keeping your on-premise data up-to-date with the on-premise ... - power bi · -secured, and...


Upload: doankhanh

Post on 13-Apr-2018


TRANSCRIPT

Page 1: Keeping your On-Premise Data up-to-date with the On-Premise ... - Power BI · -Secured, and optimized communication channel to use with your cloud services (Power BI, Azure Analysis

One gateway for multiple cloud services and experiences

[Diagram]
On-premises data sources: Files, SharePoint; SQL Server; SQL Server Analysis Services; other data sources
Cloud services: PowerApps, Microsoft Flow, Power BI, Azure Logic Apps, Azure Analysis Services
Components: Application Gateway, Azure Service Bus, Gateway Cloud Service
- Data source connection credentials are encrypted
- Data source connection credentials can only be decrypted by the gateway


What is an On-premises Data Gateway?

- Secured, and optimized communication channel to use with your cloud services (Power BI, Azure Analysis Services, PowerApps, Microsoft Flow, Azure Logic Apps)
- The gateway is not a general purpose/bi-directional VPN
- The gateway installs on any domain-joined machine
- Outbound traffic only
- You don’t have to install it on a DMZ, or open your firewall for inbound traffic
- The gateway enables data/API connectivity
- It’s orthogonal to how you consume Dashboards, Reports, Flows or Apps on top of these connections


What is an On-premises Data Gateway?

- The Gateway uses an Azure Service Bus Relay to communicate between on-premises data sources and cloud services
- Azure Service Bus infrastructure is provisioned and owned by the Gateway Cloud Service, it is not an additional offering customers need to buy
- This enables a self-service, low-friction installation, configuration, and runtime of gateways
- Unless the gateway is up and running, connections & requests won’t pass through the gateway
- No caching of requests or data on the on-premises gateway or the communication pipeline to the cloud


On-premises Data Gateway management

- Centralized way to refresh on-premises content
- Access control to data sources
- Users and admin management and controls


[Diagram labels: Gateway, Cloud Service, DB, Data Movement Service, Service bus, Scheduler service]

1. Gateway is installed & configured. During configuration, a corresponding service bus instance is also configured.
2. Credentials entered for the data source in the cloud services are encrypted then stored in the cloud. Only the gateway can decrypt the credentials. Personal Gateway Windows credentials are stored in the Gateway only.
3. One of the supported cloud services kicks off a refresh or a live query.
4. Data Movement Service analyzes the query and pushes it to the appropriate Service Bus communication channel.
5. Gateway polls its Service Bus channel for pending requests. It takes the pending request.
6. Gateway gets the query, decrypts the credentials, sends the query to the data source for execution.
7. After execution, gateway securely pushes the data to the cloud service.


Where is your data?
• Cloud
• On-premises

How do you connect?
• Import data
• Direct Query

How do you refresh?
• Personal Gateway
• On-premises Data Gateway


https://powerbi.microsoft.com/en-us/documentation/powerbi-gateway-onprem/

Coming soon: Impala, Snowflake, Spark, etc.

Roadmap: third party extensibility for connectors in Power BI Desktop and Gateway


| | Import (cached mode) | Direct query or Live connection |
|---|---|---|
| Refresh frequency | Scheduled - hourly or daily | Real-time |
| Performance | No noticeable delay since data is already cached | Depends on how fast the data source is, as queries are executed in real-time |
| Data storage in Power BI | Since it is cached mode, data is stored in the cloud | No data is stored in Power BI. Data is always on-premises* |
| Data size | Current limit of 1 GB (compressed) per model; unlimited in Premium | The on-premises database is the limit; no Power BI limitation |
| Security | Can create row-level security on the Power BI dataset (import only) | Re-use on-prem row level security (for Analysis Services, additional SSO based on Kerberos) |
| Data sources | All on-prem data sources supported can be used in import mode | SQL, SSAS, Oracle, Teradata, SAP HANA, Redshift, Spark, etc. (more coming soon: SAP BW, etc.) |

*Some data for visuals is cached for optimizing first-time load performance (refresh interval can be configured)


[Diagram: Cloud: Power BI; On-premises: On-premises Data Gateway and on-premises data sources (SQL Server Analysis Services)]

Power BI Service: For each query by a Power BI AAD user to on-premises SSAS servers, or supported SSO DirectQuery sources, it passes along UPN with query: e.g. “[email protected]”

On-premises Data Gateway:
- Map UPN to a local user (if needed)
- Execute query on behalf of the original user.


https://powerbi.microsoft.com/en-us/documentation/powerbi-gateway-enterprise-manage-ssas/#usernames-with-analysis-services

https://powerbi.microsoft.com/en-us/documentation/powerbi-gateway-enterprise-manage-ssas/#map-user-names

User Account

firstName.lastName Alias corp.on-prem.contoso


[Diagram: Cloud: Power BI; On-premises: On-premises Data Gateway and on-premises data sources (SQL Server Analysis Services)]

Power BI Service:
1. For each query by a Power BI AAD user to on-premises SSAS servers, passes along UPN string: “[email protected]”
2. Note: any manual UPN user mappings defined in the Power BI data source configuration are still applied before sending the user name string to the on-premises data gateway.

On-premises Data Gateway with configurable Custom User Mapping:
3. Find Active Directory to search (automatic, or configurable)
4. Lookup e.g. ‘Email’ attribute of AD Person based on incoming UPN string (“[email protected]”) from Power BI Service. If the AD Lookup fails, attempts to use the passed-along UPN as EffectiveUser to SSAS
5. If AD Lookup succeeds, retrieve ‘UserPrincipalName’ of that AD Person.
6. Pass ‘UserPrincipalName’ email as EffectiveUserName to SSAS: e.g. “[email protected]”


[Diagram: Cloud: Power BI; On-premises: On-premises Data Gateway and on-premises data sources]

Power BI Service:
1. For each interactive query by a Power BI AAD user, and each per-user dashboard tile update (background refresh) to on-premises DirectQuery sources configured for SSO, PBI Service passes along UPN string: “[email protected]”

On-premises Data Gateway with SSO:
2. If AAD DirSync/Connect configured: UPN string maps to AD user account
   Alternatively, automatic UPN mapping through AD lookup by gateway:
   • Find Active Directory to search (automatic, or configurable)
   • Lookup e.g. ‘Email’ attribute of AD Person based on incoming UPN string (“[email protected]”) from Power BI Service. If the AD Lookup fails, attempts to use the passed-along UPN string
   • If AD Lookup succeeds, retrieve ‘UserPrincipalName’ of that AD Person.
3. Gateway resolves on-premise user principal name, performs Kerberos protocol auth transition, and opens data connection as that Windows identity, e.g. “[email protected]”
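The mapping order described on the two slides above (manual mappings in the service first, then the gateway's AD lookup with fallback to the passed-along UPN), as an added Python example that is not Microsoft's gateway code. The directory entries, mapping table, function names and the choice to reject ambiguous lookups are assumptions of this example.

```python
# Added example: not Microsoft's gateway code. All names and values are constructed.

# Constructed stand-in for the on-premises Active Directory.
DIRECTORY = [
    {"userPrincipalName": "ajones@corp.contoso.example", "mail": "alice.jones@contoso.example"},
    {"userPrincipalName": "bsmith@corp.contoso.example", "mail": "bob.smith@contoso.example"},
]

# Constructed manual UPN mappings from the Power BI data source configuration,
# modelled as exact, case-insensitive replacements (an assumption of this example).
SERVICE_MAPPINGS = {"carol@partner.example": "bob.smith@contoso.example"}


def apply_service_mappings(upn, mappings=SERVICE_MAPPINGS):
    """Cloud side: manual mappings are applied before the name leaves the service."""
    return mappings.get(upn.lower(), upn)


def gateway_resolve(upn, directory=DIRECTORY, lookup_attr="mail"):
    """Gateway side: AD lookup by attribute; returns (effective_user, source)."""
    matches = [p for p in directory
               if p.get(lookup_attr, "").lower() == upn.lower()]
    if len(matches) > 1:
        # The slides do not cover this case; refusing is this example's choice.
        raise ValueError(f"ambiguous {lookup_attr} lookup for {upn!r}")
    if matches:
        return matches[0]["userPrincipalName"], "ad-lookup"
    # Lookup failed: the passed-along UPN is used unchanged, as the slides describe.
    return upn, "fallback-upn"


def effective_user_name(aad_upn):
    """Full path: service mapping first, then the gateway's AD lookup."""
    return gateway_resolve(apply_service_mappings(aad_upn))


if __name__ == "__main__":
    for who in ("Alice.Jones@contoso.example", "carol@partner.example",
                "dave@contoso.example"):
        user, source = effective_user_name(who)
        print(f"{who} -> {user} ({source})")
```

Recording the `source` value per query shows which requests reached the data source under a name the directory lookup did not map.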


| AAD user | Role | Local AD domain | SQL DB Data permissions |
|---|---|---|---|
| [email protected] | GW Admin, Dashboard owner | [email protected] | RLS: all data |
| [email protected] | Dashboard consumer | [email protected] | RLS: “Computer” category only |
| [email protected] | Dashboard was re-shared, but this user should not see visuals | - | Connection is denied at DB level |


https://powerbi.microsoft.com/en-us/documentation/powerbi-gateway-onprem/#forcing-https-communication-with-azure-service-bus

With locked-down network proxies present, it is still required to whitelist Azure Data Center IP address ranges for the HTTPS traffic: https://www.microsoft.com/download/details.aspx?id=41653

More info on proxies: https://powerbi.microsoft.com/en-us/documentation/powerbi-gateway-proxy/

Starting with February release: When switching to HTTPS-mode, there is no network communication based on direct IP addresses anymore. Instead all data traffic goes to FQDNs: *.servicebus.windows.net
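A check of the HTTPS-mode claim above against egress logs, as an added Python example that is not part of the original deck. The log format, host names and addresses are constructed; the check covers only the relay data traffic named on the slide, so an `other-fqdn` result is an entry to review rather than a verdict.

```python
# Added example: constructed proxy log entries, not real gateway traffic.
import ipaddress

ALLOWED_SUFFIX = "servicebus.windows.net"  # from the slide: *.servicebus.windows.net

# Constructed log: timestamp, source host, method, destination host:port.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z gw01 CONNECT contoso-relay.servicebus.windows.net:443
2018-03-01T10:00:02Z gw01 CONNECT 203.0.113.10:443
2018-03-01T10:00:03Z gw01 CONNECT servicebus.windows.net.example.org:443
2018-03-01T10:00:04Z gw01 CONNECT notservicebus.windows.net:443
"""


def classify_destination(host):
    """Return 'servicebus-fqdn', 'direct-ip' or 'other-fqdn' for one host."""
    host = host.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host.strip("[]"))  # brackets appear around IPv6
        return "direct-ip"
    except ValueError:
        pass
    # '*.' means at least one label in front of the suffix, joined by a dot,
    # so look-alike names that merely contain or end with the text do not match.
    if host.endswith("." + ALLOWED_SUFFIX) and len(host) > len(ALLOWED_SUFFIX) + 1:
        return "servicebus-fqdn"
    return "other-fqdn"


def audit(log_text):
    """List (host, kind) for every CONNECT that is not relay FQDN traffic."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "CONNECT":
            continue
        host = fields[3].rsplit(":", 1)[0]  # drop the port
        kind = classify_destination(host)
        if kind != "servicebus-fqdn":
            findings.append((host, kind))
    return findings


if __name__ == "__main__":
    for host, kind in audit(SAMPLE_LOG):
        print(f"{kind:11} {host}")
```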


https://powerbi.microsoft.com/en-us/documentation/powerbi-gateway-onprem-tshoot/#performance


http://aka.ms/gatewaytshoot


SSO via Kerberos (private preview)

OAuth support for data mashup scenarios through Gateway (June)

High Availability (public preview in summer)

Automatic Load Balancing (Fall)

Additional data sources:

Impala (June)

SAP BW Direct Query with SSO Kerberos (preview in June/July)

Impala with SSO Kerberos (Fall)

Snowflake, Spark (Fall)

General third-party extensibility in gateway for data connectors

Data Connector SDK: https://powerbi.microsoft.com/en-us/blog/data-connectors-developer-preview/


http://aka.ms/summitprize


https://aka.ms/mdis17schedule
