otravers
Community Champion

How to secure scheduled refreshes in Power BI service from data source in AWS VPC?

With a couple of my clients we're looking at further securing how Power BI connects to databases in Amazon RDS. As a starting point we don't want the source database to be exposed to the public Internet. I'm trying to figure out the architectural options, but while I have a modicum of Azure and cloud networking knowledge, I'm not an expert in these areas, and my clients know the Amazon side better than the Microsoft side. But as their Power BI guy they turn to me for advice, and I don't know what I don't know here. Here's what I've found so far, any guidance would be much appreciated.

 

Exhibit A - solution architecture proposed by Amazon, with on-premises data gateway in a private subnet

 

The following page has an interesting architecture - they even run Power BI desktop in a cloud VM - and it does keep the source database private (in this case Redshift but it could be RDS). But my concern is that data going from the data gateway to the Power BI service flows through the public internet:

https://aws.amazon.com/blogs/big-data/integrate-power-bi-with-amazon-redshift-for-insights-and-analy...

 

Exhibit B - site to site VPN between AWS and Azure

 

The following pages discuss how to set up a dual-cloud VPN, which sounds promising:

https://levelup.gitconnected.com/azure-to-aws-vpn-step-by-step-b8c853a62

https://infra.engineer/azure/52-site-to-site-vpn-between-aws-and-azure

 

My concern with this is, how can you "inform" the data gateway and Power BI service to use this network? As far as I know networking settings in the data gateway are fairly limited: HTTPS vs. TCP, and an optional proxy server. I know that the data gateway uses Azure Service Bus behind the scenes, but it's not exposed to us end users, is it?

 

I've read about Azure service endpoints and private endpoints, but while that could be used if the database was Azure SQL, this does not seem relevant to an AWS data source.

 

Would handling dataflow and dataset refreshes via the Power BI REST APIs, say in Azure Functions, give more control over the underlying networking?

 

Any tips and pointers are appreciated. I think my main question is whether there's a way to avoid routing traffic from the data gateway to the Power BI service via the public internet. I know it's encrypted, but it would be great if there was a way to avoid it. And of course we don't want to make the whole thing more complicated than it needs to be.

------------------------------------------------
1. How to get your question answered quickly - good questions get good answers!
2. Learning how to fish > being spoon-fed without active thinking.
3. Please accept as a solution posts that resolve your questions.
------------------------------------------------
BI Blog: Datamarts | RLS/OLS | Dev Tools | Languages | Aggregations | XMLA/APIs | Field Parameters | Custom Visuals
1 ACCEPTED SOLUTION

After further research with help from @dataveld, there are two options:

 

1. Azure ExpressRoute - this was introduced in 2016 but weirdly the Power BI-specific integration documentation was (silently) retired a couple of years ago. You can still find it on GitHub, but that doesn't exactly inspire confidence.

 

2. Azure Private Link - this is already in GA for some Azure endpoints such as SQL and ADLS, but as of this writing the "public preview" announced for July 2020 in Power BI's roadmap translates to a header in the Power BI admin settings followed by... nothing.

 

So it looks like Private Link will be the way to go once it's actually live for Power BI. In the meantime ExpressRoute is probably still an option, if poorly documented/supported.


GilbertQ
Super User

Hi there

I currently have a large customer who has got a VPC with the Gateway server running within the VPC.

We connect to the Power BI Service via HTTPS, which we have seen is more than secure to transport the data to the PBI Service. The only time the dataset will be seen will be in the browser. The rest of the time the data is fully encrypted.

This also is an architecture where it is secure and simple.




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog
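
A check for the layout discussed in this thread (database kept private, gateway inside the VPC, gateway reaching the Power BI service over HTTPS), added here as an example and not taken from any poster, AWS or Microsoft. It runs over constructed data shaped like the output of the AWS `describe_db_instances` and `describe_security_groups` calls; the security group IDs, database names and PostgreSQL port 5432 are assumptions, as is the gateway being in HTTPS mode so that tcp/443 is the only Internet egress it needs.

```python
# Added example: checks run over constructed AWS API output (no network calls).
GATEWAY_SG = "sg-gateway"  # hypothetical ID of the gateway instance's security group
ANY = "0.0.0.0/0"

def audit(db_instances, security_groups, gateway_sg=GATEWAY_SG):
    """Return findings for a private RDS source fronted by a data gateway."""
    groups = {g["GroupId"]: g for g in security_groups}
    findings = []
    for db in db_instances:
        name = db["DBInstanceIdentifier"]
        if db.get("PubliclyAccessible"):
            findings.append(f"{name}: PubliclyAccessible is true")
        for ref in db.get("VpcSecurityGroups", []):
            sg_id = ref["VpcSecurityGroupId"]
            for perm in groups.get(sg_id, {}).get("IpPermissions", []):
                if any(r["CidrIp"] == ANY for r in perm.get("IpRanges", [])):
                    findings.append(f"{name}: {sg_id} allows ingress from {ANY}")
                others = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])} - {gateway_sg}
                if others:
                    findings.append(f"{name}: {sg_id} allows ingress from {sorted(others)}")
    # The gateway initiates its connections, so check what it may reach on the Internet.
    for perm in groups.get(gateway_sg, {}).get("IpPermissionsEgress", []):
        to_any = any(r["CidrIp"] == ANY for r in perm.get("IpRanges", []))
        https_only = perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == perm.get("ToPort") == 443
        if to_any and not https_only:
            findings.append(f"{gateway_sg}: Internet egress wider than tcp/443")
    return findings

# Constructed sample in the shape of describe_db_instances / describe_security_groups output.
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "reporting-db", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}]},
    {"DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-legacy"}]},
]
SAMPLE_SGS = [
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-gateway"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": ANY}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-gateway", "IpPermissions": [], "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-db"}]}]},
]

print("\n".join(audit(SAMPLE_DBS, SAMPLE_SGS)))
```
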

@GilbertQ thanks for your input. Your setup is similar to Amazon's architecture. Unless I hear otherwise, for now I will assume that communication from the data gateway to the Power BI service has to go through the public internet (still encrypted, obviously).


Yeah you are 100% correct and that is how all the gateways connect to the PBI Service.

And in the 5 years since PBI has been running I have not read or heard of any issues with it running this way.





