How to bridge the gap between Dataverse and isolated Azure PaaS services across different regions without ever touching the public internet.
Updated Jan 13, 2026
Version 1.0

To implement the architecture described in the article, the following rules must be configured in your Azure Firewall Policy. These rules ensure secure, cross-region connectivity from the Power Platform Delegated Subnet to Azure PaaS resources.
The network rules below handle the core connectivity and DNS resolution.

| Priority | Name | Protocol | Source | Destination | Destination Port | Description |
|---|---|---|---|---|---|---|
| 100 | Allow-DNS-Proxy | UDP/TCP | PowerPlatform-Subnet | Azure-Firewall-IP | 53 | Allows Power Platform to use the Firewall as a DNS proxy. |
| 110 | Allow-SQL-CrossRegion | TCP | PowerPlatform-Subnet | SQL-Private-Endpoint-IP | 1433 | Secure TDS traffic to SQL Server in Region B. |
| 120 | Allow-Storage-HTTPS | TCP | PowerPlatform-Subnet | Storage-Private-Endpoint-IP | 443 | Secure HTTPS access to Blob/Data Lake in Region B. |
| 130 | Allow-KeyVault | TCP | PowerPlatform-Subnet | KV-Private-Endpoint-IP | 443 | Access to secrets and managed identities. |
Use the application rules below for outbound dependencies and management traffic where IP addresses might change.

| Priority | Name | Source | Protocol:Port | Target FQDNs / Tags | Description |
|---|---|---|---|---|---|
| 200 | PowerPlatform-Deps | PowerPlatform-Subnet | HTTPS:443 | PowerPlatformPlex (Service Tag) | Required for Power Platform infrastructure health. |
| 210 | Azure-Monitor | PowerPlatform-Subnet | HTTPS:443 | AppServiceEnvironment / WindowsUpdate | General platform maintenance and logging. |
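The two tables above expressed as one Azure Firewall Policy rule collection group in Bicep, added here as an example and not taken from the article. Parameter values and resource names are placeholders; PowerPlatformPlex is placed in the network rule collection because Azure Firewall accepts service tags as network-rule destinations, not in application rules, and the delegated subnet's VNet DNS setting is assumed to point at the firewall's private IP with `dnsSettings.enableProxy` turned on in the policy.

```bicep
// Added example, not the article's own template. All names and values are placeholders.
param firewallPolicyName string
param powerPlatformSubnetPrefix string   // Power Platform delegated subnet CIDR
param firewallPrivateIp string           // firewall private IP acting as DNS proxy
param sqlPrivateEndpointIp string        // SQL private endpoint, Region B
param storagePrivateEndpointIp string    // Blob/Data Lake private endpoint, Region B
param keyVaultPrivateEndpointIp string   // Key Vault private endpoint

var src = [powerPlatformSubnetPrefix]

// Azure Firewall sets priority per rule collection, not per rule, and always
// evaluates network rules before application rules, so the tables' per-row
// priorities become two ordered collections. DNS proxy itself is enabled on the
// policy (dnsSettings.enableProxy = true); this rule only permits the traffic.
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  name: '${firewallPolicyName}/PowerPlatform-RCG'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'PowerPlatform-Network-Rules'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          { ruleType: 'NetworkRule', name: 'Allow-DNS-Proxy', ipProtocols: ['TCP', 'UDP'], sourceAddresses: src, destinationAddresses: [firewallPrivateIp], destinationPorts: ['53'] }
          { ruleType: 'NetworkRule', name: 'Allow-SQL-CrossRegion', ipProtocols: ['TCP'], sourceAddresses: src, destinationAddresses: [sqlPrivateEndpointIp], destinationPorts: ['1433'] }
          { ruleType: 'NetworkRule', name: 'Allow-Storage-HTTPS', ipProtocols: ['TCP'], sourceAddresses: src, destinationAddresses: [storagePrivateEndpointIp], destinationPorts: ['443'] }
          { ruleType: 'NetworkRule', name: 'Allow-KeyVault', ipProtocols: ['TCP'], sourceAddresses: src, destinationAddresses: [keyVaultPrivateEndpointIp], destinationPorts: ['443'] }
          // Service tags are only valid as network-rule destinations, so the
          // PowerPlatformPlex dependency lives here rather than in the app rules.
          { ruleType: 'NetworkRule', name: 'PowerPlatform-Deps', ipProtocols: ['TCP'], sourceAddresses: src, destinationAddresses: ['PowerPlatformPlex'], destinationPorts: ['443'] }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'PowerPlatform-Application-Rules'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          // FQDN tags track Microsoft-maintained address lists, so no IPs to chase.
          { ruleType: 'ApplicationRule', name: 'Azure-Monitor', protocols: [{ protocolType: 'Https', port: 443 }], sourceAddresses: src, fqdnTags: ['AppServiceEnvironment', 'WindowsUpdate'] }
        ]
      }
    ]
  }
}
```

Everything else in the delegated subnet stays denied by the firewall's default, so any new PaaS dependency in Region B needs its own explicit private-endpoint rule rather than a broader CIDR.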
This is a great article. One small caveat is you can't use managed identities on Power Automate/Apps. It just doesn't support them.