Real-Time Intelligence · Microsoft Fabric

Eventstream in Fabric: Complete 2026 Production Guide

Q: What is Eventstream in Microsoft Fabric?

Eventstream in Microsoft Fabric is a no-code, real-time data ingestion and transformation service that captures events from sources like Azure Event Hubs, Kafka, IoT Hub, MQTT brokers, and HTTP endpoints, applies lightweight transformations such as filtering, aggregation, and joins, then routes results to destinations including Eventhouse (KQL), Lakehouse, Service Bus, and custom endpoints. All infrastructure is fully managed and scales automatically.

Q: What is the difference between Direct Ingestion and Event Processing in Eventstream?

Direct Ingestion streams raw events straight to an Eventhouse KQL database without applying transformations. It provides the lowest latency and lowest processing cost, but stores raw unprocessed data. Event Processing applies transformations — filtering, aggregation, joins — before data lands in the destination. Use Direct Ingestion when you want all events archived as-is and prefer to query with KQL. Use Event Processing when you need to reduce data volume, enrich records, or route based on content before storing.

Q: What is DeltaFlow in Fabric Eventstream?

DeltaFlow (Preview) is a connector introduced in Q1 2026 that allows Eventstream to ingest CDC (Change Data Capture) events directly from operational databases like Azure SQL and PostgreSQL. It streams row-level inserts, updates, and deletes as they happen into Fabric Eventstreams, enabling real-time downstream processing without building custom polling or CDC pipelines.

Q: Does Eventstream support private network and VNet sources?

Yes. As of Q1 2026, Eventstream supports private network connectivity using an Azure Managed Virtual Network as an intermediary bridge. Sources in VNets connected via VPN, ExpressRoute, private endpoints, or peering can now be reached securely. A streaming virtual network data gateway experience in Fabric manages these resources.

Q: What windowing types does Eventstream support?

Eventstream supports four temporal window types for aggregations: Tumbling (non-overlapping fixed intervals, e.g., per-minute counts), Hopping (overlapping fixed intervals for moving averages), Session (dynamic duration based on gaps between events, ideal for user session tracking), and Sliding (continuously advancing, most precise for anomaly detection).

Q: Can Eventstream handle duplicate events?

Eventstream provides at-least-once delivery guarantees, meaning duplicates can occur. For deduplication, route events via Direct Ingestion to Eventhouse and use KQL's arg_max() function to deduplicate at query time, or use ingest_if_not_exists tags during ingestion. Alternatively, use an event ID field in Manage Fields transformation to flag and filter duplicates before they land.

Q: What Fabric capacity is required for Eventstream?

Eventstream is available in Fabric Trial capacities for evaluation. For production workloads, an F-SKU (F2 or higher) is required to ensure consistent throughput. Eventstream consumes Capacity Units (CUs) from your F-SKU based on event volume and transformation complexity. Direct Ingestion typically costs less in CUs than full Event Processing paths.

Q: Can Mirrored Database changes stream into Eventstream?

Yes. As of June 2026, the Mirrored Database Change Feed connector provides a fully managed path from mirrored change feeds directly into Fabric Eventstreams. This requires Extended Capabilities in Mirroring (Delta CDF enabled). No custom Spark notebooks are needed — discover CDF-enabled mirrored databases in Real-Time Hub and connect to Eventstreams in a few clicks.

Fabric Eventstream captures, transforms, and routes real-time events from sources like Event Hubs, Kafka, MQTT brokers, and databases into Eventhouse, Lakehouse, and custom destinations. This guide covers every capability including Q1 2026 DeltaFlow, VNet connectivity, Anomaly Detection sources, and the June 2026 Mirrored Change Feed connector — verified against Microsoft Learn.

What is Eventstream in Microsoft Fabric?

Eventstream in Microsoft Fabric is a no-code, fully managed real-time data ingestion and transformation service. It captures events from Azure Event Hubs, Kafka, IoT Hub, MQTT brokers, HTTP endpoints, and databases via DeltaFlow, applies transformations such as filtering, aggregation, and temporal windowing, then routes results to Eventhouse (KQL), Lakehouse (Delta), Service Bus, and custom endpoints. All infrastructure scales automatically. Eventstream is part of Fabric’s Real-Time Intelligence workload.

