Access inbound restricted lakehouse data from Power BI using an OPDG gateway

2025-08-15

An on-premises data gateway (OPDG) can be used to establish cross-workspace communication between an open workspace and a workspace that restricts inbound public access. For example, if you want to access a lakehouse in an inbound restricted workspace from Power BI reports and semantic models in an open workspace, you can set up an OPDG. An OPDG is typically installed on a virtual machine or a physical server inside a private network and acts as a bridge between your data and Fabric cloud services.

Diagram illustrating a connection using an on-premises data gateway.

In this diagram, the open workspace (Workspace 1) contains Power BI reports and a semantic model that is bound to an OPDG. The OPDG enables the connection to the lakehouse in the inbound restricted workspace. This setup allows Power BI reports and semantic models in Workspace 1 to securely access the lakehouse in Workspace 2 without exposing it to public access.

This article explains how to connect an open workspace to data in a restricted workspace using an OPDG for Power BI semantic models.

Step 1: Create the workspaces

You need both an open workspace and a restricted workspace. In this article, the workspaces are referred to as follows:

The source workspace is the open workspace without public access restriction and is where you create the reports and semantic models.
The target workspace is the restricted workspace with public access restriction and is where you create the lakehouse.

To create the workspaces, follow these steps:

Create two workspaces in Fabric. For details, see Create a workspace.
In the tenant settings, enable workspace-level inbound access protection.
For the target workspace, set up workspace-level private links.

Note

This article refers to the workspaceFQDN, which is the fully qualified domain name (FQDN) of the workspace. The format is:

https://{workspaceID}.z{xy}.w.api.fabric.microsoft.com

https://{workspaceID}.z{xy}.onelake.fabric.microsoft.com

Where the {workspaceID} is the workspace ID without dashes, and {xy} is the first two letters of the workspace object ID (see also Connecting to workspaces).

You can find a workspace ID by opening the workspace page in the Fabric portal and noting the ID after "groups/" in the URL. You can also find a workspace FQDN using List workspace or Get workspace in the API.

Step 2: Create a lakehouse in the target (restricted) workspace

Create a lakehouse in the target workspace and upload a Delta Table to it by following these steps.

Create a lakehouse in the target workspace using the API. Use the format:
```
POST https://{workspaceFQDN}/v1/workspaces/{workspaceID}/lakehouses
```
where {workspaceFQDN} is {workspaceID}.z{xy}.w.api.fabric.microsoft.com

For example: POST https://aaaaaaaa000011112222bbbbbbbbbbbb.zaa.w.api.fabric.microsoft.com/v1/workspaces/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/lakehouses
Add data to the lakehouse by using Azure Storage Explorer to upload your Delta Table folder into the lakehouse. In Azure Storage Explorer, select ADLS Gen2 container or directory.
Sign in. Then enter a display name for the storage and enter the blob container URL in the following format:

https://{workspaceFQDN}/{workspaceID}/{lakehouseID}

where {workspaceFQDN} is {workspaceID}.z{xy}.onelake.fabric.microsoft.com

For example: POST https://aaaaaaaa000011112222bbbbbbbbbbbb.zaa.w.api.fabric.microsoft.com/v1/workspaces/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/bbbbbbbb-1111-2222-3333-cccccccccccc
Select Connect. The storage should now be displayed.
Under the Tables folder, upload the Delta Table you want to use (for example, the customers table).

Step 3: Create a semantic model in the open workspace

Now that you have a lakehouse in the restricted workspace, you can create a semantic model in the open workspace that references this lakehouse.

In the open workspace, create a semantic model using a definition with the same table schema as in the restricted lakehouse. Use the following API:
```
POST https://{workspaceFQDN}/v1/workspaces/{workspaceID}/semanticModels
```
where {workspaceFQDN} is {workspaceID}.z{xy}.w.api.fabric.microsoft.com
Before executing the semantic model creation, edit the data source to reference the restricted lakehouse’s connection string and lakehouse ID. Convert the definition/tables/customers.tmdl file from the semantic model definition from Base64 to JSON and copy the output.
Update the source with the restricted lakehouse’s connection string and database ID. Then convert the JSON back to Base64 and use it in your semantic model creation request.
Use the Get Lakehouse API to retrieve the connection string and lakehouse ID:
```
GET https://{workspaceFQDN}/v1/workspaces/{workspaceID}/lakehouses
```
where {workspaceFQDN} is {workspaceID}.z{xy}.w.api.fabric.microsoft.com

Step 4: Enable a gateway connection in the semantic model settings

To enable the semantic model to connect to the lakehouse in the restricted workspace, you need to set up an on-premises data gateway (OPDG) and bind it to the semantic model.

In the Power BI semantic model settings, turn on the toggle under Gateway Connections.
Install and configure an OPDG on a virtual machine as described in Install an on-premises data gateway.
Use the API to retrieve the Gateway ID for the installed OPDG instance:

https://api.fabric.microsoft.com/v1/gateways
In Power BI, create the OPDG SQL Server connection. Use the lakehouse's server name and lakehouse ID as the database, authenticate using OAuth2, and copy the resulting Connection ID.
Use the API to bind the semantic model to the gateway ID and connection ID:

https://api.powerbi.com/v1.0/myorg/groups/{workspaceID}/datasets/{SemanticModelID}/Default.BindToGateway
Verify the gateway binding. In the Semantic Model settings, refresh the page. The OPDG should now be shown as the active gateway.
Refresh the dataset and build a report.

Feedback

Was this page helpful?