Edit

Share via


Virtual network (VNet) data gateway FAQs

This article contains a list of frequent asked questions (FAQs) about the virtual network (VNet) data gateways.

Does the virtual network data gateway support Azure Government cloud?

We support GCC L4 (Texas and Virginia) and L5 (DoD East). This feature is currently not supported in GCC L2.

How should I manage my Azure resources after deleting a VNet data gateway?

Customers shouldn't remove the subscription level RP assignment until at least three hours after deleting a gateway because we still need to clean up resources.

Why do I get the errors "InvalidConnectionCredentials" or "AccessUnauthorized" when accessing data sources using OAuth2 credentials from Dataflow Gen1 even though the credentials are updated recently (mid-stream token refresh issue)?

When using OAuth2 credentials in Dataflow Gen1, the gateway doesn't support refreshing tokens automatically when access tokens expire. Tokens typically expire 1 hour after the refresh starts, but can expire in less than 1 hour, depending on the data source and the tenant policies. Dataflow Gen2, semantic models, and data pipelines are able to refresh tokens mid-stream and shouldn't be impacted due to this.

Does the virtual network data gateway support Azure air gapped clouds?

We support air gapped clouds in US Nat East/West and US Sec East/West.

How can I secure connectivity from my network to Power BI?

Use Private links to secure this connectivity. For more information, go to Power BI Private Links documentation.

Where is my virtual network data gateway?

The virtual network data gateway is physically in the same region as your Azure virtual network. However, the metadata (name, details, data sources, encrypted credentials, and so on) for all your virtual network data gateways are stored in your tenant's default region. You can manage all virtual network data gateways when you select your tenant's home region in Power Platform admin center.

Does the virtual network data gateway support conditional access policies?

Yes. You can use a virtual network data gateway and your conditional access policies still applies.

What data sources are supported on the virtual network data gateway?

A complete list of supported data services:

What are the licensing requirements in Power BI to use virtual network data gateways?

Virtual network data gateways are a premium-only feature and are available only in Fabric (any F SKU) and Power BI Premium capacities (A4 SKU or higher or any P SKU). Fabric Trial capacities aren't supported for VNet Data Gateways.

Some of my data sources are connected to my virtual network using service endpoint and some using private endpoint. Can I connect to all of them using virtual network data gateways?

Yes

Why am I not able to create a service endpoint for my data source in my virtual network?

Review Azure virtual network documentation for restrictions (for example, region related) on VNets, endpoints, and associated Azure resources.

How do I create a private endpoint for my data sources and associate it to a virtual network?

Review the corresponding Azure data service product documentation to check if private endpoints are supported and on how to enable them.

Why can't I create a virtual network data gateway connection with OAuth authentication towards an Azure resource configured with private endpoints?

If you're getting errors such as Authorization failed for Public API route or DM_GWPipeline_Client_OAuthTokenLoginFailedError when trying to create a virtual network data gateway connection with OAuth authentication towards an Azure resource with a firewall blocking public internet access and configured with private endpoints, this means that you need to explicitly create a service endpoint for private authentication by calling the Microsoft Entra ID service. To resolve this situation, go to the virtual network subnet used for the virtual network data gateway, and enable the service endpoint Microsoft.AzureActiveDirectory as depicted in the following image.

Screenshot showing virtual network configuration on service endpoint for Microsoft Entra ID.

Can I use this feature if my data source is in East US and my Power BI home region is in East US2?

Yes, there's no dependency on the Power BI home region for this feature. If this feature is enabled in the region where the virtual network exists, you're able to create a new virtual network data gateway.

Can I choose the region where virtual network data gateways are created?

No. The virtual network data gateway is physically in the same region as your Azure virtual network. Currently, you also can't choose where the metadata (name, details, data sources, encrypted credentials, and so on) for all your virtual network data gateways are stored. That data is stored in your tenant's default region.

Does virtual network data gateway support cross-tenant scenarios?

No. The virtual network data gateway must be created in the same tenant as the Power BI tenant.

Can I use this feature if my tenant is in East US (United States) and Power platform environment is in Europe?

No, virtual network gateways are currently available only in your tenant's home region.

Why can't I connect to the data source?

Few areas to check:

  • Make sure your data source is up and running.
  • Make sure that the data source can be accessed from within the virtual network—specifically from the subnet delegated while creating the virtual network data gateway. For instance, you could deploy a VM in the subnet and check if you can connect to the data source.
  • The following Azure Network Security Groups (NSGs) could be required depending on your scenario:
    • Allow outbound traffic to the Microsoft Entra ID endpoint while using OAuth or Service Principal authentication to connect to a data source.
    • Allow outbound traffic to CA (Certificate Authority) while using HTTPS to connect to a data source.

