| title | description | ms.component | ms.topic | ms.date | author | ms.author | ms.reviewer | ms.subservice | ms.custom | search.audienceType | |
|---|---|---|---|---|---|---|---|---|---|---|---|
Set up Virtual Network support for Power Platform |
Learn how to set up Azure Virtual Network support for Power Platform. |
pa-admin |
conceptual |
05/28/2024 |
ritesp |
ritesp |
sericks |
admin |
admin-security |
|
Azure Virtual Network support for Power Platform allows you to integrate Power Platform and Dataverse components with cloud services, or services hosted inside your private enterprise network, without exposing them to the public internet. This article helps you set up virtual network support in your Power Platform environments.
- Review your apps, flows, and plug-in code to ensure they connect over your virtual network—they shouldn't call endpoints over the public internet. If your components need to connect to public endpoints, ensure your firewall or network configuration allows such calls.
Note
To enable Virtual Network support for Power Platform, environments must be Managed Environments.
-
Prepare your tenant:
-
Have an Azure subscription with permissions to create a virtual network, subnet, and the enterprise policy resources.
-
Download PowerShell scripts for enterprise policies.
-
-
Give permissions:
-
In the Azure portal, assign users the Azure Network Administrator role.
-
In the Power Platform admin center, assign users the Power Platform Administrator role.
-
The following diagram shows virtual network support in a Power Platform environment.
:::image type="content" source="media/vnet-support/vnet-support-configurations.png" alt-text="Screenshot that shows the configurations for virtual network support in a Power Platform environment." lightbox="media/vnet-support/vnet-support-configurations.png":::
The following four steps help you set up your virtual network.
-
Register Microsoft.PowerPlatform as a resource provider for the subscription that contains your virtual network.
-
Sign in to the Azure portal and navigate to your subscription.
-
Select Resource providers.
-
Search for and select Microsoft.PowerPlatform.
-
Select Register.
More information: Register resource provider
When you set up your virtual network, you need to delegate both a primary and a failover subnet. The failover subnet must be in a different region from the primary. For example, if your primary subnet is in WEST US, then the failover must be in EAST US.
Note
Power Platform doesn't support the CENTRAL US region. Find your virtual network location.
-
You need to delegate subnets that do not have any resources connected to them. Delegate the subnet to the Power Platform enterprise policies by running a subnet injection script for both your primary and failover subnets.
[!IMPORTANT] Have at least 24 Classless Inter-Domain Routing (CIDR) addresses, which is 251 IP addresses and 5 reserved IP addresses, in the subnet you create. To delegate the same subnet to multiple environments, you might need more IP addresses in that subnet.
To allow internet access within Power Platform containers, create an Azure NAT gateway for the delegated subnets.
-
Review the number of IP addresses that are allocated to each subnet and consider the load of the environment. Both primary and failover subnets must have the same number of available IP addresses.
-
Create subnet injection enterprise policies, using the virtual network and subnet you delegated.
-
Grant read access to the Power Platform Administrator role.
Run the subnet injection script for your environment.
-
Go to the Power Platform admin center and select the environment where you set up virtual network support.
-
Select History.
You should see that the enterprise policies link with your environment is successful if the Status says Succeeded.
:::image type="content" source="media/vnet-support/vnet-success-linked.png" alt-text="Screenshot showing your virtual network is linked to your environment." lightbox="media/vnet-support/vnet-success-linked.png":::