pennyhoho117
Helper IV

When a request is sent to the on-premises data gateway, how does the gateway send the result back to Power BI?

I checked the Power BI documentation: when a user refreshes data from the Power BI service or a refresh schedule, a request is sent from the Power BI cloud through Azure Relay to the on-premises data gateway. What is the use of Azure Relay?

After the data gateway receives a request, it decrypts the data source credentials, sends the query to the data source, and then returns the result to the Power BI cloud. So how and when is the result encrypted? And does the gateway send the result back to Azure Relay, and then to the Power BI cloud? I need detailed information on the data processing flow, including encryption and decryption, from entry to destination.

1 ACCEPTED SOLUTION
Poojara_D12
Super User

Hi @pennyhoho117 

When a user triggers a data refresh in Power BI Service, either manually or through a scheduled refresh, the request is sent from Power BI Cloud to the On-Premises Data Gateway using Azure Relay. Azure Relay acts as a secure bridge, allowing Power BI to communicate with on-premises data sources without requiring inbound firewall rules. The On-Premises Data Gateway, which maintains an outbound-only connection to Azure Relay, listens for incoming requests and retrieves the necessary data from the on-premises database. Once the gateway receives the request, it decrypts the stored credentials using Windows Data Protection API (DPAPI) and authenticates with the data source. After executing the query and retrieving the results, the gateway encrypts the data using TLS (Transport Layer Security) 1.2 or higher before transmitting it back to Power BI Service via Azure Relay. The encrypted data is securely sent to Power BI Cloud, where it is decrypted upon arrival and stored in the VertiPaq engine if using Import Mode, or temporarily cached for DirectQuery Mode. This process ensures end-to-end security, preventing unauthorized access while enabling seamless communication between Power BI and on-premises data sources.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS

10 REPLIES
v-nmadadi-msft
Community Support

Hi @pennyhoho117 ,

As we haven’t heard back from you, we wanted to kindly follow up to check if the solution provided by the community members for the issue worked. If our response addressed your issue, please mark it as Accept as solution and click Yes if you found it helpful.

Thanks and regards

v-nmadadi-msft
Community Support

Hi @pennyhoho117,

I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.


Thank you.

v-nmadadi-msft
Community Support

Hi @pennyhoho117,
Thanks for reaching out to the Microsoft Fabric community forum.

The Azure Relay service enables you to securely expose services that run in your corporate network to the public cloud. You can do so without opening a port on your firewall, or making intrusive changes to your corporate network infrastructure.
For more information on Azure Relay, kindly refer to this document:
What is Azure Relay? - Azure Relay | Microsoft Learn


All data requested and transmitted by Power BI is encrypted in transit using HTTPS (except when the data source chosen by the customer doesn't support HTTPS) to connect from the data source to the Power BI service. A secure connection is established with the data provider, and only once that connection is established will data traverse the network.

[Two images from the Power BI security white paper; not reproduced here]


Reference for the image: Power BI security white paper - Power BI | Microsoft Learn


If you find this post helpful, please mark it as an "Accept as Solution" and consider giving a KUDOS.
Thanks and Regards

This still does not seem to answer the question: would the data gateway encrypt the result?

Meanwhile, I know the result would be compressed before encryption, so would the data gateway compress and encrypt the query result? If not, tell me how, when and where the result is compressed and encrypted.

Hi  @pennyhoho117 ,

The results are sent back to the cloud through Azure relay.
On-premises data gateway FAQ | Microsoft Learn
Both the gateway and Power BI service are implemented to only accept TLS 1.2 traffic.
So data coming from on-prem data sources is securely sent to the Power BI service.
Only the data source credentials are encrypted and decrypted at the gateway cloud services and at the gateway, as per the on-premises data gateway architecture article: On-premises data gateway architecture | Microsoft Learn

The actual data requested and transmitted by Power BI is encrypted in transit using HTTPS (except when the data source chosen by the customer doesn't support HTTPS) to connect from the data source to the Power BI service. A secure connection is established with the data provider, and only once that connection is established will data traverse the network.

 


If you find this post helpful, please mark it as an "Accept as Solution" and consider giving a KUDOS.
Thanks and Regards

Hi @pennyhoho117 

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

Thank you.

pennyhoho117
Helper IV

Can you please also provide the document/link for reference?

pennyhoho117
Helper IV

So after querying the data source, would the data gateway encrypt the result? If not, who would encrypt the result?

shafiz_p
Super User

Hi @pennyhoho117 

See the following explanation of the data processing flow for Power BI when using an on-premises data gateway:

Request Initiation:

When a user refreshes data from the Power BI service or sets a refresh schedule, a request is sent from the Power BI cloud service to the on-premises data gateway through Azure Relay.

Role of Azure Relay:

Azure Relay acts as a secure communication channel between the Power BI cloud service and the on-premises data gateway. It ensures that the requests and responses can traverse network boundaries securely without requiring direct exposure of the on-premises network to the internet.

Receiving the Request:

The on-premises data gateway receives the request from Azure Relay. The request includes the query and encrypted credentials for the data source.

Decryption and Query Execution:

The gateway decrypts the data source credentials using the encryption keys stored securely on the gateway machine. It then connects to the specified data source (e.g., SQL Server, SharePoint) and executes the query.

Data Encryption:

The results from the data source are encrypted before being sent back. This encryption ensures that the data remains secure during transit back to the Power BI cloud service.

Sending Results Back:

The encrypted results are sent back to the Power BI cloud service through Azure Relay. Azure Relay facilitates the secure transmission of these results back to the cloud.

Final Decryption and Usage:

Once the Power BI cloud service receives the encrypted results, it decrypts them using the appropriate keys. The decrypted data is then used to update the reports and dashboards in Power BI.

Hope this answered your question!!

If so, please accept it as a solution!!

Best Regards,
Shahariar Hafiz
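
The outbound-only relay pattern the answers in this thread describe, as an added toy model that is not part of the original thread and is not Azure Relay's actual protocol: the on-premises side and the cloud side both dial out to a rendezvous point, which passes one request and one result between them. The `LISTEN`/`SEND` role names, the line-based framing and all function names are assumptions; it runs over plain TCP on localhost, whereas the replies state that the real legs are TLS 1.2.

```python
import socket
import threading

def send(stream, line):
    stream.write(line + b"\n")
    stream.flush()

def relay_once(server):
    """Toy relay: pair one LISTEN and one SEND connection, pass one request and one result."""
    peers = {}
    while len(peers) < 2:
        conn, _ = server.accept()
        stream = conn.makefile("rwb")
        peers[stream.readline().strip()] = (conn, stream)  # first line names the role
    listener, sender = peers[b"LISTEN"][1], peers[b"SEND"][1]
    send(listener, sender.readline().strip())   # request: cloud -> gateway
    send(sender, listener.readline().strip())   # result: gateway -> cloud
    for conn, stream in peers.values():
        stream.close()
        conn.close()

def gateway(relay_addr, run_query):
    """On-premises side: only connect() is called, never bind() or listen()."""
    with socket.create_connection(relay_addr) as sock:
        stream = sock.makefile("rwb")
        send(stream, b"LISTEN")
        query = stream.readline().strip()  # blocks until the relay forwards a request
        send(stream, run_query(query))

def cloud_refresh(relay_addr, query):
    """Cloud side: hands the query to the relay and waits for the result."""
    with socket.create_connection(relay_addr) as sock:
        stream = sock.makefile("rwb")
        send(stream, b"SEND")
        send(stream, query)
        return stream.readline().strip()

def demo():
    server = socket.create_server(("127.0.0.1", 0))  # the relay is the only listening socket
    addr = server.getsockname()
    fake_source = lambda q: b"rows for: " + q         # constructed stand-in for the data source
    workers = [threading.Thread(target=relay_once, args=(server,)),
               threading.Thread(target=gateway, args=(addr, fake_source))]
    for w in workers:
        w.start()
    result = cloud_refresh(addr, b"SELECT 1")
    for w in workers:
        w.join()
    server.close()
    return result

if __name__ == "__main__":
    print(demo())
```

Because `gateway()` never opens a listening socket, a firewall in front of it needs no inbound rule, which is the property the thread attributes to Azure Relay.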
