Workspaces - Set Outbound Gateway Rules
Sets the gateway rules for a workspace that has Outbound Access Protection (OAP) enabled. This API lets workspace administrators define, replace, or override the outbound network communication policies that control which on-premises and VNet data gateways are allowed from the current workspace. This feature is currently in preview.
Note
This API is part of a Preview release and is provided for evaluation and development purposes only. It may change based on feedback and is not recommended for production use.
Note
Outbound access protection rules are only enforced if the workspace's network communication policy has outbound.publicAccessRules.defaultAction set to Deny. If OAP is not enabled on the workspace, the API call fails because outbound connections are not being restricted.
Note
This API uses the PUT method and overwrites all outbound access gateways for the workspace. If the request body contains only a partial policy, the remaining policy is set to its default value. Always run Get first and provide the full policy in the request body.
Permissions
The caller must have the admin workspace role.
Required Delegated Scopes
Workspace.ReadWrite.All
Microsoft Entra supported identities
This API supports the Microsoft identities listed in this section.
| Identity | Support |
|---|---|
| User | Yes |
| Service principal and Managed identities | Yes |
Interface
PUT https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/networking/communicationPolicy/outbound/gateways
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| workspaceId | path | True | string (uuid) | Unique identifier of the workspace to update. |
Request Body
| Name | Type | Description |
|---|---|---|
| allowedGateways | GatewayAccessRuleMetadata[] | A list of rules that define outbound access behavior for gateways. |
| defaultAction | GatewayAccessActionType | Defines the default behavior for all gateways that are not explicitly listed in the allowed list array. If set to "Allow", all unspecified gateways are permitted by default. If set to "Deny", all unspecified gateways are blocked. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | | Request completed successfully. Headers: ETag: string |
| Other Status Codes | ErrorResponse | Common error codes: |
Examples
Set workspace outbound access protection gateway rules example
Sample request
```http
PUT https://api.fabric.microsoft.com/v1/workspaces/47482db6-4583-4672-86dd-999d0f8f4d7a/networking/communicationPolicy/outbound/gateways
```

```json
{
  "defaultAction": "Deny",
  "allowedGateways": [
    {
      "id": "91c5ae74-e82d-4dd3-bfeb-6b1814030123"
    },
    {
      "id": "25bac802-080d-4f73-8a42-1b406eb1fceb"
    }
  ]
}
```
Sample response
```http
ETag: 0f8fad5b-d9cb-469f-a165-70867728950e
```
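Because the PUT overwrites the whole gateway policy, a safe change is a read-merge-write. The sketch below is an added example, not code from the original page or from Microsoft: it assumes the current rules can be read with GET on the same URL in the same shape as the request body, and the function names are hypothetical.

```python
import json
import urllib.request
import uuid

BASE = "https://api.fabric.microsoft.com/v1/workspaces"
PATH = "networking/communicationPolicy/outbound/gateways"


def merge_gateway_policy(current, add=(), remove=(), default_action=None):
    """Return a complete PUT body built from the policy a prior GET returned."""
    action = default_action or current.get("defaultAction")
    if action not in ("Allow", "Deny"):
        raise ValueError(f"defaultAction must be 'Allow' or 'Deny', got {action!r}")
    # Normalise every ID through uuid.UUID so malformed values fail before the PUT.
    drop = {str(uuid.UUID(g)) for g in remove}
    ids = [str(uuid.UUID(g["id"])) for g in current.get("allowedGateways", [])]
    ids += [str(uuid.UUID(g)) for g in add]
    kept = []
    for gid in ids:
        if gid not in drop and gid not in kept:
            kept.append(gid)
    # Both fields are always sent: a partial body resets the omitted part.
    return {"defaultAction": action, "allowedGateways": [{"id": g} for g in kept]}


def _call(method, url, token, body=None):
    # Minimal authenticated JSON request; returns (ETag header, parsed body or None).
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.headers.get("ETag"), (json.loads(raw) if raw else None)


def update_gateways(token, workspace_id, add=(), remove=()):
    """GET the current rules, merge the change, PUT the full policy back."""
    url = f"{BASE}/{uuid.UUID(workspace_id)}/{PATH}"
    _, current = _call("GET", url, token)  # assumption: GET on the same URL
    body = merge_gateway_policy(current or {}, add, remove)
    etag, _ = _call("PUT", url, token, body)
    return etag, body
```

`merge_gateway_policy` refuses to build a body when the existing policy carries no `defaultAction`, so an empty or failed read cannot turn into a PUT that silently resets the default.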
Definitions
| Name | Description |
|---|---|
| ErrorRelatedResource | The error related resource details object. |
| ErrorResponse | The error response. |
| ErrorResponseDetails | The error response details. |
| GatewayAccessActionType | Defines the access control behavior for outbound gateways. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and gateway-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional gateway access action types may be added over time. |
| GatewayAccessRuleMetadata | Represents a gateway that is allowed for outbound communication. This object is used within the allowedGateways to explicitly authorize outbound access. |
| WorkspaceOutboundGateways | Represents the complete set of gateway outbound access protection rules configured for a workspace as part of its networking communication policy. This object defines the gateway rules that govern outbound communication. |
ErrorRelatedResource
The error related resource details object.
| Name | Type | Description |
|---|---|---|
| resourceId | string | The resource ID that's involved in the error. |
| resourceType | string | The type of the resource that's involved in the error. |
ErrorResponse
The error response.
| Name | Type | Description |
|---|---|---|
| errorCode | string | A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| message | string | A human readable representation of the error. |
| moreDetails | ErrorResponseDetails[] | List of additional error details. |
| relatedResource | ErrorRelatedResource | The error related resource details. |
| requestId | string | ID of the request associated with the error. |
ErrorResponseDetails
The error response details.
| Name | Type | Description |
|---|---|---|
| errorCode | string | A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users. |
| message | string | A human readable representation of the error. |
| relatedResource | ErrorRelatedResource | The error related resource details. |
GatewayAccessActionType
Defines the access control behavior for outbound gateways. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and gateway-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional gateway access action types may be added over time.
| Value | Description |
|---|---|
| Allow | Permits outbound gateways. When used as a default action, all gateways are allowed. |
| Deny | Blocks outbound gateways. When used as a default action, all gateways are denied unless explicitly allowed. |
GatewayAccessRuleMetadata
Represents a gateway that is allowed for outbound communication. This object is used within the allowedGateways to explicitly authorize outbound access.
| Name | Type | Description |
|---|---|---|
| id | string (uuid) | Gateway Id to be allowed. |
WorkspaceOutboundGateways
Represents the complete set of gateway outbound access protection rules configured for a workspace as part of its networking communication policy. This object defines the gateway rules that govern outbound communication.
| Name | Type | Description |
|---|---|---|
| allowedGateways | GatewayAccessRuleMetadata[] | A list of rules that define outbound access behavior for gateways. |
| defaultAction | GatewayAccessActionType | Defines the default behavior for all gateways that are not explicitly listed in the allowed list array. If set to "Allow", all unspecified gateways are permitted by default. If set to "Deny", all unspecified gateways are blocked. |