Workspaces - Get Outbound Gateway Rules
Returns the gateway rules for the workspace enabled with Outbound Access Protection (OAP). This API is designed to help workspace administrators view the effective outbound network communication policies that are enforced for On-prem and Vnet Data gateways. Outbound access protection gateway rules are only returned and applied if the workspace’s network communication policy has outbound.publicAccessRules.defaultAction set to Deny. If OAP is not enabled on workspace, API fails as outbound connections are not being restricted. This feature is currently in preview.
Note
This API is part of a Preview release and is provided for evaluation and development purposes only. It may change based on feedback and is not recommended for production use.
Permissions
The caller must have viewer or higher workspace role.
Required Delegated Scopes
Workspace.Read.All or Workspace.ReadWrite.All
Microsoft Entra supported identities
This API supports the Microsoft identities listed in this section.
| Identity | Support |
|---|---|
| User | Yes |
| Service principal and Managed identities | Yes |
Interface
GET https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/networking/communicationPolicy/outbound/gatewaysURI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
workspace
|
path | True |
string (uuid) |
Unique identifier of the workspace whose outbound rules are being queried. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
Request completed successfully. Headers ETag: string |
|
| Other Status Codes |
Common error codes:
|
Examples
Get workspace outbound access protection gateway rule for example
Sample request
GET https://api.fabric.microsoft.com/v1/workspaces/47482db6-4583-4672-86dd-999d0f8f4d7a/networking/communicationPolicy/outbound/gateways
Sample response
ETag: 0f8fad5b-d9cb-469f-a165-70867728950e{
"defaultAction": "Deny",
"allowedGateways": [
{
"id": "91c5ae74-e82d-4dd3-bfeb-6b1814030123"
}
]
}Definitions
| Name | Description |
|---|---|
|
Error |
The error related resource details object. |
|
Error |
The error response. |
|
Error |
The error response details. |
|
Gateway |
Defines the access control behavior for outbound gateways. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and gateway-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional gateway access action types may be added over time. |
|
Gateway |
Represents a gateway that is allowed for outbound communication. This object is used within the allowedGateways to explicitly authorize outbound access. |
|
Workspace |
Represents the complete set of gateway outbound access protection rules configured for a workspace as part of its networking communication policy. This object defines the gateway rules that govern outbound communication |
ErrorRelatedResource
The error related resource details object.
| Name | Type | Description |
|---|---|---|
| resourceId |
string |
The resource ID that's involved in the error. |
| resourceType |
string |
The type of the resource that's involved in the error. |
ErrorResponse
The error response.
| Name | Type | Description |
|---|---|---|
| errorCode |
string |
A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| message |
string |
A human readable representation of the error. |
| moreDetails |
List of additional error details. |
|
| relatedResource |
The error related resource details. |
|
| requestId |
string |
ID of the request associated with the error. |
ErrorResponseDetails
The error response details.
| Name | Type | Description |
|---|---|---|
| errorCode |
string |
A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| message |
string |
A human readable representation of the error. |
| relatedResource |
The error related resource details. |
GatewayAccessActionType
Defines the access control behavior for outbound gateways. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and gateway-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional gateway access action types may be added over time.
| Value | Description |
|---|---|
| Allow |
Permits outbound gateways. When used as a default action, all gateways are allowed. |
| Deny |
Blocks outbound gateways. When used as a default action, all gateways are denied unless explicitly allowed. |
GatewayAccessRuleMetadata
Represents a gateway that is allowed for outbound communication. This object is used within the allowedGateways to explicitly authorize outbound access.
| Name | Type | Description |
|---|---|---|
| id |
string (uuid) |
Gateway Id to be allowed. |
WorkspaceOutboundGateways
Represents the complete set of gateway outbound access protection rules configured for a workspace as part of its networking communication policy. This object defines the gateway rules that govern outbound communication
| Name | Type | Description |
|---|---|---|
| allowedGateways |
A list of rules that define outbound access behavior for gateways. |
|
| defaultAction |
Defines the default behavior for all gateways that are not explicitly listed in the allowed list array. If set to "Allow", all unspecified gateways are permitted by default. If set to "Deny", all unspecified gateways are blocked. |