How is the connectivity between the virtual network service and your virtual network secured?

The connectivity between the new virtual network service and your virtual network is via HTTPS and TLS 1.2.

Are there any known connectivity issues for SQL serverless with auto-pause?

For SQL serverless with auto-pause, the first request might fail if SQL is in a paused state, but the next ones will succeed.

Is there a delay when the virtual network data gateway is used for the first time or after a period of inactivity?

When used for the first time, the virtual network data gateway takes about 2 minutes to get setup. Similarly, if the virtual network data gateway isn't used for 30 minutes, you could experience a delay of about a minute the next time you use it.

Is this feature supported in sovereign clouds?

Yes, it's supported in sovereign cloud.

Do I need to manage any hardware to use the VNet data gateway?

No. The VNet data gateway provides fully managed compute. You can choose to scale the number of nodes in each cluster.

Can I create multiple virtual network data gateways for the same Azure data service?

Yes

Why can't I delete the subnet or the virtual network that delegated to Power Platform?

Check if there are other gateways using the same virtual network and subnet. To be able to delete, it would take up to 48 to 72 hours after the last gateway using this virtual network and subnet was removed.

How large does the delegated subnet need to be?

Beyond the five reserved IPs, our recommendation is to have approximately 5-7 more IPs so you can add more virtual network data gateways to the same virtual network and Subnet.

I'm a subscription owner but I get an insufficient permissions error when I try to create a virtual network data gateway.

Make sure you're explicitly in a role with the Microsoft.Network/virtualNetworks/subnets/join/action permission on the virtual network like the Azure Network Contributor role. This permission is required for creating a virtual network data gateway.

Does all of the data when using the virtual network data gateway remain on Microsoft's backbone network when accessing Azure Data Sources? How does security compare to the on-premises data gateway?

Yes, all the data going through a virtual network data gateway remains on the Azure backbone. We use an internal Microsoft tunnel that doesn't reach the public internet between the virtual network and Power BI service. On the other hand, the on-premises data gateway opens a connection to use Azure Relay to connect to the Power BI service.

Which Azure components need to be in the same region?

Considering the various resources: subscription, Microsoft.PowerPlatform resource provider, virtual network, subnet, and Power BI Service's home tenant. If you're using a service endpoint, the virtual network and subnet should be in the same region as the data to which you're connecting. If you're using a private endpoint, they can be in different regions. The data gateway configuration lives in the Power BI home tenant region.

Is there any way to connect from the subnet of one virtual network to the data source of another virtual network?

A virtual network data gateway can generally reach sources that are reachable within that same virtual network. If there's another virtual network that is isolated from the first, then another virtual network data gateway is necessary.

Any other known issues?

  • You can't delegate a subnet called gatewaysubnet to the Power Platform admin center. This restriction is because it's a reserved word for the Azure Gateway Subnet feature.
  • You can't change the region, subscription, or resource group for the virtual network on which the virtual network data gateway was created. This scenario isn't currently supported.
  • If an OAuth refresh that takes longer that one hour is canceled with the error "Invalid Connection Credentials" or timeout, the issue is likely that the credential expired.

What do I need to do if I reach the maximum limit of 1,000 data sources on a VNet data gateway, and how do I avoid reaching this limit?

Users are limited to 1,000 data sources on each VNet data gateway. If you reach the maximum number of data sources limit, verify that the number of data sources for each VNet data gateway isn't over the limit of 1000. To resolve any related issues, you can manually remove the data sources from the admin center or, alternatively, use the following PowerShell script to bulk-delete all data sources using a specified VNet data gateway that exceeds that limit. You'd need to replace the text "GatewayClusterID" with the specific VNet data gateway ID for this script to work.

## https://free.blessedness.top/powershell/module/datagateway/?view=datagateway-ps
## PowerShell version of '7.0.0' to run
## required module "DataGateway" Install-Module -Name DataGateway and sign in the same user who exceeded the 1000 limit
Connect-DataGatewayServiceAccount
 
## get the gateway information per the sign in person
$datasources = Get-DataGatewayClusterDatasource -GatewayClusterId <GatewayClusterId>;
foreach ($datasource in $datasources)
{
  $datasource
  "datasource id={2}, datasourceType={3}, datasource connection details={4}" -f $datasource.Id, $datasource.DatasourceType, $datasource.ConnectionDetails
 
  ## conditional logic to determine if name matches set
  ## Remove-DataGatewayClusterDatasource -GatewayClusterId $gw.Id -GatewayClusterDatasourceId $datasource.Id
}