📅 Last verified: June 2026 ⏱ Read time: ~16 min ✍️ A.J., Data Engineering Researcher 🔗 Source: Microsoft Learn

Section 01

What Is Eventstream in Fabric?

Eventstream sits within Fabric’s Real-Time Intelligence workload alongside Eventhouse and Real-Time Hub. Its job is simple: take events arriving continuously from external systems, apply whatever transformation logic you need, and deliver results to Fabric destinations or external consumers — all without managing infrastructure.

Every Eventstream is a visual pipeline. Sources connect on the left, transformations sit in the middle, destinations connect on the right. The pipeline runs continuously as a managed service. You never provision servers, configure autoscaling, or manage partition assignments manually.

No-Code Visual Editor

Drag-and-drop pipeline builder. Connect sources, chain transformation operators, route to multiple destinations — without writing code.

Fully Managed Infrastructure

Microsoft manages autoscaling, fault tolerance, and partition management. You define the logic; Fabric runs it.

Multiple Source Types

Azure Event Hubs, Kafka, IoT Hub, MQTT brokers, HTTP endpoints, Azure SQL and PostgreSQL via DeltaFlow, Anomaly Detection signals, and Mirrored Database Change Feeds.

Multi-Destination Routing

Route processed events simultaneously to Eventhouse (KQL), Lakehouse (Delta), Event Hub, Service Bus, Derived Streams, and custom HTTP endpoints.

📌

Real-Time Hub — The Control Plane

Real-Time Hub is the centralized discovery and management experience for all streaming artifacts across your Fabric workspace. Find Eventstreams, connect sources, monitor health, and discover CDF-enabled mirrored databases — all from one place.

Section 02

Pipeline Architecture

Every Eventstream follows the same three-stage pattern. Understanding it prevents the most common design mistakes.

Eventstream pipeline flow

[Event Sources]
Azure Event Hubs • Apache Kafka • IoT Hub • MQTT (v3.1/v3.1.1)
HTTP Custom Endpoint • Service Bus • DeltaFlow (Azure SQL/PostgreSQL)
Anomaly Detection • Mirrored Database Change Feed (June 2026)
│
▼
[Default Stream]  ←  raw event data, schema preserved
│
▼
[Transformation Operators]  (optional, chainable)
Filter → Aggregate → Group By → Join → Manage Fields → Convert
│
├── [Derived Stream]  ←  branch for reuse or chaining
│
▼
[Destinations]  (route to one or more simultaneously)
Eventhouse (KQL database) — Direct Ingestion or processed
Lakehouse (Delta tables in OneLake)
Event Hub (fan-out to downstream subscribers)
Service Bus (guaranteed delivery messaging)
Custom Endpoint (HTTP, Kafka, AMQP)

The most common architecture mistake is running all transformations before writing to Eventhouse when Direct Ingestion is the better choice. If your downstream analytics are KQL queries, land raw events via Direct Ingestion and apply filtering and aggregation at query time. Save Event Processing for scenarios where you need to reduce data volume before storage or enrich events with reference data.

Section 03

Direct Ingestion vs Event Processing

This is the most important decision in any Eventstream design. Getting it wrong affects both latency and your monthly CU bill.

Factor	Direct Ingestion	Event Processing
What it does	Streams raw events straight to Eventhouse KQL database	Applies transformations before data lands in destination
Latency	Lowest — no transformation overhead	Higher — transformation adds processing time
CU cost	Lower — bypasses transformation compute	Higher — transformation units billed
Data stored	Raw unprocessed events	Filtered or aggregated records
Analytics approach	Query with KQL post-ingestion	Data arrives pre-processed
Best for	Archive all events, compliance, low latency KQL dashboards	Reduce storage volume, enrich records, content-based routing

✅

Default Recommendation

Start with Direct Ingestion to Eventhouse. KQL handles filtering, aggregation, and enrichment at query time — and you preserve all raw event data for future analysis. Switch to Event Processing only when you have a specific reason: volume reduction before storage, or enrichment that can’t be done in KQL.

