Set up Virtual Network support for Power Platform
Azure Virtual Network support for Power Platform allows you to integrate Power Platform and Dataverse components with cloud services, or services hosted inside your private enterprise network, without exposing them to the public internet. This article helps you set up virtual network support in your Power Platform environments.
Prerequisites
- Review your apps, flows, and plug-in code to ensure they connect over your virtual network—they shouldn't call endpoints over the public internet. If your components need to connect to public endpoints, ensure your firewall or network configuration allows such calls.
Note
To enable Virtual Network support for Power Platform, environments must be Managed Environments.
Prepare your tenant:
Have an Azure subscription with permissions to create a virtual network, subnet, and the enterprise policy resources.
Download PowerShell scripts for enterprise policies.
Give permissions:
In the Azure portal, assign users the Azure Network Administrator role.
In the Power Platform admin center, assign users the Power Platform Administrator role.
The following diagram shows virtual network support in a Power Platform environment.
Set up Virtual Network support
The following four steps help you set up your virtual network.
Register Microsoft.PowerPlatform as a resource provider for the subscription that contains your virtual network.
Register Microsoft.PowerPlatform as a resource provider
Sign in to the Azure portal and navigate to your subscription.
Select Resource providers.
Search for and select Microsoft.PowerPlatform.
Select Register.
More information: Register resource provider
Set up the virtual network and subnets
When you set up your virtual network, you need to delegate both a primary and a failover subnet. The failover subnet must be in a different region from the primary. For example, if your primary subnet is in WEST US, then the failover must be in EAST US.
Note
Power Platform doesn't support the CENTRAL US region. Find your virtual network location.
You need to delegate subnets that do not have any resources connected to them. Delegate the subnet to the Power Platform enterprise policies by running a subnet injection script for both your primary and failover subnets.
Important
Have at least a /24 Classless Inter-Domain Routing (CIDR) address block, which is 251 usable IP addresses plus 5 reserved IP addresses, in the subnet you create. To delegate the same subnet to multiple environments, you might need more IP addresses in that subnet.
To allow internet access within Power Platform containers, create an Azure NAT gateway for the delegated subnets.
Review the number of IP addresses that are allocated to each subnet and consider the load of the environment. Both primary and failover subnets must have the same number of available IP addresses.
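A pre-flight check for a planned primary and failover subnet pair against the rules in this section, as an added example that is not part of the original article or of the enterprise policy scripts. The `SubnetPlan` record, the `check_pair` function, and the sample names and address ranges are hypothetical; it assumes both subnets are empty, so the available addresses equal the block size minus the 5 reserved ones.

```python
import ipaddress
from dataclasses import dataclass

MIN_PREFIX_LEN = 24          # page: at least a /24 per delegated subnet
RESERVED_IPS = 5             # page: 5 reserved addresses per subnet
UNSUPPORTED = {"centralus"}  # page: CENTRAL US isn't supported

@dataclass
class SubnetPlan:            # hypothetical planning record, not an Azure type
    name: str
    region: str
    cidr: str
    attached_resources: int = 0

def _region(r: str) -> str:
    return r.replace(" ", "").lower()   # "WEST US" -> "westus"

def check_pair(primary: SubnetPlan, failover: SubnetPlan) -> list[str]:
    """Return a list of problems; an empty list means the pair fits the rules above."""
    problems, usable = [], []
    for s in (primary, failover):
        if _region(s.region) in UNSUPPORTED:
            problems.append(f"{s.name}: region {s.region} is not supported")
        if s.attached_resources:
            problems.append(f"{s.name}: {s.attached_resources} resource(s) attached; "
                            "delegate an empty subnet")
        try:
            # strict=True rejects host bits, e.g. 10.0.1.5/24
            net = ipaddress.ip_network(s.cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{s.name}: invalid CIDR: {exc}")
            continue
        if net.prefixlen > MIN_PREFIX_LEN:
            problems.append(f"{s.name}: /{net.prefixlen} is smaller than /{MIN_PREFIX_LEN}")
        usable.append(net.num_addresses - RESERVED_IPS)
    if _region(primary.region) == _region(failover.region):
        problems.append("primary and failover are in the same region")
    if len(usable) == 2 and usable[0] != usable[1]:
        problems.append(f"usable IP counts differ: {usable}")
    return problems

# Constructed sample plans (names and address ranges are made up).
GOOD = (SubnetPlan("pp-primary", "WEST US", "10.10.0.0/24"),
        SubnetPlan("pp-failover", "EAST US", "10.20.0.0/24"))
BAD = (SubnetPlan("pp-primary", "CENTRAL US", "10.10.0.0/25", attached_resources=2),
       SubnetPlan("pp-failover", "Central US", "10.20.0.0/24"))

if __name__ == "__main__":
    for label, pair in (("good", GOOD), ("bad", BAD)):
        print(label, check_pair(*pair) or "OK")
```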
Create the enterprise policy
Create subnet injection enterprise policies, using the virtual network and subnet you delegated.
Grant read access to the Power Platform Administrator role.
Configure your Power Platform environment
Run the subnet injection script for your environment.
Validate the connection
Go to the Power Platform admin center and select the environment where you set up virtual network support.
Select History.
If the Status shows Succeeded, the enterprise policy was linked to your environment successfully.