Microsoft Fabric Network Performance remediate

Systematic toolkit for diagnosing and resolving network performance issues across Microsoft Fabric workloads including Spark, OneLake, Data Warehouse, Pipelines, and Dataflows.

When to Use This Skill

• Fabric Spark sessions take longer than expected to start (>10 seconds)
• Connection timeouts to external data sources from notebooks or pipelines
• Managed private endpoint status shows Pending or Failed
• DNS resolution returns public IPs instead of private IPs
• Outbound access protection blocks required dependencies (PyPI, Conda)
• On-premises data gateway connectivity failures
• OneLake API calls returning 403 or timeout errors
• Capacity throttling errors (HTTP 430)
• Dataflow Gen2 staging failures behind firewalls
• Cross-workspace environment attachment failures due to network mismatch

Prerequisites

• PowerShell 7+ with Az module installed (Install-Module Az -Scope CurrentUser)
• Fabric Admin or Workspace Admin role for network configuration changes
• Azure portal access for Private Link Service and DNS zone management
• Network access to run nslookup, Test-NetConnection, and Resolve-DnsName

Step-by-Step Workflows

Workflow 1: Diagnose Spark Session Startup Delays

Spark startup times vary based on networking configuration. Consult the reference table:

Run the diagnostic script for automated assessment:

.\scripts\Test-FabricNetworkHealth.ps1 -WorkspaceId "<workspace-id>" -CheckType SparkStartup

When Private Links or Managed VNets are enabled, Starter Pools are unavailable and Fabric must create clusters on demand, adding 2-5 minutes to session start time.

Workflow 2: Validate Managed Private Endpoint Connectivity

1. Navigate to Fabric workspace Settings > Network security
2. Under Managed private endpoints, verify Status shows Approved
3. If Pending or Failed, see private-endpoint-remediate.md
4. Validate DNS routing from a Fabric Notebook:

nslookup sqlserver.corp.contoso.com

Confirm the returned IP is a private range (10.x.x.x or 172.x.x.x), not public.

5. Run the automated validation:

.\scripts\Test-FabricNetworkHealth.ps1 -WorkspaceId "<workspace-id>" -CheckType PrivateEndpoint

Workflow 3: Configure Firewall Allowlisting

Fabric requires specific endpoints and service tags. Run the firewall audit script:

.\scripts\Test-FabricNetworkHealth.ps1 -CheckType FirewallEndpoints

For the complete endpoint reference, see firewall-endpoints.md.

Key service tags for Azure Firewall / NSG rules:

Workflow 4: Troubleshoot Outbound Access Protection

When outbound access protection is enabled, public repositories (PyPI, Conda) are blocked. To install libraries in secured environments:

1. Prepare a requirements.txt on a machine with internet access
2. Download packages and dependencies using pip:

pip download -r requirements.txt -d ./packages

3. Upload packages as custom libraries in the Fabric Environment
4. See outbound-access-guide.md for detailed steps

Workflow 5: Resolve Capacity Throttling (HTTP 430)

When all Spark VCores are consumed, new jobs receive HTTP 430 errors. Formula: 1 Capacity Unit = 2 Spark VCores.

1. Check current utilization in the Monitoring Hub
2. Cancel idle or stuck Spark sessions
3. Consider upgrading capacity SKU if sustained
4. Enable queueing for pipeline and Spark Job Definition workloads

For queue limits by SKU, see capacity-throttling.md.

remediate Quick Reference

References

• Private Endpoint remediate
• Firewall Endpoints and Allowlist
• Outbound Access Protection Guide
• Capacity Throttling and Queue Limits
• Diagnostic Report Template