Section 04

Sources — Including All 2026 Additions

Existing Core Sources

Azure Event Hubs — managed event streaming at scale; handles millions of events per second. The most common source for high-throughput cloud-native workloads.
Apache Kafka — on-premises or cloud Kafka clusters (Amazon MSK, Confluent Cloud). Schema Registry support added Q1 2026 for Kafka-based sources.
Azure IoT Hub — device-to-cloud messaging with device management. Use for IoT solutions with thousands of registered devices.
HTTP Custom Endpoint — receive events via webhook. Use for SaaS platforms, mobile apps, and third-party systems pushing data.
Azure Service Bus — enterprise message bus; use where guaranteed delivery and ordering matter more than throughput.

2026 New Sources

Source	Status	What It Does
DeltaFlow	Preview — Q1 2026	Streams CDC events (inserts, updates, deletes) directly from Azure SQL and PostgreSQL into Eventstreams. Eliminates custom CDC polling logic.
MQTT v3.1 / v3.1.1	GA — Jan 2026	Expanded MQTT ingestion compatibility. Onboard existing IoT device fleets without protocol upgrades or custom shims.
Anomaly Detection	Q1 2026	Detection signals from Eventhouse Anomaly Detection become first-class streaming inputs — enabling enrichment, routing, and Activator automation.
Mirrored Database Change Feed	June 2026	Streams row-level changes from Fabric Mirrored databases (requires Extended Capabilities / Delta CDF) directly into Eventstreams. Discover in Real-Time Hub. No code required.
VNet / Private Network Sources	Q1 2026	Sources in private networks (VPN, ExpressRoute, private endpoints, peering) now reachable via Azure Managed VNet bridge with streaming VNet data gateway.

📌

VNet / Private Network Connectivity

As of Q1 2026, Eventstream supports streaming from sources in private network environments. Use an Azure Managed Virtual Network as an intermediary bridge — connected via VPN, ExpressRoute, peering, or private endpoints — with Eventstream connectors injected into that virtual network. A streaming VNet data gateway experience in Fabric manages these resources. This enables regulated-industry deployments where sources must stay behind private links.

Section 05

Transformation Operators

Six core transformation types are available. Chaining them builds complex processing logic without writing code. Each operator in the pipeline connects to the next — the output of one becomes the input of the next.

Operator	What It Does	Example
Filter	Select events matching conditions (WHERE clause logic)	Keep only transactions over $100, or errors from production environments
Aggregate	Compute SUM, AVG, COUNT, MIN, MAX across time windows	Per-minute order totals or hourly active user counts
Group By	Segment events by dimension, combined with temporal windows	Revenue by region per 5-minute tumbling window
Join	Enrich event streams with reference data from lookup streams	Add customer tier from a reference stream to transaction events
Manage Fields	Rename, type-cast, or compute new columns	Rename OrderID to order_id, cast price string to decimal, add derived margin field
Convert	Transform data between formats and representations	Convert event payload types for different sink schema requirements

Real-World Transformation Chain Example

E-commerce order stream — chained operators

Source: Orders from Azure Event Hub
│
Filter → keep only orders where amount > $50
│
Manage Fields → rename “OrderID” → “order_id”, cast amount to decimal
│
Join → lookup customer region from reference stream
│
Aggregate → COUNT and SUM(amount) per region, per 1-minute tumbling window
│
Destination: Eventhouse → KQL dashboard updates every 60 seconds

Section 06

Destinations

Destination	Best For	Latency	Notes
Eventhouse (KQL database)	Real-time dashboards, alerting, time-series analytics	Sub-second	Supports both Direct Ingestion and processed events. Primary destination for Real-Time Intelligence.
Lakehouse (Delta tables)	Event archival, batch analytics, compliance	Seconds–minutes	Data lands in OneLake as Delta Parquet. Queryable by Spark, SQL Warehouse, Power BI.
Event Hub (output)	Fan-out to multiple downstream subscribers	Sub-second	Use when multiple consumers need the same processed stream.
Service Bus	Guaranteed delivery, ordered messaging	Milliseconds	Use where message ordering and at-least-once delivery guarantees are required.
Derived Stream	Branch for reuse and chaining	Near-zero overhead	Allows one raw stream to feed multiple downstream Eventstreams without duplicating source connections.
Custom Endpoint	External systems, third-party integrations	Variable	HTTP, Kafka, AMQP. Use for legacy systems or external consumers outside Fabric.

