Callout policy
Your cluster can communicate with external services in many different scenarios. Cluster administrators can manage the authorized domains for external calls by updating the cluster’s callout policy.
Supported properties of a callout
A callout policy is composed of the following properties:
| Name | Type | Description |
|---|---|---|
| CalloutType | string | Defines the type of callout, and can be one of types listed in callout types. |
| CalloutUriRegex | string | Specifies the regular expression whose matches represent the domain of resources of the callout domain. |
| CanCall | bool | Whether the callout is permitted or denied external calls. |
Types of callout
Callout policies are managed at cluster-level and are classified into the following types:
| Callout policy type | Description |
|---|---|
| kusto | Controls cross-cluster queries. |
| sql | Controls the SQL plugin. |
| mysql | Controls the MySQL plugin. |
| postgresql | Controls the PostgreSql plugin. |
| azure_digital_twins | Controls the Azure Digital Twins plugin. |
| cosmosdb | Controls the Cosmos DB plugin. |
| sandbox_artifacts | Controls sandboxed plugins (python and R). |
| external_data | Controls access to external data through external tables or externaldata operator. |
| webapi | Controls access to http endpoints. |
| azure_openai | Controls calls to Azure OpenAI plugins such as the embedding plugin ai_embed_text plugin. |
Predefined callout policies
The following table shows a set of predefined callout policies that are preconfigured on your cluster to enable callouts to selected services:
| Service | Designation | Permitted domains |
|---|---|---|
| Kusto | Cross cluster queries | [a-z0-9]{3,22}\\.(\\w+\\.)?kusto(mfa)?\\.windows\\.net/?$ |
| Kusto | Cross cluster queries | `^https://[a-z0-9]{3,22}\.[a-z0-9-]{1,50}\.(kusto\.azuresynapse |
| Kusto | Cross cluster queries | `^https://([A-Za-z0-9]+\.)?(ade |
| Azure DB | SQL requests | [a-z0-9][a-z0-9\\-]{0,61}[a-z0-9]?\\.database\\.windows\\.net/?$ |
| Synapse Analytics | SQL requests | [a-z0-9-]{0,61}?(-ondemand)?\\.sql\\.azuresynapse(-dogfood)?\\.net/?$ |
| External Data | External data | .* |
| Azure Digital Twins | Azure Digital Twins | [A-Za-z0-9\\-]{3,63}\\.api\\.[A-Za-z0-9]+\\.digitaltwins\\.azure\\.net/?$ |
More predefined policies on your cluster may be observed with next query:
.show cluster policy callout
| where EntityType == 'Cluster immutable policy'
| project Policy
Remarks
If an external resource of a given type matches more than one policy defined for such type, and at least one of the matched policies has their CanCall property set to false, access to the resource is denied.
Related content
- .show cluster policy callout command
- .alter cluster policy callout command
- .alter-merge cluster policy callout command
- .delete cluster policy callout command
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.