About This Architecture

Power Platform VNet injection across Azure paired regions (Australia East and Australia Southeast) with delegated subnets, private endpoints, and Managed Identity authentication. Traffic flows from Power Platform environments through enterprise policy subnet injection into spoke VNets, with Function Apps integrating outbound via delegated subnets and backend services (Storage, Key Vault, Function Apps) accessed exclusively through private endpoints in non-delegated subnets. Microsoft Entra ID provides service principal and client certificate authentication, while Private DNS Zones must be linked to both VNets to resolve privatelink endpoints correctly. This architecture demonstrates zero-trust network segmentation, least-privilege access, and disaster recovery readiness across paired Azure regions. Fork and customize this diagram on Diagrams.so to adapt subnet ranges, add hub-and-spoke connectivity, or document your own multi-region Power Platform deployments.

People also ask

How do you configure Power Platform VNet injection with private endpoints across Azure paired regions?

This diagram shows Power Platform VNet injection deployed across Australia East and Australia Southeast spoke VNets, each with delegated subnets for enterprise policy injection, Function App outbound integration, and non-delegated subnets hosting private endpoints for Storage, Key Vault, and Function Apps. Microsoft Entra ID authenticates via service principal and client certificate, while Private