⚠️

Routing to Both Eventhouse and Lakehouse

A common production pattern routes the same events to both Eventhouse (for real-time KQL queries) and Lakehouse (for batch historical analysis). This is fully supported — a single Eventstream can write to multiple destinations simultaneously. Design the fanout in the pipeline, not upstream.

Section 07

Temporal Windowing & Aggregations

Windowing enables time-based aggregations on continuous streams. Every aggregation in Eventstream requires a window type. Choosing the wrong one produces misleading metrics.

Window Type	How It Works	Best For
Tumbling	Non-overlapping fixed intervals. Each event belongs to exactly one window. No overlap between consecutive windows.	Per-minute order counts, hourly revenue totals. Any metric where you need clean, non-overlapping time buckets.
Hopping	Overlapping fixed intervals. Window size is larger than the hop interval, so events appear in multiple windows.	Moving averages, trend detection. Smoothed metrics where you want overlap between adjacent windows.
Session	Dynamic duration based on gaps between events. Consecutive events close in time group into one session; gaps trigger a new window.	User session tracking, IoT device active periods, any scenario where activity gaps define a natural grouping boundary.
Sliding	Continuously advancing fixed-duration window. Every new event creates a new window instance.	Real-time anomaly detection, threshold monitoring where you need the most precise, continuous view.

Windowing in practice — order stream

Tumbling (1 min):
COUNT(orders) and SUM(amount) per 1-min bucket
At 10:00 AM: 45 orders, $2,340
At 10:01 AM: 38 orders, $1,890  ← fresh non-overlapping bucketHopping (5 min window, 1 min hop):
Moving average smooths spikes
At 10:01 AM reports avg over 10:00–10:05 rangeSession (30 sec gap):
User A: events at 10:00:00, 10:00:15, 10:00:45 → one session
User A: next event at 10:01:30 → new session (gap > 30 sec)

Section 08

Design Patterns & Production Recipes

Pattern 1: Lambda Architecture — Speed + Batch Layers

For organizations that need both immediate metrics and deep historical analysis, route the same events to both Eventhouse and Lakehouse simultaneously.

Lambda implementation

Speed layer: Events → Direct Ingestion → Eventhouse
KQL dashboard queries live data updated per second
Alerts fire via Activator on threshold breachesBatch layer: Events → Lakehouse (Delta tables in OneLake)
Dataflow Gen2 or notebook enriches nightly
Power BI semantic model queries curated Delta tablesOne Eventstream, two destinations, two SLAs

Pattern 2: Fanout — Content-Based Routing

Route events to different destinations based on content. One source, multiple consumers, each receiving only the events relevant to them.

Fanout routing by event severity

Source: Application logs from Event Hub
│
Filter: severity = “ERROR”  → Service Bus → triggers alert automation
Filter: all events          → Lakehouse   → full audit log
Aggregate: error rate/min   → Eventhouse  → ops dashboard

Pattern 3: DeltaFlow CDC — Operational Database to Analytics

Use DeltaFlow (Q1 2026) to replace a batch extract job with a continuous CDC stream from Azure SQL or PostgreSQL. No custom CDC code. No polling interval. Changes land in Eventhouse within seconds of the source transaction committing.

DeltaFlow pattern

Azure SQL (orders table) → DeltaFlow connector → Eventstream
│
Manage Fields → normalize column names, add source_db tag
│
Eventhouse → KQL real-time order status dashboard
Lakehouse  → Delta table for historical order analysis

DeltaFlow changes the economics of operational analytics. The old pattern was: database → scheduled copy job (30-60 min delay) → warehouse → BI. With DeltaFlow, the delay drops to seconds. The first question to ask before using it: does your Azure SQL source have Change Tracking or CDC enabled? DeltaFlow requires one of these to be active on the source tables you want to stream.

Pattern 4: Mirrored Database Change Feed (June 2026)

If your data is already being mirrored into Fabric via Mirroring with Extended Capabilities (Delta CDF enabled), you can now stream those row-level change records directly into Eventstreams without writing a single line of code.

