When I send traffic to the firewall, my host cannot reach any powerapps

JohnSebastian-3934 371 Reputation points
2024-09-23T13:38:00.8933333+00:00

I have virtual hosts in Azure Commercial West US 2 region and Powerapps running in the Azure GCC environment. All Powerapps run just fine when I do not send any traffic (0.0.0.0/0) through the Azure Firewall. However as soon as I send traffic through the Azure Firewall, I get the error "We could not retrieve your app" and the Powerapps fail to run.

I have tried using an Application Rule in my Azure Firewall Policy that allows access to a huge range of FQDNs that PowerApps publishes in the documentation (https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls) but this has had no effect. I then tried a Network rule using the Service Tag of PowerAppsInfra but this has also not worked. I can't tell from the tag name what exactly this gives access to. It suggests access to just the infrastructure that PowerApps runs on.

Can someone help me figure out what the correct Azure Firewall Policy is to allow hosts in Azure Commercial WestUS2 region to run PowerApps that reside in Azure GCC environment?


5 answers

  1. JohnSebastian-3934 371 Reputation points
    2024-09-25T22:14:24.87+00:00

    Now that I think about this some more, I'm not sure that the Azure Firewall should be involved at all. PowerApps run in the GCC cloud and I want them to be able to access the Public endpoint of the SQL Managed Instances which are IP addresses exposed to the internet. I don't think the Azure Firewall would be involved in this at all. Does this sound right to you? Maybe I need to put these IP ranges into the NSG that protects the SQL Managed Instance sub-nets.


  2. JohnSebastian-3934 371 Reputation points
    2024-09-26T13:58:19.3166667+00:00

    Yes thank you. I just figured out what my issue is. There were two issues that caused my problem.

    The first issue was that the hosts on which I was attempting to access the Power Apps applications from were located in sub-nets that recently were added to a route table which sends all of my traffic through an Azure Firewall. I had to update the Azure Firewall Policy to create a Network Rule that allows access to the Service Tag AzureConnectors. Once this was added, then I no longer received the Could Not Load errors.

    This however, then highlighted a different issue with the Power Apps. They were all owned by an Entra ID user account named powerappsuser and the password for this account had expired. This caused every attempt to run one of these power apps to put up a permissions screen for the SQL Server Connector but there was no information about which account needed permission and the Allow button was greyed out. Once I discovered that the powerappsowner account password was expired and I fixed that, the permissions screen displayed showing a request to give powerappsowner permissions to use the SQL Server connector and the Allow button was active. Clicking the Allow button fixed everything and my powerapps are working again. Thank you for your help.


  3. JohnSebastian-3934 371 Reputation points
    2024-09-30T20:19:21.5733333+00:00

    I figured out the issue again. I have Rule Collections using priorities 1000 and 950. Within the 950 group, I have a Network rule that does not use TLS interception for a whole array of Microsoft FQDNs. This was the suggested solution from Microsoft Support because apparently whatever service Microsoft is using to host a lot of their services was seeing the TLS Interception as an attack and slowing down or just dropping traffic. I had put my Power Apps FQDNs into the same rule collection as a different rule with TLS interception turned on. I think what was happening was that a match was being found in the no TLS interception rule and processing then stopped by the firewall and I was never getting to the rule with all of the PowerApps FQDNs.

    I created another Rule Collection Group at priority 850 (thus higher priority than the 950 collection). I moved the rule with all of the Powerapps FQDNs to the higher priority (850) Rule Collection Group and bingo, all of the powerapps started working again. This has fixed my issue.

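An added illustration of the ordering problem described in the answer above (this is example code written for this page, not the poster's configuration and not Azure's implementation): a small Python model in which rule collection groups and rule collections are tried from the lowest priority number up, rules inside a collection in listed order, and the first rule whose target FQDN matches wins. The hostnames, rule names and the overlap between the "no TLS inspection" wildcard and the Power Apps host are constructed for the demonstration. The `shadowed_rules` check goes beyond the thread: it flags any rule whose targets are all claimed by an earlier rule, which is the condition the poster hit before moving the Power Apps rule to the 850 group.

```python
"""Toy model of Azure Firewall Policy application-rule evaluation order.

Added illustration, not Azure's implementation. Assumed behaviour:
  * rule collection groups are evaluated from the lowest priority number up
    (850 before 950 before 1000),
  * rule collections inside a group the same way,
  * rules inside a collection in the order they are listed,
  * the first rule whose target FQDN matches wins and evaluation stops.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class AppRule:
    name: str
    target_fqdns: List[str]          # wildcard patterns such as "*.powerapps.us"
    tls_inspection: bool = False

    def matches(self, fqdn: str) -> bool:
        return any(fnmatch(fqdn.lower(), pat.lower()) for pat in self.target_fqdns)


@dataclass
class RuleCollection:
    name: str
    priority: int
    action: str                      # "Allow" or "Deny"
    rules: List[AppRule] = field(default_factory=list)


@dataclass
class RuleCollectionGroup:
    name: str
    priority: int
    collections: List[RuleCollection] = field(default_factory=list)


@dataclass
class Match:
    group: str
    collection: str
    rule: str
    action: str
    tls_inspection: bool


def ordered_rules(groups):
    """Yield (group, collection, rule) in the order the model evaluates them."""
    for g in sorted(groups, key=lambda x: x.priority):
        for c in sorted(g.collections, key=lambda x: x.priority):
            for r in c.rules:
                yield g, c, r


def evaluate(groups, fqdn: str) -> Optional[Match]:
    """Return the first matching rule, or None (no match: the firewall denies)."""
    for g, c, r in ordered_rules(groups):
        if r.matches(fqdn):
            return Match(g.name, c.name, r.name, c.action, r.tls_inspection)
    return None


def shadowed_rules(groups):
    """List (shadowed_rule, shadowing_rule) pairs: a rule whose every target FQDN
    is already claimed by an earlier rule can never be reached."""
    flat = [r for _, _, r in ordered_rules(groups)]
    out = []
    for i, rule in enumerate(flat):
        probes = [p.replace("*", "probe") for p in rule.target_fqdns]
        for earlier in flat[:i]:
            if all(earlier.matches(p) for p in probes):
                out.append((rule.name, earlier.name))
                break
    return out


# --- constructed sample policy (hostnames and rule names are made up) ----------
PA_FQDN = "myapp.gov.powerapps.us"
PA_RULE = AppRule("powerapps-gcc", ["*.powerapps.us", "*.gov.powerapps.us"],
                  tls_inspection=True)
# Broad "no TLS inspection" rule; its wildcard also covers the Power Apps host.
NO_TLS_RULE = AppRule("ms-no-tls-inspection", ["*.microsoft.com", "*.powerapps.us"])


def policy_before():
    """Both rules share one collection in the 950 group; the no-TLS rule is listed first."""
    shared = RuleCollection("ms-services", 100, "Allow", [NO_TLS_RULE, PA_RULE])
    return [RuleCollectionGroup("rcg-950", 950, [shared]),
            RuleCollectionGroup("rcg-1000", 1000, [])]


def policy_after():
    """Power Apps rule moved to its own group at priority 850, so it is tried first."""
    no_tls = RuleCollection("ms-services", 100, "Allow", [NO_TLS_RULE])
    pa = RuleCollection("powerapps", 100, "Allow", [PA_RULE])
    return [RuleCollectionGroup("rcg-850", 850, [pa]),
            RuleCollectionGroup("rcg-950", 950, [no_tls]),
            RuleCollectionGroup("rcg-1000", 1000, [])]


if __name__ == "__main__":
    for label, policy in (("before", policy_before()), ("after", policy_after())):
        print(label, evaluate(policy, PA_FQDN))
        print(label, "shadowed:", shadowed_rules(policy))
```

Running it shows the Power Apps host being claimed by `ms-no-tls-inspection` in the "before" layout and by `powerapps-gcc` once the rule sits in the 850 group; the shadow check reports the unreachable rule in the first layout and nothing in the second. A check like this, run over an exported policy, is a cheap way to catch a new FQDN rule that a broader wildcard in a lower-numbered collection will swallow.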

  4. ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
    2024-09-26T15:07:17.9033333+00:00

    @JohnSebastian-3934

    Thank you for getting back.

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.


    Issue:

    • You have virtual hosts in the Azure Commercial West US 2 region and PowerApps running in the Azure GCC environment. While PowerApps run fine without routing traffic through the Azure Firewall, they fail with the error "We could not retrieve your app" when traffic is routed through the firewall. Despite trying an Application Rule in the Azure Firewall Policy to allow access to a range of FQDNs published by PowerApps and a Network rule using the Service Tag of PowerAppsInfra, the issue persists. You were seeking assistance to determine the correct Azure Firewall Policy to enable hosts in the Azure Commercial West US 2 region to run PowerApps residing in the Azure GCC environment.

    Solution:

    • I just figured out what my issue is. There were two issues that caused my problem. The first issue was that the hosts on which I was attempting to access the Power Apps applications from were located in sub-nets that recently were added to a route table which sends all of my traffic through an Azure Firewall. I had to update the Azure Firewall Policy to create a Network Rule that allows access to the Service Tag AzureConnectors. Once this was added, then I no longer received the Could Not Load errors. This however, then highlighted a different issue with the Power Apps. They were all owned by an Entra ID user account named powerappsuser and the password for this account had expired. This caused every attempt to run one of these power apps to put up a permissions screen for the SQL Server Connector but there was no information about which account needed permission and the Allow button was greyed out. Once I discovered that the powerappsowner account password was expired and I fixed that, the permissions screen displayed showing a request to give powerappsowner permissions to use the SQL Server connector and the Allow button was active. Clicking the Allow button fixed everything and my powerapps are working again.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.


  5. JohnSebastian-3934 371 Reputation points
    2024-09-30T17:12:25.3066667+00:00

    Unfortunately, all of a sudden out of nowhere, I'm back to having the "We could not retrieve your app" problem again. I don't know what to think now. It has to be a problem with the Firewall Policy because removing the hosts from the route that sends traffic through the firewall fixes the issue.

    Previously, when I added AzureConnector to my list of Service Tags, I was able to get past this but suddenly the error has returned with "AzureConnector" still selected.
