 endpoint per organization

Request Private Link setup request-setup

There is currently no UI that allows you to set up Private Link connections for destinations in a self-service mode. Contact your Adobe account manager to request Private Link configuration and provide the following information, depending on the destination that you are setting up the private link connection for.

Azure Event Hubs request-setup-event-hubs

Azure Resource ID of your Event Hubs namespace
The fully qualified domain name (FQDN) of your Event Hubs namespace (for example, <namespace>.servicebus.windows.net)
Azure region (align with your Experience Platform data region for best performance)

TIP

If you already have a Private Endpoint for Azure Event Hubs set up for an Experience Platform source, that endpoint can also be used for destinations. You do not need to provision a separate endpoint. See Private Link support for sources for more information.

Azure Blob Storage request-setup-blob

Azure Resource ID of your storage account
The fully qualified domain name (FQDN) of your storage account (for example, <account>.blob.core.windows.net)
Whether you need a Blob endpoint, a DFS endpoint, or both
Azure region (align with your Experience Platform data region for best performance)

Azure Data Lake Storage Gen2 request-setup-adls

Azure Resource ID of your storage account
The fully qualified domain name (FQDN) of your storage account (for example, <account>.dfs.core.windows.net)
Whether you need a Blob endpoint, a DFS endpoint, or both
Azure region (align with your Experience Platform data region for best performance)

Adobe creates the Private Endpoint and notifies you when the approval request is available in your Azure portal.

Approve the Private Endpoint approve-private-endpoint

After Adobe creates the Private Endpoint, a pending approval request appears in your Azure portal. To approve it:

In your Azure portal, go to the resource you shared with Adobe: your Event Hubs namespace, Blob Storage account, or Data Lake Storage Gen2 account.
In the left navigation, select Security + networking, then select Networking.
Select Private endpoints to see a list of private endpoints associated with your account and their current connection states.
Locate the pending connection from Adobe and select Approve.

The Azure portal showing a list of pending private endpoints awaiting approval.

Within minutes, all existing and new destination dataflows for that resource route over the private endpoint.

If you select Reject instead, data continues to flow over the public internet.

Best practices best-practices

Follow these recommendations to get the most out of Azure Private Link for destinations.

Do not create a dedicated VNet or open your network to Adobe. The Private Endpoint lives entirely in Adobe’s VNet.
Align your Azure resource region with your Experience Platform data region for best performance.
After the Private Endpoint is active, disable public network access to your Azure resource for full security benefit.

Limitations limitations

Be aware of the following constraints before requesting Azure Private Link setup.

Private Link is available for Azure destinations only. AWS and Google Cloud Platform destinations are not supported yet.
Configuration requires Adobe engineering involvement. Self-service provisioning is not currently available.

Azure resource deletion resource-deletion

When you delete the resource, the Private Endpoint becomes orphaned. An orphaned endpoint has a Disconnected status, cannot deliver data, and continues to incur charges on Adobe’s infrastructure. Contact Adobe before deleting any Azure resource that has an active Private Endpoint.

WARNING

Do not delete an Azure resource that has an active Private Endpoint without first notifying Adobe.

Adobe internal instructions: activate Private Link for a customer internal-activation

Adobe teams only. Expand for activation instructions.

To activate Private Link for a customer, clone Jira ticket PLATIR-64767 and populate it with the customer details collected by the account manager.

Required fields vary by destination type. Collect the following from the customer before cloning the ticket.

Azure Event Hubs

Azure Resource ID of the Event Hubs namespace
Namespace FQDN (for example, <namespace>.servicebus.windows.net)
Azure region
IMS Org ID

Azure Blob Storage

Azure Resource ID of the storage account
Storage account FQDN (for example, <account>.blob.core.windows.net)
Whether a Blob endpoint, a DFS endpoint, or both are needed
Azure region
IMS Org ID

Azure Data Lake Storage Gen2

Azure Resource ID of the storage account
Storage account FQDN (for example, <account>.dfs.core.windows.net)
Whether a Blob endpoint, a DFS endpoint, or both are needed
Azure region
IMS Org ID

After provisioning, notify the customer that the Private Endpoint approval request is available in their Azure portal.

recommendation-more-help

experience-platform-help-destinations