Description
We are using FinOps Hubs Toolkit v0.12 in an Azure environment where Private Endpoints are enforced for all PaaS services.
The solution is deployed according to the official FinOps Hubs documentation and functions correctly when pipelines are triggered manually. However, the automatic ingestion does not start after Azure Cost Management exports are written to the Storage Account.
Expected behavior
When new cost export files are written to the FinOps Hubs Storage Account, the Event Grid trigger should fire and automatically start the Azure Data Factory ingestion pipelines.
Actual behavior
Cost exports are successfully written to the Storage Account
No Event Grid event is delivered
ADF pipelines are not triggered automatically
Manually starting the pipelines works without issues
Root cause analysis
After investigation, we identified that:
The Storage Account uses Private Endpoints only
Public network access is disabled
Azure Event Grid cannot deliver events from Storage Accounts that are only accessible via Private Endpoints
This appears to be an Azure Event Grid / Storage platform limitation, not a misconfiguration of FinOps Hubs.
Environment
FinOps Hubs Toolkit version: 0.12
Azure Data Factory: Managed VNet + Private Endpoints
Storage Account:
Private Endpoint enabled
Public network access disabled
Event Grid: System Topic on Storage Account
Impact
This prevents using FinOps Hubs in a fully private / zero public exposure architecture when relying on the default event-driven ingestion mechanism.
Workarounds identified
Enable public network access on the Storage Account (restricted to trusted Microsoft services) - Currently not accepted by Security department
Replace Event Grid triggers with scheduled / polling-based ADF pipelines - We are currently trying to get this up and running
Question / request
Is there a recommended architecture for running FinOps Hubs fully behind Private Endpoints?
Are there plans to support Event Grid + Storage system topics over Private Link in future versions?
Is there already a schedule-based trigger for the ADF pipelines?
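The second workaround above (replacing the Event Grid trigger with a schedule) can be expressed as an ADF ScheduleTrigger definition. The block below is an added example, not code from the FinOps Hubs project or from the issue author. The trigger name, the hourly interval and the pipeline name `msexports_PollAndIngest` are assumptions; the idea is that a polling pipeline under that name receives a time window and enumerates exports written inside it, since a schedule trigger does not carry the `folderPath` / `fileName` values that the Event Grid trigger passes via `@triggerBody()`.

```json
{
  "name": "msexports_HourlySchedule",
  "properties": {
    "type": "ScheduleTrigger",
    "description": "Added example (assumed trigger name, interval and pipeline name): polls for new Cost Management exports on a schedule instead of relying on an Event Grid system topic.",
    "typeProperties": {
      "recurrence": {
        "frequency": "Hour",
        "interval": 1,
        "startTime": "2024-01-01T00:00:00Z",
        "timeZone": "UTC"
      }
    },
    "pipelines": [
      {
        "pipelineReference": {
          "referenceName": "msexports_PollAndIngest",
          "type": "PipelineReference"
        },
        "parameters": {
          "windowStart": "@{formatDateTime(addHours(trigger().scheduledTime, -1), 'o')}",
          "windowEnd": "@{formatDateTime(trigger().scheduledTime, 'o')}"
        }
      }
    ]
  }
}
```

The assumed `msexports_PollAndIngest` pipeline would use a Get Metadata activity (through the managed VNet integration runtime and its managed private endpoint to the Storage Account, which this environment already has) to list manifests in the export container, keep those modified between `windowStart` and `windowEnd`, and call the existing ingestion pipeline once per file. Because every run re-lists the container, the ingestion pipeline should remain idempotent so that an export seen twice across overlapping windows is not loaded twice. The trigger can be deployed with `az datafactory trigger create --properties @<file>` and then started with `az datafactory trigger start`.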