Set up virtual network support for Power Platform

Note

The Power Platform Virtual Network community on Microsoft Viva Engage is available. You can post any questions or feedback that you have about this functionality. You can join by filling out a request through the following form: Request access to Finance and Operations Viva Engage Community.

By using Azure virtual network support for Power Platform, you can integrate Power Platform and Dataverse components with cloud services or services hosted inside your private enterprise network without exposing them to the public internet. This article explains how to set up virtual network support in your Power Platform environments.

Prerequisites

Note

To enable virtual network support for Power Platform, environments must be Managed Environments.

  • Review your Power Platform resources: Check your apps, flows, and plug-in code to ensure they connect over your virtual network. They shouldn't call endpoints over the public internet. If your components need to connect to public endpoints, ensure your firewall or network configuration allows such calls. Learn more in Considerations to enable virtual network support for Power Platform environment and in the Frequently asked questions.

  • Prepare your tenant and set up permissions:

    • Azure subscription: Make sure you have an Azure subscription where you create virtual network, subnet, and enterprise policy resources.
    • Assign roles: Make sure you have the required roles to create resources and enterprise policy.
      • In the Azure portal, assign the Azure network administrator role, such as the network contributor role or an equivalent custom role.
      • In the Microsoft Entra admin center, assign the Power Platform administrator role.
  • Prepare to use PowerShell:

The following diagram shows the functions of the roles in the setup process for virtual network support in a Power Platform environment.

Screenshot of the configurations for virtual network support in a Power Platform environment.

Important

Power Platform performs active health checks when set up within the delegated network. As a result, expect periodic requests to verify your connection to the configured DNS server via TCP on port 53. To ensure health reporting is accurate, allowlist this request from the subnet that makes requests. You can validate the functionality of this setting by using the diagnostic tooling with the Test-NetworkConnectivity command. Learn more about this topic in Troubleshoot virtual network issues.

Clarifications

  • You must create your virtual networks in Azure regions associated with your Power Platform environment. For example, if your Power Platform environment region is United States, create your virtual networks in the eastus and westus Azure regions. For a mapping of environment region to Azure regions, review the list of supported regions.

  • If there are two or more supported regions for the geography, such as the United States with eastus and westus, you need two virtual networks in different regions to create the enterprise policy. This requirement applies to both production and nonproduction environments.

  • Make sure that you appropriately size the subnet you create according to Estimating subnet size for Power Platform environments. If more than one subnet is required, both subnets must have the same number of available IP addresses. After you delegate the subnet to Power Platform, you need to contact Microsoft Support to change the subnet range.

  • You can reuse existing virtual networks, if desired. The same subnet can't be reused in multiple enterprise policies.
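
The following pre-flight check is an added example, not part of the Microsoft.PowerPlatform.EnterprisePolicies module. It applies the requirements above to a two-region geography: both subnets delegated, virtual networks in different regions, and equal available address counts. The function names and the sample virtual networks are hypothetical.

```powershell
# Added example: pre-flight check for a pair of subnets before creating the policy.
# $east/$west are constructed samples. In a real run, fill the same fields from
# Get-AzVirtualNetwork and Get-AzVirtualNetworkSubnetConfig (Az.Network).
$RequiredDelegation = 'Microsoft.PowerPlatform/enterprisePolicies'

function Get-UsableAddressCount {
    param([Parameter(Mandatory)][string]$Cidr)    # IPv4 prefix, e.g. 10.10.0.0/24
    $bits = [int](($Cidr -split '/')[1])
    # Azure reserves five addresses in every subnet.
    return [long][math]::Pow(2, 32 - $bits) - 5
}

function Test-DelegatedSubnetPair {
    param(
        [Parameter(Mandatory)][pscustomobject]$First,
        [Parameter(Mandatory)][pscustomobject]$Second
    )
    $problems = @()
    foreach ($s in $First, $Second) {
        if ($s.Delegations -notcontains $RequiredDelegation) {
            $problems += "$($s.Subnet): not delegated to $RequiredDelegation"
        }
    }
    if ($First.Location -eq $Second.Location) {
        $problems += "Both virtual networks are in '$($First.Location)'; use different regions"
    }
    $a = Get-UsableAddressCount $First.AddressPrefix
    $b = Get-UsableAddressCount $Second.AddressPrefix
    if ($a -ne $b) {
        $problems += "Available addresses differ: $($First.Subnet)=$a, $($Second.Subnet)=$b"
    }
    return $problems
}

$east = [pscustomobject]@{
    Subnet = 'myVnetEast/mySubnet'; Location = 'eastus'
    AddressPrefix = '10.10.0.0/24'; Delegations = @($RequiredDelegation)
}
$west = [pscustomobject]@{
    Subnet = 'myVnetWest/mySubnet'; Location = 'westus'
    AddressPrefix = '10.20.0.0/25'; Delegations = @()   # not yet delegated, smaller range
}

$issues = @(Test-DelegatedSubnetPair -First $east -Second $west)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else {
    Write-Output 'Subnet pair satisfies the delegation, region and size requirements.'
}
```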

Set up virtual network support

You can configure and enable virtual network support by using PowerShell scripts or through manual steps. In both methods, the steps to follow can be categorized as follows.

  1. Set up the virtual network and subnets.
  2. Create the enterprise policy.
  3. Configure your Power Platform environment.

Setup with PowerShell

  1. Install and load the Microsoft.PowerPlatform.EnterprisePolicies module.

    Install-Module Microsoft.PowerPlatform.EnterprisePolicies
    Import-Module Microsoft.PowerPlatform.EnterprisePolicies
    
  2. Configure your virtual network and subnet for delegation to Power Platform. Run this command for each virtual network that has a delegated subnet. Review the number of IP addresses that are allocated to each subnet and consider the load of the environment.

    New-VnetForSubnetDelegation -SubscriptionId "00000000-0000-0000-0000-000000000000" -VirtualNetworkName "myVnet" -SubnetName "mySubnet"
    

    Important

  3. Create your enterprise policy using the virtual networks and subnets you delegated. Remember that two virtual networks in different regions are required for geographies that support two or more regions.

    New-SubnetInjectionEnterprisePolicy -SubscriptionId "00000000-0000-0000-0000-000000000000" -ResourceGroupName "myResourceGroup" -PolicyName "myPolicy" -PolicyLocation "unitedstates" -VirtualNetworkId "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet" -SubnetName "default"
    
  4. (Optional) Grant read access for the enterprise policy to users with the Power Platform administrator role.

  5. To link your newly created policy, run the following command.

    Enable-SubnetInjection -EnvironmentId "00000000-0000-0000-0000-000000000000" -PolicyArmId "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.PowerPlatform/enterprisePolicies/myPolicy"
    

    Tip

    If you need a different account to link the policy, use the -ForceAuth switch to ensure you're prompted to sign in to a new account.

Manual setup

  1. Register the following resource providers in your subscription. For information on how to register a resource provider, see Register resource provider.

    • Microsoft.Network
    • Microsoft.PowerPlatform
  2. Register the following feature in your subscription. For information on how to register a feature, see Register preview feature.

    • enterprisePoliciesPreview
  3. Create your virtual network and subnets by following the guidance at Create a virtual network.

    Note

    You can skip creating the bastion host. It isn't necessary for the Power Platform virtual network functionality.

  4. Use an existing subnet or create a new subnet and delegate it to Microsoft.PowerPlatform/enterprisePolicies. For more information, see Add or remove a subnet delegation.

  5. To verify if a subnet is successfully delegated, go to your subnet and check the Delegated to column, as shown in the following image.

    Screenshot of a delegated subnet in the Azure portal.

  6. After you create paired virtual networks, you can view them in your Azure resource group, as shown in the following image.

    Screenshot of virtual networks in your Azure resource group.

  7. Make sure you capture the necessary details from the virtual networks you created, such as the following information:

    • VnetOneSubnetName
    • VnetOneResourceId
    • VnetTwoSubnetName
    • VnetTwoResourceId
  8. Deploy a custom template in the Azure portal. Select the Build your own template in the editor link and copy and paste the following JSON script.

    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "policyName": {
                "type": "string",
                "metadata": {
                    "description": "The name of the Enterprise Policy."
                }
            },
            "powerplatformEnvironmentRegion": {
                "type": "string",
                "metadata": {
                    "description": "Geography of the PowerPlatform environment."
                }
            },
            "vNetOneSubnetName": {
                "type": "string"
            },
            "vNetOneResourceId": {
                "type": "string",
                "metadata": {
                    "description": "Fully qualified name, such as /subscription/{subscriptionid}/..."
                }
            },
            "vNetTwoSubnetName": {
                "defaultValue": "",
                "type": "string"
            },
            "vNetTwoResourceId": {
                "defaultValue": "",
                "type": "string",
                "metadata": {
                    "description": "Fully qualified name, such as /subscription/{subscriptionid}/..."
                }
            }
        },
        "variables": {
            "vNetOne": {
                "id": "[parameters('vNetOneResourceId')]",
                "subnet": {
                    "name": "[parameters('vNetOneSubnetName')]"
                }
            },
            "vNetTwo": {
                "id": "[parameters('vNetTwoResourceId')]",
                "subnet": {
                    "name": "[parameters('vNetTwoSubnetName')]"
                }
            },
            "vNetTwoSupplied": "[and(not(empty(parameters('vNetTwoSubnetName'))), not(empty(parameters('vNetTwoResourceId'))))]"
        },
        "resources": [
            {
                "type": "Microsoft.PowerPlatform/enterprisePolicies",
                "apiVersion": "2020-10-30-preview",
                "name": "[parameters('policyName')]",
                "location": "[parameters('powerplatformEnvironmentRegion')]",
                "kind": "NetworkInjection",
                "properties": {
                    "networkInjection": {
                        "virtualNetworks": "[if(variables('vNetTwoSupplied'), concat(array(variables('vNetOne')), array(variables('vNetTwo'))), array(variables('vNetOne')))]"
                    }
                }
            }
        ]
    }
    
  9. Save the template and fill in the details to create the enterprise policy, which includes the following information:

    • Policy name: Name of the enterprise policy that appears in the Power Platform admin center.
    • Location: Select the location of the enterprise policy, corresponding with the Dataverse environment's region:
      • unitedstates
      • southafrica
      • uk
      • japan
      • india
      • france
      • europe
      • germany
      • switzerland
      • canada
      • brazil
      • australia
      • asia
      • uae
      • korea
      • norway
      • singapore
      • sweden
      • usgov
    • VnetOneSubnetName: Enter the name of the subnet from the first virtual network.
    • VnetOneResourceId: Enter the resource ID from the first virtual network.
    • VnetTwoSubnetName: Enter the name of the subnet from the second virtual network.
    • VnetTwoResourceId: Enter the resource ID from the second virtual network. It should match the strings from the JSON script, for example: vNetOneResourceId, vNetOneSubnetName.
  10. Select Review + create to finalize the enterprise policy.

    Screenshot of selecting Review and create to finalize the enterprise policy.

  11. (Optional) Grant read access for the enterprise policy to users with the Power Platform administrator role.

  12. To assign your policy to your environment, sign in to the Power Platform admin center.

    1. In the navigation pane, select Security.
    2. In the Security pane, select Data and privacy.
    3. In the Data protection and privacy page, select Azure Virtual Network policies. The Virtual Network policies pane is displayed.
    4. Select the environment you want to assign to the enterprise policy, select the policy, and select Save. Now the enterprise policy is linked to the environment.

    Important

    You can remove an enterprise policy from an environment only through PowerShell by using Disable-SubnetInjection.

    Disable-SubnetInjection -EnvironmentId "00000000-0000-0000-0000-000000000000"
    
  13. Validate the policy association by signing in to the Power Platform admin center.

    1. In the navigation pane, select Manage.
    2. In the Manage pane, select Environments.
    3. On the Environments page, select an environment.
    4. In the command bar, select History.
    5. Verify that the Status shows Succeeded.
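
The following parameter check for the template in steps 8 and 9 of the manual setup is an added example, not part of Microsoft's tooling. In the template, vNetTwoSupplied is true only when both vNetTwoSubnetName and vNetTwoResourceId are non-empty, so a half-filled pair deploys a single-network policy without an error; the check catches that case before deployment. The function name, the template file name, and the sample values are hypothetical.

```powershell
# Added example: check template parameters before deploying; sample values are constructed.
$Locations = 'unitedstates','southafrica','uk','japan','india','france','europe',
             'germany','switzerland','canada','brazil','australia','asia','uae',
             'korea','norway','singapore','sweden','usgov'
$VnetId = '^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+' +
          '/providers/Microsoft\.Network/virtualNetworks/[^/]+$'
function Test-EnterprisePolicyParameter {
    param([Parameter(Mandatory)][hashtable]$P)
    $problems = @()
    if ($Locations -notcontains $P.powerplatformEnvironmentRegion) {
        $problems += "Location '$($P.powerplatformEnvironmentRegion)' is not in the supported list"
    }
    if ([string]::IsNullOrWhiteSpace($P.vNetOneSubnetName)) {
        $problems += 'vNetOneSubnetName is empty'
    }
    if ($P.vNetOneResourceId -notmatch $VnetId) {
        $problems += 'vNetOneResourceId is not a full virtual network resource ID'
    }
    $hasName = -not [string]::IsNullOrEmpty($P.vNetTwoSubnetName)
    $hasId   = -not [string]::IsNullOrEmpty($P.vNetTwoResourceId)
    if ($hasName -ne $hasId) {
        # vNetTwoSupplied is false unless both are non-empty, so the template
        # would deploy a single-network policy without reporting an error.
        $problems += 'Supply vNetTwoSubnetName and vNetTwoResourceId together'
    } elseif ($hasId -and $P.vNetTwoResourceId -notmatch $VnetId) {
        $problems += 'vNetTwoResourceId is not a full virtual network resource ID'
    } elseif ($hasId -and $P.vNetTwoResourceId -eq $P.vNetOneResourceId) {
        $problems += 'vNetOne and vNetTwo are the same virtual network'
    }
    return $problems
}

$sub = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup'
$params = @{
    policyName                     = 'myPolicy'
    powerplatformEnvironmentRegion = 'unitedstates'
    vNetOneSubnetName              = 'mySubnet'
    vNetOneResourceId              = "$sub/providers/Microsoft.Network/virtualNetworks/myVnetEast"
    vNetTwoSubnetName              = ''      # forgotten: second network would be dropped
    vNetTwoResourceId              = "$sub/providers/Microsoft.Network/virtualNetworks/myVnetWest"
}

$issues = @(Test-EnterprisePolicyParameter -P $params)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else {
    # Placeholder file name; the template is the JSON from step 8.
    # New-AzResourceGroupDeployment -ResourceGroupName myResourceGroup `
    #     -TemplateFile ./enterprisePolicy.json -TemplateParameterObject $params
    Write-Output 'Parameters are consistent with the template.'
}
```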