Mirrored Change Feed → Eventstream → Activator

Mirrored database (Delta CDF enabled)
→ Real-Time Hub: discover CDF-enabled mirrored databases
→ Connect to Eventstream (no code, few clicks)
→ Apply Eventstream SQL operators and filtering
→ Route to Eventhouse, Activator, Lakehouse simultaneouslyActivator rule: if inventory_level < 100 → trigger reorder alert

Section 09

Monitoring, Performance & Security

Key Metrics to Monitor

Metric	Healthy Range	Action if Breached
End-to-end latency	< 5 seconds (typical), sub-second for Direct Ingestion	Check transformation complexity; reduce operator chain or switch to Direct Ingestion
Event throughput	Matches source rate with < 1% drop	Check Eventhouse ingestion capacity; scale F-SKU if needed
Error rate	0% (schema mismatch or serialization errors)	Review source schema; add schema validation at ingestion
Pending events (queue depth)	Near zero or steadily draining	Growing queue = destination can’t keep up; scale Eventhouse or simplify transformations
CU consumption	< 80% sustained	Reduce transformation complexity; use Direct Ingestion; filter events earlier in pipeline

Performance Optimization

Filter early: Remove unwanted events as close to the source as possible. Every event that passes through unused transformation operators costs CUs.
Aggregate before storing: Pre-aggregating in Eventstream can reduce destination write volume by 100x compared to writing raw events.
Use Derived Streams for reuse: One shared stream feeds multiple downstream Eventstreams — avoids duplicating source connections and reduces overhead.
Event Hub partitioning: Partition source events by a high-cardinality key (customer ID, device ID). Eventstream processes partitions in parallel.
Batch windows: Even small aggregation windows (1 minute) dramatically reduce write volume to Lakehouse destinations.

Security Best Practices

Managed Identity: Use Managed Identity for Eventstream-to-Eventhouse and Eventstream-to-Lakehouse connections. No credential management or rotation required.
PII masking: Use the Manage Fields operator to hash or mask sensitive columns before they land in any destination.
Workspace roles: Assign Contributor access only to data engineers who need to modify Eventstreams. Analysts should have Reader access to destinations only.
Private network sources: For regulated industries, use the VNet managed bridge (Q1 2026) to keep source connections off the public internet entirely.
TLS in transit: All Eventstream connections use TLS encryption in transit. Lakehouse and Eventhouse storage is encrypted at rest automatically.

Deduplication

Eventstream provides at-least-once delivery — duplicates can occur, especially during connector restarts or network events. For Eventhouse destinations, use KQL’s arg_max() function to deduplicate at query time by event ID, or use ingest_if_not_exists tags during ingestion to prevent duplicate rows from landing.

Section 10

Frequently Asked Questions

What is Eventstream in Microsoft Fabric?

Eventstream in Microsoft Fabric is a no-code, fully managed real-time data ingestion and transformation service. It captures events from Azure Event Hubs, Kafka, IoT Hub, MQTT brokers, HTTP endpoints, and operational databases via DeltaFlow, applies transformations such as filtering, aggregation, and temporal windowing, then routes results to Eventhouse (KQL), Lakehouse, Service Bus, and custom endpoints — all without managing infrastructure.

What is the difference between Direct Ingestion and Event Processing?

Direct Ingestion streams raw events straight to an Eventhouse KQL database without applying transformations — lowest latency, lowest CU cost, raw data stored. Event Processing applies transformations before data lands: filtering, aggregation, enrichment. Use Direct Ingestion when you want all events as-is and prefer KQL queries for analysis. Use Event Processing when you need to reduce data volume before storage, enrich records with reference data, or route based on content.

What is DeltaFlow in Fabric Eventstream?

DeltaFlow (Preview, Q1 2026) is a connector that streams CDC (Change Data Capture) events directly from operational databases like Azure SQL and PostgreSQL into Fabric Eventstreams. It captures row-level inserts, updates, and deletes as they happen — replacing batch extract jobs that previously ran on 30-60 minute schedules. Requires Change Tracking or CDC to be enabled on the source tables.

Does Eventstream support private network and VNet sources?

