Set up Virtual Network support for Power Platform
Azure Virtual Network support for Power Platform allows you to integrate Power Platform and Dataverse components with cloud services, or services hosted inside your private enterprise network, without exposing them to the public internet. This article helps you set up virtual network support in your Power Platform environments.
Prerequisites
- Review your apps, flows, and plug-in code to ensure they connect over your virtual network—they shouldn't call endpoints over the public internet. If your components need to connect to public endpoints, ensure your firewall or network configuration allows such calls.
Note
To enable Virtual Network support for Power Platform, environments must be Managed Environments.
- Prepare your tenant:
  - Have an Azure subscription with permissions to create a virtual network, subnet, and the enterprise policy resources.
  - Download PowerShell scripts for enterprise policies.
- Give permissions:
  - In the Azure portal, assign users the Azure Network Administrator role.
  - In the Power Platform admin center, assign users the Power Platform Administrator role.
The following diagram shows virtual network support in a Power Platform environment.
Set up Virtual Network support
The following four steps help you set up your virtual network.
Register Microsoft.PowerPlatform as a resource provider for the subscription that contains your virtual network.
Register Microsoft.PowerPlatform as a resource provider
Sign in to the Azure portal and navigate to your subscription.
Select Resource providers.
Search for and select Microsoft.PowerPlatform.
Select Register.
More information: Register resource provider
Set up the virtual network and subnets
When you set up your virtual network, you need to delegate both a primary and a failover subnet. The failover subnet must be in a different region from the primary. For example, if your primary subnet is in WEST US, then the failover must be in EAST US.
Note
Power Platform doesn't support the CENTRAL US region. Find your virtual network location.
You need to delegate subnets that don't have any resources connected to them. Delegate the subnet to the Power Platform enterprise policies by running a subnet injection script for both your primary and failover subnets.
Important
Be sure that the subnet you create has at least a /24 Classless Inter-Domain Routing (CIDR) address block, which equates to 251 IP addresses, including 5 reserved IP addresses. If you plan to use the same delegated subnet for multiple Power Platform environments, you may need a larger IP address block than /24.
To allow internet access within Power Platform containers, create an Azure NAT gateway for the delegated subnets.
Review the number of IP addresses that are allocated to each subnet and consider the load of the environment. Both primary and failover subnets must have the same number of available IP addresses.
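The subnet rules above (at least a /24, primary and failover in different regions, no CENTRAL US, no connected resources, matching IP counts) can be checked on a planned subnet pair before you run the subnet injection script. This is an added example, not part of the enterprise policy scripts; the dictionary fields, sample addresses and function names are assumptions, and it compares block sizes as a stand-in for available IP addresses.

```python
import ipaddress

AZURE_RESERVED = 5           # reserved addresses per subnet, as stated on this page
MAX_PREFIXLEN = 24           # the page requires at least a /24 block
UNSUPPORTED = {"centralus"}  # region the page lists as not supported


def _region(name):
    """Normalize 'WEST US' and 'westus' to one comparable form."""
    return name.replace(" ", "").lower()


def usable_ips(cidr):
    """Addresses left in the block after the reserved ones (a /24 gives 251)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AZURE_RESERVED


def check_subnet_pair(primary, failover):
    """Return a list of rule violations; an empty list means the plan passes."""
    problems, nets = [], {}
    for role, s in (("primary", primary), ("failover", failover)):
        try:
            net = nets[role] = ipaddress.ip_network(s["cidr"], strict=True)
        except ValueError as exc:
            problems.append(f"{role}: invalid CIDR ({exc})")
            continue
        if net.prefixlen > MAX_PREFIXLEN:
            problems.append(f"{role}: {net} is smaller than /24")
        if _region(s["region"]) in UNSUPPORTED:
            problems.append(f"{role}: region {s['region']} is not supported")
        if s["attached_resources"]:
            problems.append(f"{role}: subnet already has resources connected")
    if _region(primary["region"]) == _region(failover["region"]):
        problems.append("primary and failover are in the same region")
    # Block size is used as a proxy for "available IP addresses" (assumption).
    if len(nets) == 2 and nets["primary"].num_addresses != nets["failover"].num_addresses:
        problems.append("primary and failover have different IP counts")
    return problems


# Constructed sample plan (addresses, regions and counts are illustrative).
PRIMARY = {"cidr": "10.20.0.0/24", "region": "WEST US", "attached_resources": 0}
FAILOVER = {"cidr": "10.30.0.0/25", "region": "westus", "attached_resources": 2}

if __name__ == "__main__":
    for line in check_subnet_pair(PRIMARY, FAILOVER) or ["plan passes"]:
        print(line)
```

The constructed failover subnet fails four rules at once: it is smaller than /24, already has resources, shares the primary's region, and has a different IP count.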
Create the enterprise policy
Create subnet injection enterprise policies, using the virtual network and subnet you delegated.
Grant read access to the Power Platform Administrator role.
Configure your Power Platform environment
Run the subnet injection script for your environment.
Validate the connection
Go to the Power Platform admin center and select the environment where you set up virtual network support.
Select History.
If the Status says Succeeded, the enterprise policy link with your environment was successful.