Note
The new and improved Power Platform admin center is now in public preview and on by default! We designed the new admin center to be easier to use, with task-oriented navigation that helps you achieve specific outcomes faster. We'll be publishing new and updated documentation as the new Power Platform admin center moves to general availability.
Azure Virtual Network support for Power Platform allows you to integrate Power Platform and Dataverse components with cloud services, or services hosted inside your private enterprise network, without exposing them to the public internet. This article helps you set up virtual network support in your Power Platform environments.
Prerequisites
Note
To allow Virtual Network support for Power Platform, environments must be Managed Environments.
Review your apps, flows, and plug-in code to ensure they connect over your virtual network. They shouldn't call endpoints over the public internet. If your components need to connect to public endpoints, ensure your firewall or network configuration allows such calls. Learn more in Considerations to enable Virtual Network support for Power Platform Environment and in the FAQ.
Prepare your tenant, set up permissions:
- Have an Azure subscription where virtual network, subnet, and enterprise policy resources will be created.
- In the Azure portal, assign an Azure network administrator role, such as the Network Contributor role or an equivalent custom role.
- In the Microsoft Entra admin center, assign the Power Platform Administrator role.
Prepare to use PowerShell:
- Use Windows PowerShell or install PowerShell Core
- Clone the GitHub repository to obtain the PowerShell scripts for enterprise policies
- Run the "install modules and setup subscription" scripts
The following diagram depicts the functions of the roles in the setup process for virtual network support in a Power Platform environment.
Set up Virtual Network support
- Set up the virtual network and subnets.
- Create the enterprise policy.
- Configure your Power Platform environment.
Set up the virtual network and subnets
Note
Power Platform doesn't support the Central US region. Review the list of supported regions.
Create virtual networks in Azure regions associated with your Power Platform environment. For example, if your Power Platform environment region is United States, your virtual networks should be created in the eastus or westus Azure regions. For a mapping of environment region to Azure regions, review the list of supported regions.
Important
- If there are two or more supported regions for the geo, such as the United States with eastus and westus, two virtual networks in different regions are required to create the enterprise policy for business continuity and disaster recovery or failover scenarios.
- Be sure that the subnet you create has been appropriately sized according to Estimating subnet size for Power Platform environments.
You can reuse existing virtual networks if desired. Subnets, on the other hand, can't be reused in multiple enterprise policies.
Create a subnet in each of your virtual networks. Review the number of IP addresses that are allocated to each subnet and consider the load of the environment. Both subnets must have the same number of available IP addresses.
Important
Be sure that the subnet you create has at least a /24 Classless Inter-Domain Routing (CIDR) address block, which equates to 251 IP addresses, including five reserved IP addresses. If you plan to use the same delegated subnet for multiple Power Platform environments, you may need a larger IP address block than /24.
To allow public internet access for Power Platform components, create an Azure NAT gateway for the subnets.
Ensure that your Azure subscription is registered for the Microsoft.PowerPlatform resource provider by running the SetupSubscriptionForPowerPlatform.ps1 script.
Ensure your subnets don't have any resources connected to them. Delegate each subnet to Microsoft.PowerPlatform/enterprisePolicies by running the SetupVnetForSubnetDelegation.ps1 script for each subnet.
Learn more at Add or remove a subnet delegation.
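A read-only pre-flight check for the subnet requirements above, as an added example that is not part of the enterprise policy scripts or the original article. It assumes the Az.Network and Az.Resources modules and a signed-in session (Connect-AzAccount); Test-DelegatedSubnet and the resource names are hypothetical placeholders.

```powershell
# Added example (not from the enterprise policy script repository); read-only checks.
# Test-DelegatedSubnet and the rg-/vnet-/snet- names are hypothetical placeholders.
function Test-DelegatedSubnet {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VnetName,
        [Parameter(Mandatory)][string]$SubnetName
    )
    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName -ErrorAction Stop
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName -ErrorAction Stop

    # Prefix length of the first address prefix, for example 24 for 10.0.1.0/24
    $prefix       = @($subnet.AddressPrefix)[0]
    $prefixLength = [int]($prefix.Split('/')[1])
    $delegatedTo  = @($subnet.Delegations | ForEach-Object { $_.ServiceName })
    $attached     = @($subnet.IpConfigurations | Where-Object { $_ })

    [pscustomobject]@{
        Vnet           = $VnetName
        Subnet         = $SubnetName
        Region         = $vnet.Location
        PrefixLength   = $prefixLength
        AtLeastSlash24 = $prefixLength -le 24           # smaller number means larger block
        Delegated      = $delegatedTo -contains 'Microsoft.PowerPlatform/enterprisePolicies'
        NoResources    = $attached.Count -eq 0          # nothing may be connected to the subnet
        HasNatGateway  = $null -ne $subnet.NatGateway   # only needed for public internet access
        RegionAllowed  = $vnet.Location -ne 'centralus' # Central US isn't supported
    }
}

# Registration itself is done by SetupSubscriptionForPowerPlatform.ps1; this only reads the state.
$registered = @(Get-AzResourceProvider -ProviderNamespace 'Microsoft.PowerPlatform' |
    Where-Object RegistrationState -eq 'Registered').Count -gt 0

$primary  = Test-DelegatedSubnet -ResourceGroupName 'rg-example' -VnetName 'vnet-eastus' -SubnetName 'snet-pp'
$failover = Test-DelegatedSubnet -ResourceGroupName 'rg-example' -VnetName 'vnet-westus' -SubnetName 'snet-pp'

$primary, $failover | Format-Table -AutoSize | Out-Host
[pscustomobject]@{
    ProviderRegistered = $registered
    DifferentRegions   = $primary.Region -ne $failover.Region             # required for multi-region geos
    SameSize           = $primary.PrefixLength -eq $failover.PrefixLength # equal address counts
} | Format-List | Out-Host
```

Any False value other than HasNatGateway points to a requirement from this section that the subnet pair doesn't yet meet.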
Create the enterprise policy
Run the CreateSubnetInjectionEnterprisePolicy.ps1 script, using the virtual networks and subnets you delegated. Remember that two virtual networks in different regions are required for geos that support two or more regions.
Important
If you wish to delete the virtual network or subnet, or are getting errors like InUseSubnetCannotBeDeleted and SubnetMissingRequiredDelegation, you must delete the enterprise policy if it exists. You can delete the enterprise policy with the following command.
Remove-AzResource -ResourceId $policyArmId -Force
Various PowerShell scripts are available to retrieve the enterprise policy and its ARM resource ID.
Grant read access for the enterprise policy to users with the Power Platform Administrator role.
Configure your Power Platform environment
Run the NewSubnetInjection.ps1 script to apply the enterprise policy to your environment.
Note
If you want to remove the enterprise policy from the environment, you can run the RevertSubnetInjection.ps1 script.
Validate the connection
- Sign in to the Power Platform admin center.
- In the navigation pane, select Manage.
- In the Manage pane, select Environments.
- On the Environments page, select an environment.
- In the command bar, select History.
- The enterprise policies link works if the Status shows Succeeded.