Yes. As of Q1 2026, Eventstream supports private network connectivity using an Azure Managed Virtual Network as an intermediary bridge. Sources behind VPN, ExpressRoute, private endpoints, or peering are now reachable. A streaming virtual network data gateway experience in Fabric manages these connections. This is particularly important for regulated industries where sources must stay off the public internet.

What windowing types does Eventstream support?

Eventstream supports four temporal window types: Tumbling (non-overlapping fixed intervals — per-minute counts), Hopping (overlapping fixed intervals — moving averages), Session (dynamic duration based on gaps between events — user session tracking), and Sliding (continuously advancing — anomaly detection). Each aggregation in Eventstream requires you to choose one window type.

Can Eventstream handle duplicate events?

Eventstream provides at-least-once delivery guarantees — duplicates can occur. For Eventhouse destinations, deduplicate at query time using KQL’s arg_max() function by event ID, or use ingest_if_not_exists tags at ingestion. For Lakehouse destinations, apply deduplication logic in a downstream notebook or Dataflow Gen2 using a Delta MERGE on the event ID column.

What Fabric capacity is required for Eventstream?

Eventstream is available in Fabric Trial capacities for evaluation and development. For production workloads, an F-SKU (F2 or higher) is required for consistent throughput. Eventstream consumes Capacity Units from your F-SKU based on event volume and transformation complexity. Direct Ingestion typically consumes fewer CUs than full Event Processing paths.

Can Mirrored Database changes stream into Eventstream?

Yes. As of June 2026, the Mirrored Database Change Feed connector provides a fully managed path from Fabric Mirrored databases (with Extended Capabilities and Delta CDF enabled) directly into Eventstreams. Discover CDF-enabled mirrored databases in Real-Time Hub and connect to an Eventstream in a few clicks — no custom Spark notebooks required. Row-level changes stream with full metadata including operation type and source timestamp.

Section 11

Official References & Related Guides

📖

Eventstream Overview — Microsoft Learnlearn.microsoft.com · Complete reference for all capabilities, sources, and destinations

🚀

What’s New in Fabric Eventstream: 2026 Q1 Editionblog.fabric.microsoft.com · DeltaFlow, MQTT v3, VNet connectivity, Anomaly Detection source

⚡

Add Eventhouse Destination — Microsoft Learnlearn.microsoft.com · Direct Ingestion to KQL database configuration

🔄

Data Mirroring in Fabric — Complete 2026 Guideultimateinfoguide.com · Extended Capabilities, Delta CDF, and the Change Feed connector

🏗️

Data Pipelines in Microsoft Fabricultimateinfoguide.com · Orchestrate Eventstream outputs with batch processing

🔧

Dataflow Gen2 in Fabricultimateinfoguide.com · Transform and enrich data after Eventstream lands it in Lakehouse

📦

Fabric Lakehouse Tutorialultimateinfoguide.com · Delta Lake storage for archived events from Eventstream

💡

Fabric Capacity Optimizationultimateinfoguide.com · Right-size compute for streaming workloads

⚠️ Accuracy Disclaimer

This guide is verified against Microsoft Learn — Eventstream Overview, the 2026 Q1 Eventstream update blog, and the June 2026 Feature Summary. Feature preview status, supported sources, and connector capabilities change frequently. Always verify against official documentation before production deployment. UIG Data Lab is an independent publication, not affiliated with or endorsed by Microsoft Corporation.

A.J. Data Engineering Researcher & Technical Writer · UIG Data Lab All articles →

A.J. researches and writes about data engineering, analytics architecture, Microsoft Fabric, and modern cloud data platforms. Coverage spans Microsoft Fabric, Power BI, Azure Data Engineering, Databricks, Snowflake, Apache Spark, dbt, Apache Airflow, and modern cloud data infrastructure. The focus is practitioner-level content that helps data professionals understand platform capabilities, evaluate technology decisions, optimize costs, and implement practical solutions using official documentation, product updates, community insights, and industry best practices. His writing covers real decisions from real deployments — not documentation rewrites.

Microsoft Fabric Eventstream Real-Time Intelligence KQL Power BI Databricks Apache Spark dbt Data Architecture