When creating a new Azure Synapse workspace, exfiltration protection can be enabled. This will use a managed virtual network and private endpoints to the dedicated SQL pools so that only authorized access is allowed. Disallowing public access is typically considered best practice, and this will provide an extra level of security.
Because the Data Exfiltration feature requires a managed virtual network, the workspace Data Exfiltration settings cannot be changed after the workspace is created; a new resource must be created to enable the function. To do so, follow the steps below.
In Azure Console -
In Terraform -
References:
https://learn.microsoft.com/en-us/azure/synapse-analytics/security/workspace-data-exfiltration-protection
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace#data_exfiltration_protection_enabled