Private links for accessing Power BI

Azure networking provides two security features, Azure Private Links and Private Endpoints, that enable Power BI to provide secure access. With Azure Private Links and Private Endpoints, data traffic is sent privately using Microsoft's backbone network infrastructure, and thus the data doesn’t traverse the Internet.

Private links ensure that Power BI users use the Microsoft private network backbone when going to resources in the Power BI service.

You can learn more about Azure Private Links.

Private links guarantee that traffic going into your organization’s Power BI artifacts (such as reports or workspaces) always follows your organization's configured private link network path. User traffic to your Power BI artifacts must come from the established private link, and you can configure Power BI to deny all requests that don’t come from the configured network path.

Private links do not guarantee that traffic from Power BI to your external data sources, whether in the cloud or on premises, is secured. Rather, you must configure firewall rules and virtual networks that further secure your data sources.

Azure Private Endpoint for Power BI is a network interface that connects you privately and securely to the Power BI service, powered by Azure Private Link.

Private Endpoints integration enables Platform as a Service (PaaS) services to be deployed and accessed privately from the customer's virtual and on-premises networks, while the service itself still runs outside the customer’s network. Private Endpoints is a single-directional technology: it lets clients initiate connections to a given service, but it does not allow the service to initiate a connection into the customer's network. This Private Endpoint integration pattern provides management isolation, since the service can operate independently of the customer's network policy configuration. For multi-tenant services, this Private Endpoint model provides link identifiers to prevent access to other customers' resources hosted within the same service. When using Private Endpoints, only a limited set of other PaaS service resources can be accessed from services using the integration.

The Power BI service implements Private Endpoints, and not Service Endpoints.

Using Private Links with Power BI provides the following benefits:

  1. Private Links ensure that traffic will flow over the Azure backbone to a private endpoint for Azure cloud-based resources.

  2. Network traffic isolation from non-Azure based infrastructure, such as on-premises access, would require customers to have ExpressRoute or a Virtual Private Network (VPN) configured.

In Power BI, you can configure and use an endpoint that enables your organization to access Power BI privately. To configure private links, you must be a Power BI administrator and have permissions in Azure to create and configure resources such as Virtual Machines (VMs) and Virtual Networks (VNets).

The steps that enable you to securely access Power BI from private links are:

  1. Enable private links for Power BI
  2. Create a Power BI resource in the Azure portal
  3. Create a virtual network
  4. Create a virtual machine (VM)
  5. Create a private endpoint
  6. Connect to a VM using Remote Desktop (RDP)
  7. Access Power BI privately from the virtual machine
  8. Disable public access for Power BI

The following sections provide additional information for each step.

To get started, log in to Power BI at app.powerbi.com as an administrator, and navigate to the Admin portal. Select Tenant settings and scroll to the Advanced Networking section, then toggle the radio button to turn on Azure Private Link, as shown in the following image.

It takes approximately 15 minutes to configure a private link for your tenant, which includes configuring a separate FQDN for the tenant in order to communicate privately with Power BI services.

Turn on Azure Private Link

Once completed, you can move on to the next step.

Create a Power BI resource in the Azure portal

Next, sign in to the Azure portal and create a Power BI resource, using an Azure Template. Replace the parameters in the ARM template example, shown in the following table, to create a Power BI resource.

Parameter             Value
<resource-name>       myPowerBIResource
<tenant-object-id>    52d40f65-ad6d-48c3-906f-1ccf598612d4

Create the ARM template

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
      {
          "type":"Microsoft.PowerBI/privateLinkServicesForPowerBI",
          "apiVersion": "2020-06-01",
          "name" : "<resource-name>",
          "location": "global",
          "properties" : 
          {
               "tenantId": "<tenant-object-id>"
          }
      }
  ]
}

In the dialog that appears, select the checkbox to agree to the terms and conditions, and then select Purchase.

Agree to terms and conditions, then purchase template

Create a virtual network

The next step is to create a virtual network and subnet. Replace the sample parameters in the table below with your own to create a virtual network and subnet.

Parameter                 Value
<resource-group-name>     myResourceGroup
<virtual-network-name>    myVirtualNetwork
<region-name>             Central US
<IPv4-address-space>      10.1.0.0/16
<subnet-name>             mySubnet
<subnet-address-range>    10.1.0.0/24

  1. On the upper-left side of the screen, select Create a resource > Networking > Virtual network or search for Virtual network in the search box.

  2. In Create virtual network enter or select the following information in the Basics tab:

    Settings          Value
    Project details
    Subscription      Select your Azure Subscription
    Resource Group    Select Create new, enter <resource-group-name>, then select OK, or select an existing <resource-group-name> based on parameters.
    Instance details
    Name              Enter <virtual-network-name>
    Region            Select <region-name>

    The following image shows the Basics tab.

    Create a virtual network, Basics tab

  3. Next, select the IP Addresses tab or select the Next: IP Addresses button at the bottom of the form. In the IP Addresses tab, enter the following information:

    Settings              Value
    IPv4 address space    Enter <IPv4-address-space>

    Create a virtual network, IP Addresses tab

  4. In Subnet name select the word default, and in Edit subnet, enter the following information:

    Settings                Value
    Subnet name             Enter <subnet-name>
    Subnet address range    Enter <subnet-address-range>

    Create a virtual network, Edit subnet tab

  5. Then select Save, and then select the Review + create tab, or select the Review + create button.

  6. Then, select Create.

Once you've completed these steps, you can create a virtual machine (VM), as described in the next section.

Create a virtual machine (VM)

The next step is to create a virtual machine (VM), hosted in the virtual network and subnet you created in the previous section.

  1. On the upper-left side of the screen in your Azure portal, select Create a resource > Compute > Virtual Machine.

  2. In Create a virtual machine - Basics enter or select the following information:

    Settings                           Value
    Project details
    Subscription                       Select your Azure Subscription
    Resource Group                     Select myResourceGroup which you created in the previous section.
    Instance details
    Name                               Enter myVm
    Region                             Select Central US
    Availability options               Leave the default No infrastructure redundancy required
    Image                              Select Windows 10 Pro
    Size                               Leave the default Standard DS1 v2
    ADMINISTRATOR ACCOUNT
    Username                           Enter a username of your choosing
    Password                           Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements
    Confirm Password                   Reenter password
    INBOUND PORT RULES
    Public inbound ports               Leave the default None
    SAVE MONEY
    Already have a Windows license?    Leave the default No

  3. Then select Next: Disks

  4. In Create a virtual machine - Disks, leave the defaults and select Next: Networking.

  5. In Create a virtual machine - Networking, select the following information:

    Settings                Value
    Virtual network         Leave the default myVirtualNetwork
    Address space           Leave the default 10.1.0.0/24
    Subnet                  Leave the default mySubnet (10.1.0.0/24)
    Public IP               Leave the default (new) myVm-ip
    Public inbound ports    Select Allow selected
    Select inbound ports    Select RDP

  6. Select Review + create. You're taken to the Review + create page where Azure validates your configuration.

  7. When you see the Validation passed message, select Create.

Create a private endpoint

The next step, which is described in this section, is to create a private endpoint for Power BI.

  1. On the upper-left side of the Azure portal screen, select Create a resource > Networking > Private Link Center (Preview).

  2. In Private Link Center - Overview, on the option to Build a private connection to a service, select Create private endpoint.

  3. In Create a private endpoint (Preview) - Basics enter or select the following information:

    Settings          Value
    Project details
    Subscription      Select your Azure Subscription
    Resource Group    Select myResourceGroup. You created this in the previous section
    Instance details
    Name              Enter myPrivateEndpoint. If this name is taken, create a unique name
    Region            Select Central US

    The following image shows the Create a private endpoint - Basics window.

    Create a private endpoint, basics

  4. Once that information is complete, select Next: Resource and in the Create a private endpoint - Resource page, enter or select the following information:

    Settings               Value
    Connection method      Select connect to an Azure resource in my directory
    Subscription           Select your subscription
    Resource type          Select Microsoft.PowerBI/privateLinkServicesForPowerBI
    Resource               myPowerBIResource
    Target sub-resource    Tenant

    The following image shows the Create a private endpoint - Resource window.

    Create a private endpoint, resource

  5. Once that information is properly entered, select Next: Configuration, and in the Create a private endpoint (Preview) - Configuration page, enter or select the following information:

    Settings                           Value
    NETWORKING
    Virtual network                    Select myVirtualNetwork
    Subnet                             Select mySubnet
    PRIVATE DNS INTEGRATION
    Integrate with private DNS zone    Select Yes
    Private DNS Zone                   Select
                                       (New)privatelink.analysis.windows.net
                                       (New)privatelink.pbidedicated.windows.net
                                       (New)privatelink.tip1.powerquery.microsoft.com

    The following image shows the Create a private endpoint - Configuration window.

    Create a private endpoint, configuration

    Next select Review + create, which displays the Review + create page where Azure validates your configuration. When you see the Validation passed message, select Create.

Connect to a VM using Remote Desktop (RDP)

Once you've created your virtual machine, called myVm, connect to it from the Internet using the following steps:

  1. In the portal's search bar, enter myVm.
  2. Select the Connect button. Once you select the Connect button, Connect to virtual machine opens.
  3. Select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.
  4. Open the downloaded .rdp file.
  5. If prompted, select Connect.
  6. Enter the username and password you specified when creating the VM in the previous step.
  7. Select OK.
  8. You may receive a certificate warning during the sign-in process. If you receive a certificate warning, select Yes or Continue.

Access Power BI privately from the VM

The next step is to access Power BI privately, from the virtual machine you created in the previous step, using the following steps:

  1. In the Remote Desktop of myVM, open PowerShell.

  2. Enter nslookup 52d40f65ad6d48c3906f1ccf598612d4-api.privatelink.analysis.windows.net.

  3. You'll receive a message similar to this:

    Server:  UnKnown
    Address:  168.63.129.16
    
    Non-authoritative answer:
    Name:    52d40f65ad6d48c3906f1ccf598612d4-api.privatelink.analysis.windows.net
    Address:  10.1.0.4
    
  4. Open the browser and go to app.powerbi.com to access Power BI privately.
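
The nslookup check in steps 2 and 3 can be automated. The following is an added example, not part of the original walkthrough: it confirms that the tenant's private link hostname resolves inside the private endpoint subnet. The tenant ID, subnet and sample output are the values from this page; the function names are hypothetical.

```python
import ipaddress
import socket

# Values from this page's walkthrough; substitute your own tenant and subnet.
TENANT_OBJECT_ID = "52d40f65-ad6d-48c3-906f-1ccf598612d4"
ENDPOINT_SUBNET = "10.1.0.0/24"

# nslookup output as shown in step 3 above.
PAGE_OUTPUT = """Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    52d40f65ad6d48c3906f1ccf598612d4-api.privatelink.analysis.windows.net
Address:  10.1.0.4
"""

def private_link_fqdn(tenant_object_id):
    """Hostname queried in the nslookup step: tenant object ID without hyphens."""
    return tenant_object_id.replace("-", "").lower() + "-api.privatelink.analysis.windows.net"

def answers_from_nslookup(output):
    """Addresses from the answer section only; the resolver's own address
    (the 'Address:' line before 'Name:') is not an answer."""
    _, found, answer = output.partition("Name:")
    addresses = []
    for token in (answer.split() if found else []):
        try:
            addresses.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # hostname, 'Address:' label, 'Aliases:' and so on
    return addresses

def classify(addresses, subnet=ENDPOINT_SUBNET):
    """'private-link' only if every answer lies inside the private endpoint's subnet."""
    if not addresses:
        return "no-answer"
    net = ipaddress.ip_network(subnet)
    return "private-link" if all(a in net for a in addresses) else "outside-subnet"

def resolve_live(fqdn):
    """Resolve with the system resolver; meaningful only when run on the VM itself."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, family=socket.AF_INET, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]

if __name__ == "__main__":
    print("page sample:", classify(answers_from_nslookup(PAGE_OUTPUT)))
    print("live lookup:", classify(resolve_live(private_link_fqdn(TENANT_OBJECT_ID))))
```

A result of outside-subnet or no-answer on the VM means the client is not being directed to the private endpoint, so check this before you disable public access in the next section.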

Disable public access for Power BI

Lastly, you need to disable public access for Power BI.

Log in to app.powerbi.com as an administrator, and navigate to the Admin portal. Select Tenant settings and scroll to the Advanced networking section. Enable the toggle button in the Block Public Internet Access section, as shown in the following image. It takes approximately 15 minutes for the system to disable your organization's access to Power BI from the public Internet.

And that's it - after following these steps, Power BI for your organization is only accessible from private links, and not accessible from the public Internet.

Considerations and limitations

There are a few considerations to keep in mind while working with private links in Power BI:

  • Any use of external images or themes is not available when using a private link environment, and may affect custom visuals
  • Export services, such as Export to PDF, exporting to Excel from a report, and other export services do not work when using a private link environment
  • SQL Server Reporting Services reports, commonly known as RDL files (*.rdl format files) do not render in private link environments
  • If Internet access is disabled, and if the dataset or dataflow is connecting to a Power BI dataset or dataflow as a data source, the connection will fail
