How VNet Injection Works

Behind the scenes, Power Platform uses Azure subnet delegation and workload injection:

  • At runtime, supported workloads run inside containerized instances.
  • These containers are injected into a delegated subnet and assigned a private IP.
  • All outbound calls follow your VNet’s security policies, DNS configuration, and routing.

This ensures that traffic to databases, APIs, and private services stays fully inside the enterprise network boundary.


Scenarios and Workloads That Benefit Most

Power Platform VNet support is designed for API-style, short‑lived, high-concurrency outbound requests. This includes:

  • Dataverse plug-ins
  • Custom connectors
  • SQL Server (Private Endpoint)
  • Azure Key Vault
  • Azure Storage (Blob/File/Queue)
  • Synapse dedicated SQL pools
  • Preauthorized HTTP with Entra ID
  • Snowflake, Databricks, AI Search connectors

Some workloads—especially those requiring Windows authentication or non‑Microsoft drivers—may still require a data gateway.


Sizing the Delegated Subnet

Because containers scale dynamically, subnet sizing must accommodate concurrency:

  • Production environments typically need 25–30 IPs
  • Non-production requires 6–10 IPs
  • Each subnet reserves 5 IPs automatically
  • Multi-environment policies must account for cumulative IP demand

Over‑provisioning is highly recommended, as changing ranges post‑delegation requires support intervention.
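The sizing rules above can be turned into a quick pre-delegation check. This is an added example, not code from Microsoft or the original post. It assumes all environments share one delegated subnet, budgets the upper end of each range, and uses hypothetical function names and a constructed 10.20.0.0 address range.

```python
import ipaddress
import math

# Figures from the sizing guidance above (upper end of each range).
PROD_IPS = 30      # production environment: 25-30 IPs
NONPROD_IPS = 10   # non-production environment: 6-10 IPs
RESERVED_IPS = 5   # reserved automatically in every subnet


def required_ips(prod_envs, nonprod_envs, headroom=0.0):
    """Cumulative address demand for environments sharing one delegated subnet.

    headroom is an assumed over-provisioning fraction (0.5 = 50% extra).
    """
    demand = prod_envs * PROD_IPS + nonprod_envs * NONPROD_IPS
    return math.ceil(demand * (1 + headroom)) + RESERVED_IPS


def smallest_prefix(total_ips):
    """Longest IPv4 prefix (smallest subnet) holding total_ips addresses."""
    host_bits = (total_ips - 1).bit_length()  # integer ceil(log2(total_ips))
    return 32 - host_bits


def check_subnet(cidr, prod_envs, nonprod_envs, headroom=0.0):
    """Compare a candidate subnet against the cumulative demand."""
    net = ipaddress.ip_network(cidr, strict=True)
    needed = required_ips(prod_envs, nonprod_envs, headroom)
    return {
        "subnet": str(net),
        "needed_ips": needed,                       # includes the 5 reserved
        "usable_ips": net.num_addresses - RESERVED_IPS,
        "fits": net.num_addresses >= needed,
        "recommended_prefix": smallest_prefix(needed),
    }


if __name__ == "__main__":
    # Constructed scenario: 2 production + 3 non-production environments,
    # with 50% headroom because resizing after delegation needs support.
    for cidr in ("10.20.0.0/26", "10.20.0.0/24"):
        print(check_subnet(cidr, prod_envs=2, nonprod_envs=3, headroom=0.5))
```

For the constructed scenario the demand is 140 addresses, so a /26 is rejected and a /24 is the smallest range that fits.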
