Architecture of Azure VNet support for Power Platform
Did you know Azure VNet support for Power Platform? This new feature was released in 2024 and uses Azure subnet delegation to integrate Power Platform with your Azure Virtual Network without exposing it on the public internet. Of course, the network connection is limited to the specific users in the Power Platform environment. Virtual Network support overview virtual network support whitepaper In this blog, I'll share some architectures and tips about how to connect privately to On-premises or Azure from Power Platform. Additionally, subnet delegation supports Dataverse, however I'll only focus on connectors for Automate or Apps in this blog as those are the most frequent scenarios. What is the benefit of using subnet delegation? Once we enable this feature, we can connect to Azure virtual networks via private IP addresses. Before this feature was released, on-premises data gateway was the alternative way connecting to on-premises or Azure internally. However, there are some concerns detailed below when using on-premises data gateway. There are limitations such as payload size or request size. Link Users must configure and manage the cluster of multiple servers of on-premises data gateway. We are limited to SQL and custom connectors connecting to Azure. Subnet delegation supports SQL, Custom, Azure Queues, Key Vault, BLOB Storage. etc. Link Entra ID authentication is not supported. When we create a new connection of custom connector with on-premises data gateway, the user must have administrator privilege. Link "The gateway must be shared with the Admin permission level to be used by custom connectors." Below is the difference of architecture between subnet delegation and on-premises data gateway. On-premises data gateway Subnet delegation How to set up Virtual Network support for Power Platform Please reference this document. Set up Virtual Network support for Power Platform There are some requirements listed below. Managed Environment. At least two /24 address spaces. Supported regions (Link) If your Power Platform region is the United States, your Virtual Network and subnets must be in the eastus and westus Azure regions. Sample architectures These are sample architectures utilizing subnet delegation. From Azure VNet to Internet Connect to Internet via Azure NAT Gateway This is region redundant. There is no traffic log. Source IP addresses are static. Connect to Internet via Azure Firewall in a region This is not region redundant. Azure Firewall controls network traffic. We can view traffic logs on Azure Firewall. Source IP address is static. Connect to Internet via Azure Firewall in each region This is region redundant. Azure Firewall controls network traffic. We can view traffic logs on Azure Firewall. Source IP addresses are static. From Azure VNet to On-premises This is not region redundant. Azure Firewall is optional. From Azure VNet to Azure resources Set up all private endpoints in each region This is region redundant. There is no traffic log. You are required to divide the resource group and Private DNS Zones because its resource name will be same. Set up all private endpoints in a region and use VNet peering This is not region redundant. There is no traffic log. You must be careful to not utilize overlapping or duplicate address space. Uses service endpoint This is region redundant. There is no traffic log. For Azure SQL Database, virtual networks must be in the same region as the Azure SQL Database so for our example, this architecture is not supported. (Link) Please check and confirm your desired architecture is supported prior to beginning deployment. Hub & Spoke with Azure Firewall This is not region redundant. Azure Firewall controls network traffic. We can view traffic logs on Azure Firewall. Name resolution Subnet delegation supports custom DNS on Azure Virtual Networks so we can use any of the below DNS options. Azure provided DNS (168.63.129.16). This is default setting. Azure private DNS zones. DNS Server on Azure or on-premises. Forwarder is optional. If you would like to use custom DNS on Azure Virtual Network, please reference this document. Change DNS servers of a virtual network using the Azure portal Network traffic control Subnet delegation supports to use NSG or Azure Firewall (NVA) to control outbound traffic from the subnets. Network traffic log Azure services using subnet delegation such as AppService don't support NSG flow log. Incompatible services "App services deployed under an Azure App Service plan don't support NSG flow logs. To learn more, see How virtual network integration works." Private endpoint is also not supported by NSG and VNet flow logs. Private endpoint traffic "Traffic can't be recorded at the private endpoint itself. " That's why I recommend you use Azure Firewall if traffic logs from the virtual network are required. How to minimize the number of IP addresses Some Azure environments are connected to on-premises and sometimes the number of IPv4 Addresses are not enough in them but Azure VNet support requires at least two /24 address spaces. For such users, I recommend that you use Azure Firewall with SNAT. You can mask the private IP address for subnet delegation, so you don't need to worry about the number of IP addresses. In this scenario, you need to disable 'Use Remote Gateway' on the VNet peering to not advertise the address spaces. Azure Firewall SNAT private IP address ranges Virtual network peeringIntroducing Copilot in Azure for Networking: Your AI-Powered Azure Networking Assistant
As cloud networking grows in complexity, managing and operating these services efficiently can be tedious and time consuming. That’s where Copilot in Azure for Networking steps in, a generative AI tool that simplifies every aspect of network management, making it easier for network administrators to stay on top of their Azure infrastructure. With Copilot, network professionals can design, deploy, and troubleshoot Azure Networking services using a streamlined, AI-powered approach. A Comprehensive Networking Assistant for Azure We’ve designed Copilot to really feel like an intuitive assistant you can talk to just like a colleague. Copilot understands networking-related questions in simple terms and responds with actionable solutions, drawing from Microsoft’s expansive networking knowledge base and the specifics of your unique Azure environment. Think of Copilot as an all-encompassing AI-Powered Azure Networking Assistant. It acts as: Your Cloud Networking Specialist by quickly answering questions about Azure networking services, providing product guidance, and configuration suggestions. Your Cloud Network Architect by helping you select the right network services, architectures, and patterns to connect, secure, and scale your workloads in Azure. Your Cloud Network Engineer by helping you diagnose and troubleshoot network connectivity issues with step-by-step guidance. One of the most powerful features of Copilot in Azure is its ability to automatically diagnose common networking issues. Misconfigurations, connectivity failures, or degraded performance? Copilot can help with step-by-step guidance to resolve these issues quickly with minimal input and assistance from the user, simply ask questions like ”Why can’t my VM connect to the internet?”