
Workspaces - Set Outbound Gateway Rules

Sets the gateway rules for the workspace enabled with Outbound Access Protection (OAP).
This API enables workspace administrators to define, replace, or override the set of outbound network communication policies that control which on-premises and VNet data gateways are allowed from the current workspace.

Note

Outbound access protection rules are only enforced if the workspace’s network communication policy has outbound.publicAccessRules.defaultAction set to Deny. If OAP is not enabled on the workspace, the API fails because outbound connections are not restricted.

Note

This API uses the PUT method and overwrites all outbound access gateways for the workspace. Always call the Get Gateway Rules operation first and provide the full policy in the request body.

Note

If defaultAction is omitted from the request body, it defaults to Allow, which may unintentionally permit all outbound gateway connections. Always explicitly specify defaultAction in every PUT request body.

Permissions

The caller must have the admin workspace role.

Required Delegated Scopes

Workspace.ReadWrite.All

Microsoft Entra supported identities

This API supports the Microsoft identities listed in this section.

Identity Support
User Yes
Service principal and Managed identities Yes

Interface

PUT https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/networking/communicationPolicy/outbound/gateways

URI Parameters

Name In Required Type Description
workspaceId path True string (uuid) Unique identifier of the workspace to update.

Request Body

Name Type Description
allowedGateways GatewayAccessRuleMetadata[] A list of rules that define outbound access behavior for gateways.
defaultAction GatewayAccessActionType Defines the default behavior for all gateways that are not explicitly listed in the allowed list array. If set to "Allow", all unspecified gateways are permitted by default. If set to "Deny", all unspecified gateways are blocked. If omitted from a PUT request body, this field defaults to Allow, which may unintentionally permit all outbound gateway connections. Always explicitly specify this field in every PUT request body.

Responses

Name Type Description
200 OK Request completed successfully. Headers: ETag: string
429 Too Many Requests ErrorResponse The service rate limit was exceeded. The server returns a Retry-After header indicating, in seconds, how long the client must wait before sending additional requests. Headers: Retry-After: integer
Other Status Codes ErrorResponse Common error codes: UnknownError - An error occurred.

Examples

Set workspace outbound access protection gateway rules example

Sample request

PUT https://api.fabric.microsoft.com/v1/workspaces/47482db6-4583-4672-86dd-999d0f8f4d7a/networking/communicationPolicy/outbound/gateways

{
  "defaultAction": "Deny",
  "allowedGateways": [
    {
      "id": "91c5ae74-e82d-4dd3-bfeb-6b1814030123"
    },
    {
      "id": "25bac802-080d-4f73-8a42-1b406eb1fceb"
    }
  ]
}

Sample response

ETag: 0f8fad5b-d9cb-469f-a165-70867728950e
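
The two PUT pitfalls noted on this page (the request overwrites the whole gateway list, and an omitted defaultAction becomes Allow) can be checked before the request is sent. The following is an added example, not Microsoft's code: build_put_body, review_change and the NEW_GATEWAY id are hypothetical names and a constructed value, and CURRENT stands in for the Get Gateway Rules response using this page's sample body.

```python
import uuid

# GatewayAccessActionType values documented on this page; the page notes more may be added.
KNOWN_ACTIONS = {"Allow", "Deny"}

# Current policy as Get Gateway Rules would return it (this page's sample body).
CURRENT = {
    "defaultAction": "Deny",
    "allowedGateways": [
        {"id": "91c5ae74-e82d-4dd3-bfeb-6b1814030123"},
        {"id": "25bac802-080d-4f73-8a42-1b406eb1fceb"},
    ],
}
NEW_GATEWAY = "11111111-2222-3333-4444-555555555555"  # constructed sample id


def build_put_body(current, add=(), remove=(), default_action=None):
    """Return the complete PUT body: current rules plus changes, defaultAction explicit."""
    action = default_action or current.get("defaultAction")
    if action not in KNOWN_ACTIONS:
        raise ValueError("defaultAction must be stated explicitly as Allow or Deny")
    # uuid.UUID rejects malformed ids locally and normalises case.
    ids = {str(uuid.UUID(g["id"])) for g in current.get("allowedGateways", [])}
    ids |= {str(uuid.UUID(i)) for i in add}
    ids -= {str(uuid.UUID(i)) for i in remove}
    return {"defaultAction": action, "allowedGateways": [{"id": i} for i in sorted(ids)]}


def review_change(current, proposed):
    """List the effects of sending `proposed`, given that PUT overwrites the whole policy."""
    findings = []
    if "defaultAction" not in proposed:
        findings.append("defaultAction omitted: defaults to Allow")
    elif proposed["defaultAction"] == "Allow":
        findings.append("defaultAction is Allow: unlisted gateways are permitted")
    before = {g["id"].lower() for g in current.get("allowedGateways", [])}
    after = {g["id"].lower() for g in proposed.get("allowedGateways", [])}
    findings += [f"gateway {g} would be removed" for g in sorted(before - after)]
    findings += [f"gateway {g} would be added" for g in sorted(after - before)]
    return findings


if __name__ == "__main__":
    naive = {"allowedGateways": [{"id": NEW_GATEWAY}]}  # only the new rule, no defaultAction
    print(review_change(CURRENT, naive))
    print(review_change(CURRENT, build_put_body(CURRENT, add=[NEW_GATEWAY])))
```

Sending only the new rule would drop both existing gateways and flip the default to Allow; the merged body changes nothing except the one addition.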

Definitions

Name Description
ErrorRelatedResource The error related resource details object.
ErrorResponse The error response.
ErrorResponseDetails The error response details.
GatewayAccessActionType Defines the access control behavior for outbound gateways. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and gateway-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional gateway access action types may be added over time.
GatewayAccessRuleMetadata Represents a gateway that is allowed for outbound communication. This object is used within the allowedGateways to explicitly authorize outbound access.
WorkspaceOutboundGateways Represents the complete set of gateway outbound access protection rules configured for a workspace as part of its networking communication policy. This object defines the gateway rules that govern outbound communication.

ErrorRelatedResource

The error related resource details object.

Name Type Description
resourceId string The resource ID that's involved in the error.
resourceType string The type of the resource that's involved in the error.

ErrorResponse

The error response.

Name Type Description
errorCode string A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users.
isRetriable boolean When true, the request can be retried. Use the Retry-After response header to determine the delay, if available.
message string A human readable representation of the error.
moreDetails ErrorResponseDetails[] List of additional error details.
relatedResource ErrorRelatedResource The error related resource details.
requestId string (uuid) ID of the request associated with the error.

ErrorResponseDetails

The error response details.

Name Type Description
errorCode string A specific identifier that provides information about an error condition, allowing for standardized communication between our service and its users.
message string A human readable representation of the error.
relatedResource ErrorRelatedResource The error related resource details.

GatewayAccessActionType

Defines the access control behavior for outbound gateways. This enum is used for the field defaultAction to specify whether outbound communication should be allowed or denied by default. This type enables both global and gateway-specific control over outbound access, helping enforce secure and predictable network communication policies. Additional gateway access action types may be added over time.

Value Description
Allow Permits outbound gateways. When used as a default action, all gateways are allowed.
Deny Blocks outbound gateways. When used as a default action, all gateways are denied unless explicitly allowed.

GatewayAccessRuleMetadata

Represents a gateway that is allowed for outbound communication. This object is used within the allowedGateways to explicitly authorize outbound access.

Name Type Description
id string (uuid) Gateway ID to be allowed.

WorkspaceOutboundGateways

Represents the complete set of gateway outbound access protection rules configured for a workspace as part of its networking communication policy. This object defines the gateway rules that govern outbound communication.

Name Type Description
allowedGateways GatewayAccessRuleMetadata[] A list of rules that define outbound access behavior for gateways.
defaultAction GatewayAccessActionType Defines the default behavior for all gateways that are not explicitly listed in the allowed list array. If set to "Allow", all unspecified gateways are permitted by default. If set to "Deny", all unspecified gateways are blocked. If omitted from a PUT request body, this field defaults to Allow, which may unintentionally permit all outbound gateway connections. Always explicitly specify this field in every PUT request body.