Managed VNET Synapse Analytics Serverless Spark Unable to connect to Private VNET Service Bus

Question

Managed VNET Synapse Analytics Serverless Spark Unable to connect to Private VNET Service Bus

Vairamani Annamalai 35

i have created a service bus with private endpoint and trying to connect in azure synapse but facing issue like"Caused by: com.azure.core.amqp.exception.AmqpException: status-code: 401, status-description: Ip has been prevented to connect to the endpoint.

Suppressed: java.lang.Exception: #block terminated with an error at reactor.core.publisher.BlockingSingleSubscriber.blockingGet(BlockingSingleSubscriber.java:141) at reactor.core.publisher.Mono.block(Mono.java:1766) at com.azure.messaging.servicebus.ServiceBusSenderClient.sendMessage(ServiceBusSenderClient.java:266) at com.p3.ingestion.aure.AzureServiceBusSender$.main(AzureServiceBusSender.scala:66) at com.p3.ingestion.aure.AzureServiceBusSender.main(AzureServiceBusSender.scala) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.apache.spark.deploy.yarn.ApplicationMaster$$anon$2.run(ApplicationMaster.scala:760) Caused by: com.azure.core.amqp.exception.AmqpException: status-code: 401, status-description: Ip has been prevented to connect to the endpoint. For more information see: Virtual Network service endpoints: Event Hubs: https://go.microsoft.com/fwlink/?linkid=2044192 Service Bus: https://go.microsoft.com/fwlink/?linkid=2044235 IP Filters: Event Hubs: https://go.microsoft.com/fwlink/?linkid=2044428

Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-07-17T10:42:36.07+00:00

Hello Vairamani Annamalai •,

You have created a service bus with private endpoint and trying to connect in azure synapse but facing issue like"Caused by: com.azure.core.amqp.exception.AmqpException: status-code: 401, status-description: Ip has been prevented to connect to the endpoint.

As discussed offline, the system functions correctly when public access is enabled, but encounters issues when public access is disabled.
Vairamani Annamalai 35 Reputation points

2025-07-17T11:10:50.5433333+00:00

That's correct, We dont have issues when we keep service bus "publicly accessible" , when we have them enabled private - we have challenges, thanks for raising the support request and we are working with them

Accepted answer

1 additional answer

Your answer

Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-07-17T10:42:36.07+00:00

Hello Vairamani Annamalai •,

You have created a service bus with private endpoint and trying to connect in azure synapse but facing issue like"Caused by: com.azure.core.amqp.exception.AmqpException: status-code: 401, status-description: Ip has been prevented to connect to the endpoint.

As discussed offline, the system functions correctly when public access is enabled, but encounters issues when public access is disabled.
Vairamani Annamalai 35 Reputation points

2025-07-17T11:10:50.5433333+00:00

That's correct, We dont have issues when we keep service bus "publicly accessible" , when we have them enabled private - we have challenges, thanks for raising the support request and we are working with them

Answer 1

Deepanshu katara 17,255 MVP Moderator

Hello , Welcome to MS Q&A

Checklist to Resolve the Issue

Private Endpoint DNS Resolution

Ensure that your Synapse workspace can resolve the private endpoint DNS of the Service Bus. You may need to:

Configure a private DNS zone for privatelink.servicebus.windows.net.
Link this DNS zone to the virtual network used by Synapse.
Ensure the Service Bus namespace is correctly mapped in the DNS zone.

Virtual Network Integration

Check that:

Your Azure Synapse Managed VNET is enabled.
The private endpoint for the Service Bus is in the same VNET or peered VNET as Synapse.
Network rules on the Service Bus allow traffic from the Synapse subnet.

IP Firewall Rules on Service Bus

Even with a private endpoint, if IP filtering is enabled, it might block traffic:

Go to the Service Bus namespace → Networking → Firewalls and virtual networks.
Ensure “Allow trusted Microsoft services to bypass this firewall” is enabled.
Ensure your Synapse workspace's outbound IPs are allowed (if not using managed VNET).

Authentication

A 401 error can also indicate authentication failure:

Ensure the Synapse workspace or Spark job is using a valid Azure AD token or connection string with proper rights.
If using Managed Identity, ensure it has the "Azure Service Bus Data Sender" role on the Service Bus namespace.

Pls let me know if any further ques

Thanks

Deepanshu

Vairamani Annamalai 35 Reputation points

2025-07-17T06:58:48.4966667+00:00

As this VNET is managed by Azure backbone - Except the below step evertything we have done

Link this DNS zone to the virtual network used by Synapse.

Kindly guide
Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-07-17T08:23:55.3+00:00

Hello Vairamani Annamalai •,

Could you please check the private message and provide the required details for troubleshooting the issue further.

Here is the reference link on how to access & data retention policy of private messages in Microsoft Q&A.
Vairamani Annamalai 35 Reputation points

2025-07-22T05:29:45.4266667+00:00

Thanks for raising an incident to follow up further on Private connectivity issue

Answer 2

Vairamani Annamalai 35

As per the ticket created with microsft

To create a private network connection between Azure Synapse Analytics and other Azure resources, you must use Managed Private Endpoints within a Managed Virtual Network (Managed VNet).

However, Synapse Analytics supports Managed Private Endpoints only for a limited set of Azure services. As it doesn't support the service bus it's not possible to access service bus privately.

Share via

Managed VNET Synapse Analytics Serverless Spark Unable to connect to Private VNET Service Bus

1 additional answer

Your answer