This document provides a comprehensive guide on how to publish Power BI reports with a privately configured hub instance. It covers essential prerequisites, licensing requirements, permissions, network configurations, and step-by-step instructions for deploying and configuring a Power BI Virtual Network Data Gateway. By following this guide, you will be able to effectively manage and share your Power BI reports, ensuring seamless access to critical data while maintaining robust security measures.
For more information on implementing private networking for FinOps hub, please visit this blog post.
Prerequisites
Licensing requirements
- VNET data gateways require a Power BI Embedded or Fabric capacity license (A4 SKU or higher or any F SKU).
- This feature is currently not supported in GCC L2. It is supported in GCC L4 (Texas and Virginia) and L5 (DoD East), as well as in air-gapped clouds in US Nat East/West and US Sec East/West.
- Self-hosted and personal data gateways do not have any specific licensing requirements.
- Sharing published reports with others requires Power BI Pro, Premium Per-User or Fabric Capacity.
Permissions
Access to Azure Data Lake can be granted via:
- RBAC with a minimum of Storage Blob Data Reader permissions
- SAS key
- Storage account key
Network
To provision a Virtual Network Data Gateway from within the Power BI service, one should first create a dedicated subnet for the data gateway.
This subnet should be delegated to ‘Microsoft.PowerPlatform/vnetaccesslinks’. Skipping this step will prevent the Power BI service from discovering the virtual network.
Configuration
Once you have configured your private networking settings for your hub instance, follow this guide to set up your first Power BI report. If you are using the Power BI platform as a reporting tool, the next step is to publish the Power BI reports and share the reports across your organization, enhancing the FinOps culture!
Configure public access to the Storage Account
- After completing the deployment, proceed to configure the Storage account endpoints.
- Navigate to the created Storage account in the Azure portal.
- Go to Networking > Firewalls and virtual networks.
- Select Enabled from all networks.
Note: This is needed if you publish the Power BI Templates. Alternatively, you can whitelist the public IP address of anyone who will be publishing the templates. Either setting is needed only temporarily, until the templates are published; after that you can safely switch to the ‘Enabled from selected virtual networks and IP addresses’ option.
- Click Save to apply the changes.
Publishing the report
Follow the guidance here to set up your Power BI Templates. Once the Power BI templates have been configured and saved, publish them to an existing workspace or a new workspace.
Note: Once the Power BI Templates are published, you can choose the ‘Enabled from selected virtual networks and IP addresses’ option in ‘Public Network Access’ on the storage account. You will then need to set up and configure the Power BI Virtual Network Data Gateway so that these reports can continue refreshing your data.
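A check for the two network settings this guide depends on, the subnet delegation from the Network section and the storage firewall being closed again after publishing, as an added example that is not part of the original guide. It assumes the JSON printed by `az storage account show` and `az network vnet subnet show`; the resource names and IP address are constructed sample values.

```python
import ipaddress

GATEWAY_DELEGATION = "Microsoft.PowerPlatform/vnetaccesslinks"

def audit_storage_firewall(account, approved_ips=()):
    """Findings for a storage account dict (shape of `az storage account show`)."""
    if account.get("publicNetworkAccess") == "Disabled":
        return []  # public endpoint is off, so firewall rules do not apply
    findings = []
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is Allow: still 'Enabled from all networks'")
    approved = [ipaddress.ip_network(a, strict=False) for a in approved_ips]
    for rule in rules.get("ipRules") or []:
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if not any(a.version == net.version and net.subnet_of(a) for a in approved):
            findings.append(f"IP rule {net} is not on the approved list: "
                            "remove it once the templates are published")
    return findings

def audit_gateway_subnet(subnet):
    """Findings for a subnet dict (shape of `az network vnet subnet show`)."""
    services = [d.get("serviceName", "") for d in subnet.get("delegations") or []]
    if any(s.lower() == GATEWAY_DELEGATION.lower() for s in services):
        return []
    return [f"subnet {subnet.get('name')} is not delegated to {GATEWAY_DELEGATION}"]

# Constructed sample data (not real resources): the state right after publishing,
# before the firewall is switched back and before the subnet is delegated.
SAMPLE_ACCOUNT = {
    "name": "examplefinopshub",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "defaultAction": "Allow",
        "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.7"}],
        "virtualNetworkRules": [],
    },
}
SAMPLE_SUBNET = {"name": "snet-pbi-gateway", "delegations": []}

if __name__ == "__main__":
    for finding in audit_storage_firewall(SAMPLE_ACCOUNT) + audit_gateway_subnet(SAMPLE_SUBNET):
        print("FINDING:", finding)
```

Pass any publisher addresses that are meant to stay as `approved_ips`; an empty result from both functions means the firewall is back to selected networks and the gateway subnet is discoverable.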
Deploying a Virtual Network Data Gateway
Follow these steps to deploy a Virtual Network Data Gateway which will act as a proxy for the Power BI Service to access the FinOps Toolkit data.
- Log in to app.powerbi.com.
- Click on the ‘Settings’ icon to view the settings.
- Choose ‘Manage Connections and Gateways’.
- Go to the ‘Virtual network data gateways’ Tab.
- Click on ‘New’.
- Choose the License capacity and Azure Subscription and other details as shown in the screenshot below:
- Click on ‘Save’.
Update the report
Now the published report needs to be updated to use the data gateway created in the previous step.
- Now, on the left bar, locate ‘Workspaces’ and find the workspace where you published the Power BI Templates.
- Click on the uploaded report's ‘Semantic Model’.
- Click on ‘File’ > ‘Settings’.
- Before you configure your gateway connection, you may see a prompt to edit your credentials. Choose the desired authentication method and proceed to authenticate.
- Under ‘Semantic Models’ > ‘Gateway and Cloud Connections’ use the toggle button to turn on ‘Use an On-premises or VNet data gateway’.
- Once turned on, click on the drop-down button under Actions to show the data sources.
- Click on ‘Add to VNet’ for the AzureDataLakeStorage.
- It will come pre-filled with information for ‘New Connection’.
- Provide a connection name.
- Choose the ‘Authentication Method’ and click on ‘Create’.
- Turn on the gateway connection and repeat these steps for the ‘Web’ data source.
- In this configuration, make sure to set the Authentication method as anonymous.
- Go back to ‘Gateway and Cloud Connections’ under ‘Semantic Model’.
- Toggle the “Use an On-premises or VNet data gateway” switch on once again and for the ‘Maps to’ field, for both data sources, choose the connection you created earlier and click ‘Apply’.
- In the same window, scroll down to locate the ‘Refresh’ option, turn on the refresh schedule as represented below, and ‘Apply’ the changes.
Refresh the report
Once the report has been updated to use the newly created data gateway you can test everything by refreshing the report.
- Open the ‘Semantic Model’ once again and ‘Refresh’ the data using ‘Refresh Now’.
- The time it takes to complete depends on the volume of the data. If the connectivity is functioning, an updated timestamp will appear once the data is refreshed.
Conclusion
In conclusion, there are several options to access FinOps hub data when it is secured behind a Virtual Network, including:
- Adding a subnet to the FinOps hub virtual network and deploying a managed Virtual Network Data Gateway (as described in this document).
- Deploying a self-hosted or personal data gateway onto a VM inside the FinOps hub network.
- Peering the FinOps hub virtual network to your network and using an existing self-hosted data gateway.