Configure Virtual Network support for outbound connections from agents

When you use Virtual Network support in a Power Platform environment, you can securely connect to and integrate Power Platform and Dataverse components with cloud services, or services hosted inside your private enterprise network, without exposing them to the public internet.

Copilot Studio integrates with Power Platform virtual networks over a private endpoint for these scenarios:

  • Agents that retrieve keys from Azure Key Vault over HTTP
  • Agents that send telemetry to a private endpoint-enabled instance of Application Insights
  • Agents that use a virtual network-supported connector (like the SQL Server connector) to get data from Azure SQL Server

If you set up a virtual network for a Power Platform environment and enable Copilot Studio to capture telemetry with Application Insights or make HTTP requests with your agent over the virtual network, calls from Power Platform to Azure resources and Application Insights go through your private network.

Prerequisites

Enable virtual network support for your environment

To connect to services through a private endpoint, you must have virtual network support enabled for Power Platform.

You can enable virtual network support manually by following the instructions at Set up Virtual Network support for Power Platform to create virtual networks and delegate subnets that can connect between Azure resources and your Power Platform environment.

You can also use a prebuilt Azure Resource Manager (ARM) template to configure and connect your Power Platform environment with Azure and enable virtual network support:

  1. Download the ARM template from the Microsoft Copilot Studio samples repository on GitHub.

  2. Open PowerShell, connect to your Azure subscription, and deploy the template with the New-AzDeployment command as follows:

    Connect-AzAccount -Subscription "<Azure subscription>"
    New-AzSubscriptionDeployment -Name "<name of deployment>" -TemplateFile "<template.json>" -Location "<Azure geo>"
    

    where:

    • <Azure subscription> is your subscription ID.
    • <name of deployment> is the name you want to give this deployment.
      The name can be anything you choose, but defaults to the template's filename if you leave it blank.
    • <template.json> is the path and filename of the template file.
    • <Azure geo> is the geographic region where you want the deployment management files to go, such as West US. The region doesn't control where the template creates the resources.

For more information about ARM templates and management, see Deploy resources with ARM templates and Azure PowerShell.

Note

You only need to configure your virtual network one way: either with the ARM template or manually. You don't need to do both.

Review the overview about Virtual Network support for Power Platform. Then, follow the instructions at Set up Virtual Network support for Power Platform to create virtual networks and delegate subnets that can connect between Azure resources and your Power Platform environment.

Retrieve keys from Azure Key Vault over HTTP

When you set up a virtual network for your Power Platform environment, you can configure your Copilot Studio agents to retrieve information from Azure resources by using HTTP calls.

First, set up a private link and endpoint for Azure Key Vault. After validating that the link is working, add an HTTP Request node from the agent's authoring canvas in Copilot Studio to connect to Key Vault.

Follow the instructions in Integrate Key Vault with Azure Private Link to:

Tip

If your endpoint isn't correct, review the instructions and related articles for private links and private endpoints in the Diagnose private links configurations issues on Azure Key Vault article.

Use HTTP Request nodes to connect over a private network

After you configure the private link to Key Vault, add an HTTP Request node to an agent in Copilot Studio to connect over the private network. Specify the connection details to the private endpoint in the node. When the agent reaches that node in the conversation, it makes the request and retrieves the information.

  1. In Copilot Studio, on the top menu bar, select an environment where Virtual Network support is enabled.

  2. Create or open an existing agent in that environment. If you create a new agent, you can skip the initial configuration steps in the conversational canvas.

  3. With the agent open, create or modify a topic in the authoring canvas.

  4. To add an HTTP request node to the topic, follow the instructions in Make HTTP requests.

  5. Use the following settings in the HTTP Request node:

    • URL: Enter the URL for your Azure Key Vault private endpoint, for example, https://yourkeyvault.vault.azure.net/secrets?api-version=7.3. Replace yourkeyvault with the name of your Key Vault.

    • Method: Select GET to retrieve secrets from Key Vault.

    • Headers and body: Select Edit.

      Screenshot of the HTTP request node in Copilot Studio, showing the initial configuration fields.

    • In HTTP Request properties, enter Authorization as the Key, and Bearer <access-token> as the Value, where <access-token> is your Azure access token.

      Screenshot of the HTTP request node, with the Headers and body section open for configuration.

  6. Save the topic, and test that the node works by triggering the conversation in the agent's test canvas.
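To check the same call outside the agent, the following PowerShell function sends the request that the HTTP Request node is configured to send and interprets the result. It is an added example, not part of the original article; it assumes a machine inside the virtual network with the Az module signed in, and the function name Test-KeyVaultPrivateRequest is hypothetical.

```powershell
# Added example, not from the original article. Assumes a machine inside the
# virtual network and an Az session (Connect-AzAccount). Function name is hypothetical.
function Test-KeyVaultPrivateRequest {
    param(
        [Parameter(Mandatory)][string]$VaultName,   # for example, the page's 'yourkeyvault'
        [string]$ApiVersion = '7.3'
    )

    # Token for the Key Vault data plane, issued to the signed-in identity.
    $token = (Get-AzAccessToken -ResourceUrl 'https://vault.azure.net').Token
    # Newer Az.Accounts versions return a SecureString; unwrap it in memory only.
    if ($token -is [securestring]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }

    # Same URL, method, and Authorization header as the HTTP Request node.
    $uri = "https://$VaultName.vault.azure.net/secrets?api-version=$ApiVersion"
    # How to read the failure cases (0 means no HTTP response was received).
    $meaning = @{
        401 = 'Token missing, expired, or issued for another resource'
        403 = 'Refused by vault network rules or by missing list permission'
        0   = 'No HTTP response: check DNS and routing to the private endpoint'
    }
    try {
        $response = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $token" }
        # This list call returns secret identifiers and attributes, not secret values.
        [pscustomobject]@{
            Status  = 200
            Finding = 'Request succeeded over the current network path'
            Detail  = @($response.value | ForEach-Object { $_.id })
        }
    }
    catch {
        $err      = $_
        $httpResp = $err.Exception.Response
        $status   = if ($httpResp) { [int]$httpResp.StatusCode } else { 0 }
        [pscustomobject]@{
            Status  = $status
            Finding = if ($meaning.ContainsKey($status)) { $meaning[$status] } else { 'Unexpected status' }
            Detail  = if ($err.ErrorDetails) { $err.ErrorDetails.Message } else { $err.Exception.Message }
        }
    }
}

Test-KeyVaultPrivateRequest -VaultName 'yourkeyvault' | Format-List
```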

Send telemetry to a private endpoint-enabled instance of Application Insights

When you set up a virtual network for your Power Platform environment, you can configure your Copilot Studio agents to send telemetry to a private endpoint-enabled instance of Application Insights. By doing this, you can monitor and analyze the performance and usage of your agents without exposing the data to the public internet.

First, set up a private link and endpoint for Application Insights. Then, after validating that the link is working, connect Copilot Studio to Application Insights so that it sends telemetry data over the private link.

By using an Azure Private Link to Azure Monitor, Copilot Studio can use your virtual network to send agent telemetry to Azure Monitor over a private IP address instead of a public IP address.

Azure Monitor is the backend data platform that collects and stores telemetry data, including Application Insights data.

Follow the instructions in Configure private link for Azure Monitor and:

You can also configure which networks can connect to resources in your Azure Monitor Private Link Scope (AMPLS), without using a scope, in the Network Isolation page for your AMPLS. Directly configuring networks is useful if you have multiple virtual networks and want to restrict access to the AMPLS to only certain networks or subnets.

Tip

If your endpoint isn't correct, review the instructions and related articles for private links and private endpoints in the Configure private link for Azure Monitor article.

Connect Copilot Studio to Application Insights

After you set up the private link, you can connect Copilot Studio to Application Insights. Copilot Studio then uses your virtual network to send telemetry data.

Follow the instructions in Capture telemetry with Application Insights.

Important

Ensure you get the correct Connection string for the private endpoint-enabled Application Insights.

You can validate it's the correct resource by checking the values under Resource group and Subscription on the Overview section for Application Insights in the Azure portal.

Telemetry from Copilot Studio agents appears in the Application Insights resource you configured. You can use the Live Metrics Stream to see telemetry data in real time, or use the Logs section to query and analyze the data.
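One way to validate that a private link is working, for both the Key Vault endpoint and the endpoints named in the Application Insights connection string, is to confirm that their hostnames resolve to private addresses from inside the virtual network. The following PowerShell is an added example, not part of the original article; the function names are hypothetical, the connection string is a placeholder, and it assumes your virtual network uses RFC 1918 address space.

```powershell
# Added example, not from the original article. Run it from a machine that uses
# the virtual network's DNS. Function names are hypothetical.
function Get-ConnectionStringHosts {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Connection strings are semicolon-separated Key=Value pairs.
    # Keep only the *Endpoint entries and return their hostnames.
    foreach ($pair in ($ConnectionString -split ';' | Where-Object { $_ })) {
        $key, $value = $pair -split '=', 2
        if ($key -match 'Endpoint$' -and $value) { ([uri]$value.Trim()).Host }
    }
}

function Test-PrivateResolution {
    param([Parameter(Mandatory)][string[]]$HostName)
    # Assumption: the virtual network uses RFC 1918 private address space.
    $rfc1918 = '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'
    foreach ($name in $HostName) {
        $records = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue)
        $cnames  = @($records | Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost })
        $ips     = @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        [pscustomobject]@{
            Host           = $name
            # Private endpoints are reached through a CNAME into a "privatelink" DNS zone.
            ViaPrivateLink = [bool]($cnames -match '\.privatelink\.')
            Addresses      = $ips -join ', '
            # True only if at least one address came back and none of them is public.
            AllPrivate     = ($ips.Count -gt 0) -and -not ($ips -notmatch $rfc1918)
        }
    }
}

# Placeholders: replace with your vault name and the connection string from the
# Overview section of the private endpoint-enabled Application Insights resource.
$connectionString = '<Application Insights connection string>'
$names = @('yourkeyvault.vault.azure.net') + @(Get-ConnectionStringHosts $connectionString)
Test-PrivateResolution -HostName $names | Format-Table -AutoSize
```

A host that reports AllPrivate as False from inside the virtual network is still resolving to a public address, which usually points to a missing or unlinked private DNS zone.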

Use virtual network-supported connectors to get data

When you set up a virtual network for your Power Platform environment, you can configure your Copilot Studio agents to use virtual network-supported connectors to connect to data and services over your private network.

You can use any connector that has native support for virtual networks.

By using virtual network-supported connections, you can securely connect to your cloud-hosted data sources, such as Azure SQL or SQL Server, over private endpoints without exposing them to the internet.

To add and configure the connector you want to use in a topic or tool, follow the instructions in Use Power Platform connectors in Copilot Studio.