. As seen above, upon the user identifying the source and destination, Copilot can automatically discover the connectivity path and analyze the state and status of all the network elements in the path to pinpoint issues such as blocked ports, unhealthy network devices, or misconfigured Network Security Groups (NSGs). Technical Deep Dive: Contextualized Responses with Real-Time Insights When users ask a question on the Azure Portal, it gets sent to the Orchestrator. This step is crucial to generating a deep semantic understanding of the user’s question, reasoning over all Azure resources, and then determining that the question requires Network-specific capabilities to be answered. Copilot then collects contextual information based on what the user is looking at and what they have access to before dispatching the question to the relevant domain-specific plugins. Those plugins then use their service-specific capabilities to answer the user’s question. Copilot may even combine information from multiple plugins to provide responses to complex questions. In the case of questions relevant to Azure Networking services, Copilot uses real-time data from sources like diagnostic APIs, user logs, Azure metrics, Azure Resource Graph etc. all while maintaining complete privacy and security and only accessing what the user can access as defined in Azure Role based Access Control (RBAC) to help generate data-driven insights that help keep your network operating smoothly and securely. This information is then used by Copilot to help answer the user’s question via a variety of techniques including but not limited to Retrieval-Augmented Generation (RAG) and grounding. To learn more about how Copilot works, including our Responsible AI commitments, see Copilot in Azure Technical Deep Dive | Microsoft Community Hub. Summary: Key Benefits, Capabilities and Sample Prompts Copilot boosts efficiency by automating routine tasks and offering targeted answers, which saves network administrators time while troubleshooting, configuring and architecting their environments. Copilot also helps organizations reduce costs by minimizing manual work and catching errors while empowering customers to resolve networking issues on their own with AI-powered insights backed by Azure expertise. Copilot is equipped with powerful skills to assist users with network product information and selection, resource inventory and topology, and troubleshooting. For product information, Copilot can answer questions about Azure Networking products by leveraging published documentation, helping users with questions like “What type of Firewall is best suited for my environment?”. It offers tailored guidance for selecting and planning network architectures, including specific services like Azure Load Balancer and Azure Firewall. This guidance also extends to resilience-related questions like “What more can I do to ensure my app gateway is resilient?” involving services such as Azure Application Gateway and Azure Traffic Manager, among others. When it comes to inventory and topology, Copilot can help with questions like “What is the data path between my VM and the internet?” by mapping network resources, visualizing topologies, and tracking traffic paths, providing users with clear topology maps and connectivity graphs. For troubleshooting questions like “Why can’t I connect to my VM from on prem?”, Copilot analyzes both the control plane and data plane, offering diagnostics at the network and individual service levels. By using on-behalf-of RBAC, Copilot maintains secure, authorized access, ensuring users interact only with resources permitted by their access level. Looking Forward: Future Enhancements This is only the first step we are taking toward bringing interactive, generative-AI powered capabilities to Azure Networking services and as it evolves over time, future releases will introduce advanced capabilities. We also acknowledge that today Copilot in preview works better with certain Azure Networking services, and we will continue to onboard more services to the capabilities we are launching today. Some of the more advanced capabilities we are working on include predictive troubleshooting where Copilot will anticipate potential issues before they impact network performance. Network optimization capabilities that suggest ways to optimize your network for better performance, resilience and reliability alongside enhanced security capabilities providing insights into network security and compliance, helping organizations meet regulatory requirements starting with the integration of Security Copilot attack investigation capabilities for Azure Firewall. Conclusion Copilot in Azure for Networking is intended to enhance the overall Azure experience and help network administrators easily manage their Azure Networking services. By combining AI-driven insights with user-friendly interfaces, it empowers networking professionals and users to plan, deploy, and operate their Azure Network. These capabilities are now in preview, see Azure networking capabilities using Microsoft Copilot in Azure (preview) | Microsoft Learn to learn more and get started.
Former Employer Abuse
My former employer, Albert Williams, president of American Security Force Inc., keeps adding my outlook accounts, computers and mobile devices to the company's azure cloud even though I left the company more than a year ago. What can I do to remove myself from his grip? Does Microsoft have a solution against abusive employers?
Azure Private DNS Resolver - Need Help
Hi All, we are planning to implement Azure DNS resolver to replace DNS forwarder ? have few question before on this . 1. does Azure Private DNS resolver works with SD-WAN / VWAN model network ? 2. does it requires to create a Azure DNS Zone for the private resolver ? we require Azure DNS Private resolver for forwarding purpose only and our current DNS forwarder VM on Bind DNS looks like below - By default all the Vent's DNS IP should be pointing to DNS Forwarders VM Bind Server for dns resolution. 2.DNS Forwarder in the region will forward the traffic to dns server based on the query to the domain controllers. There are specific rules for each Domain controller.we need similar kind of behavior from Azure private DNS resolver. will this work by using the DNS Private resolver ?appreciate for help in this issueSecure, High-Performance Networking for Data-Intensive Kubernetes Workloads
In today’s data-driven world, AI and high-performance computing (HPC) workloads demand a robust, scalable, and secure networking infrastructure. As organizations rely on Kubernetes to manage these complex workloads, the need for advanced network performance becomes paramount. In this blog series, we explore how Azure CNI powered by Cilium, built on eBPF technology, is transforming Kubernetes networking. From high throughput and low latency to enhanced security and real-time observability, discover how these cutting-edge advancements are paving the way for secure, high-performance AI workloads. Ready to optimize your Kubernetes clusters?
