Connecting Synapse Analytics
Connect Azure Synapse Analytics to FreshGuard for monitoring.
Synapse Analytics requires a Professional plan or higher.
Authentication Methods
FreshGuard supports two authentication methods for Synapse Analytics. Choose based on how your Synapse workspace is configured.
SQL Authentication (default)
Use this when SQL logins are enabled on the workspace.
| Field | Description | Example |
|---|---|---|
| Server | Synapse SQL endpoint | myworkspace.sql.azuresynapse.net |
| Port | Port (default 1433) | 1433 |
| Database | SQL pool or database name | analytics_pool |
| Username | SQL login name | freshguard_reader |
| Password | Login password | — |
| Encrypt | Require encrypted connection | true |
Entra Service Principal
Use this when your Synapse workspace is in Entra-only mode (SQL authentication disabled). You will need an Entra app registration — see the Synapse: Read-Only Login guide for setup instructions.
| Field | Description | Example |
|---|---|---|
| Server | Synapse SQL endpoint | myworkspace.sql.azuresynapse.net |
| Port | Port (default 1433) | 1433 |
| Database | SQL pool or database name | analytics_pool |
| Auth type | Authentication method | Entra Service Principal |
| Tenant ID | Directory (tenant) ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Client ID | Application (client) ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Client Secret | Secret value | — |
| Encrypt | Require encrypted connection | true |
Setup Steps
- In the FreshGuard dashboard, go to Sources and click Add Source.
- Select Synapse Analytics.
- Enter the SQL endpoint and database (SQL pool) name.
- Select your authentication method and fill in the corresponding credentials.
- Leave Encrypt enabled — Synapse requires encrypted connections.
- Click Test Connection to verify access.
- Save.
Info: You can find the SQL endpoint in the Azure Portal under Synapse workspace > Overview > Dedicated SQL endpoint or Serverless SQL endpoint.
Dedicated vs Serverless SQL Pools
FreshGuard works with both Synapse pool types:
- Dedicated SQL pool: Always-on compute for production workloads. The pool must be running for FreshGuard to connect.
- Serverless SQL pool: On-demand compute that starts automatically when queries are executed. No pool management required.
Firewall Configuration
Synapse uses workspace-level firewall rules:
- In your FreshGuard dashboard, go to Settings → Network to find FreshGuard’s current outgoing IPs.
- In the Azure Portal, navigate to your Synapse workspace.
- Go to Networking (under Security).
- Add a firewall rule for each IP address.
Common Issues
Connection Refused
- Verify the firewall rules include FreshGuard’s IP addresses.
- Confirm the SQL endpoint is correct (dedicated and serverless pools have different endpoints).
- For dedicated pools, ensure the pool is in a Running state — paused pools reject connections.
Authentication Failed
SQL authentication: Ensure the login exists on the workspace (master database) and a corresponding user has been created in the target SQL pool or database with db_datareader access.
Entra Service Principal: Ensure a contained database user was created with CREATE USER [...] FROM EXTERNAL PROVIDER in the target SQL pool or database. Verify the Tenant ID, Client ID, and Client Secret are correct, and that the client secret has not expired.
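To check the points above from the database side, the following queries (an added example, not taken from FreshGuard's documentation) list the monitoring principal's role memberships and direct grants so that a missing user or an over-privileged one is visible at a glance. They assume the example username `freshguard_reader` from the table above; for an Entra service principal, substitute the name used in the CREATE USER statement.

```sql
-- Run while connected to the target SQL pool or database, not master.
-- 'freshguard_reader' is the example name from this page; replace as needed.

-- 1) Does the user exist here, and which database roles is it in?
--    Zero rows means no user was created in this database.
SELECT
    u.name      AS principal_name,
    u.type_desc AS principal_type,      -- SQL_USER or EXTERNAL_USER (Entra)
    r.name      AS role_name,
    CASE
        WHEN r.name IS NULL           THEN 'user exists but has no role membership'
        WHEN r.name = 'db_datareader' THEN 'expected'
        ELSE 'broader than read-only, review'
    END         AS assessment
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.name = N'freshguard_reader';

-- 2) Permissions granted or denied directly to the user, outside of roles.
--    CONNECT is given to every new database user; anything else on a
--    monitoring account deserves a look.
SELECT
    u.name            AS principal_name,
    p.class_desc      AS securable_class,
    p.permission_name,
    p.state_desc,
    CASE
        WHEN p.permission_name = 'CONNECT' AND p.state_desc = 'GRANT'
            THEN 'expected'
        ELSE 'review'
    END               AS assessment
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS u
  ON u.principal_id = p.grantee_principal_id
WHERE u.name = N'freshguard_reader';
```

A DENY CONNECT row in the second result explains an authentication failure even when the first result shows the expected `db_datareader` membership.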
Dedicated Pool Paused
If your dedicated SQL pool is paused, FreshGuard cannot connect. Resume the pool from the Azure Portal or set up auto-resume before configuring monitoring.
Recommended Setup
Create a dedicated read-only login for FreshGuard. See the Synapse: Read-Only Login guide for the exact T-SQL commands.