netoptics
New Member

Power BI data gateway in AWS to return data source traffic to Power BI service using private link

First off, I am on a networking team tasked with getting Power BI traffic to avoid the Internet. I am not well versed in all things Power BI but am learning quickly.

 

We have an on-prem data gateway running on an EC2 instance in AWS that connects to a Snowflake data source via PrivateLink, and this connection works as expected. For security reasons, we are trying to have the data source traffic return from the data gateway in AWS, towards the Power BI service via Private Link, avoiding the open Internet entirely. We have the Private Link for Power BI enabled in Azure, with the private DNS zones, and routing between the two clouds via site-to-site VPN tunnels. The problem we are having is getting the AWS on-prem data gateway to know how to send this return traffic to the Power BI service via the Private Link path.

 

Is this even possible?

1 ACCEPTED SOLUTION
GeraldGEmerick
Memorable Member

@netoptics So the short answer is no, not in the way you’re hoping, at least today. To the best of my knowledge, you can’t currently force an on-premises data gateway running in AWS to send its control/data plane traffic to the Power BI service over Azure Private Link instead of the public internet.

 

The on-prem data gateway is designed to be “outbound only.”

  • Establishes outbound HTTPS connections (TCP 443) to a set of public Power BI endpoints (e.g., *.analysis.windows.net, *.pbidedicated.windows.net, etc.).

  • Must be able to resolve those FQDNs to public IP addresses and reach them over the internet (possibly via proxy).

  • There is no supported option today for the gateway client to target an Azure Private Endpoint / Private Link IP for the Power BI SaaS service.

Azure Private Link for Power BI is currently oriented towards:

  • Clients inside Azure VNETs (e.g., Azure VMs, VNets where you deploy Private Endpoints),

  • So that those Azure resources reach Power BI over the Microsoft backbone instead of the internet.

The gateway, however, is a client running outside Azure (in AWS), and there is no config knob on the gateway that says: “Use this private IP / this private endpoint DNS zone when talking to Power BI.”

 

Even if you expose the Private Link endpoint via S2S VPN and tweak DNS, the gateway software:

  • Expects to reach Microsoft’s public endpoints with Microsoft-controlled certificates.

  • Is not documented/supported to work with forced resolution of those names to your Private Endpoint IPs in another cloud.

So from a supportability standpoint: this scenario is not supported, and practically, it’s very brittle even if you “hack” DNS.

 

You can’t eliminate the public internet entirely, but you can constrain and harden it quite a lot. I see two main options:

1. Use an outbound proxy / firewall in AWS

  • Lock down the EC2 instance so the gateway can only:

    • Reach a tightly controlled HTTP(S) proxy or firewall,

    • Which in turn only allows egress to the documented Power BI FQDNs over 443.

  • Optionally enable TLS inspection / logging / advanced threat protection.

You’re still using the internet, but:

  • Only to specific Microsoft endpoints,

  • From a single egress point,

  • With full monitoring and control.

2. Consider moving the gateway into Azure (if feasible)

If you’re willing to change where the gateway runs:

  • Spin up an Azure VM in a VNet that uses Private Link to Power BI.

  • Connect AWS to that Azure VNet via VPN or ExpressRoute.

  • Put the gateway on that Azure VM and:

    • Have it reach Snowflake in AWS over the inter-cloud connection.

    • Have it reach Power BI service over Private Link inside Azure.

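The first option above (a single egress point that only permits TCP 443 to the documented Power BI FQDNs) is easy to state and easy to get subtly wrong in an allow-list. The script below is an added example, not code from the original post, from Microsoft, or from the gateway: it implements the allow-list decision a proxy or firewall would make and runs it over a few constructed proxy CONNECT log lines. The only two patterns it knows are the two FQDN families named in the answer (*.analysis.windows.net and *.pbidedicated.windows.net); a production list is assumed to be taken from Microsoft's published gateway endpoint documentation. The hostnames, timestamps and IP in the sample log are constructed.

```python
"""Egress allow-list check for a gateway host (added example, not vendor code).

Models the "outbound proxy / firewall" control: only TCP 443, only to
allow-listed Power BI FQDN patterns, never to raw IP literals. The patterns
come from the forum answer; a real deployment would load the full documented
endpoint list. Log lines at the bottom are constructed samples.
"""
from __future__ import annotations

import ipaddress
import re

# FQDN patterns named in the answer. A leading "*." matches one or more
# DNS labels in front of the suffix (assumption: same semantics most
# firewall FQDN objects use).
ALLOWED_FQDN_PATTERNS = ("*.analysis.windows.net", "*.pbidedicated.windows.net")
ALLOWED_PORT = 443


def fqdn_matches(pattern: str, host: str) -> bool:
    """Return True if host falls under pattern.

    The suffix comparison keeps the leading dot, so "evil-analysis.windows.net"
    and "analysis.windows.net.evil.example" are both rejected, and the bare
    apex "analysis.windows.net" is not matched by "*.analysis.windows.net".
    """
    host = host.rstrip(".").lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".analysis.windows.net"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_ip_literal(host: str) -> bool:
    """True if the destination was given as an IP address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def egress_allowed(host: str, port: int) -> tuple[bool, str]:
    """Decide whether a single outbound connection is permitted."""
    if port != ALLOWED_PORT:
        return False, f"port {port} not permitted (only {ALLOWED_PORT})"
    if is_ip_literal(host):
        # An IP literal would bypass name-based control, so it is denied.
        return False, "raw IP destination bypasses the FQDN allow-list"
    for pat in ALLOWED_FQDN_PATTERNS:
        if fqdn_matches(pat, host):
            return True, f"matches {pat}"
    return False, "destination not on the Power BI endpoint allow-list"


# Constructed proxy log format: "<timestamp> CONNECT <host>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) CONNECT (?P<host>[^:\s]+):(?P<port>\d+)$")

SAMPLE_LOG = """\
2025-12-01T10:00:01Z CONNECT telemetry.example.net:443
2025-12-01T10:00:02Z CONNECT wabi-example.analysis.windows.net:443
2025-12-01T10:00:03Z CONNECT abc.pbidedicated.windows.net:443
2025-12-01T10:00:04Z CONNECT analysis.windows.net.evil.example:443
2025-12-01T10:00:05Z CONNECT 203.0.113.7:443
2025-12-01T10:00:06Z CONNECT abc.pbidedicated.windows.net:8443
2025-12-01T10:00:07Z CONNECT evil-analysis.windows.net:443
"""


def audit_log(text: str) -> list[dict]:
    """Apply the allow-list to every CONNECT line and return one finding each."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrecognised line shape; skipped, not trusted
        port = int(m["port"])
        allowed, reason = egress_allowed(m["host"], port)
        findings.append({"ts": m["ts"], "host": m["host"], "port": port,
                         "allowed": allowed, "reason": reason})
    return findings


def denied_destinations(text: str) -> list[str]:
    """Hosts that the egress control would have blocked (for alerting)."""
    return [f["host"] for f in audit_log(text) if not f["allowed"]]


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        verdict = "ALLOW" if f["allowed"] else "DENY "
        print(f"{f['ts']} {verdict} {f['host']}:{f['port']}  ({f['reason']})")
```

The two checks worth keeping when you translate this into a real proxy or firewall policy are the dotted-suffix match (a plain substring or suffix match on `analysis.windows.net` admits look-alike names) and the refusal of IP literals, since a name-based allow-list is only as strong as the rule that every destination must be a name.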
Thank you so much for this very detailed response! This answers my question and even some additional thoughts swirling around in my head.
