Administrators of the On-premises data gateway, such as the security group mentioned in the On-premises data gateway planning section, are responsible for configuring the data sources that can be used with each gateway cluster. Additionally, gateway administrators have control over the users or security group(s) of users that can utilize a gateway data source. As shown in the following image from the Manage gateways portal in the Power BI service, credentials entered for data sources are encrypted:
The data source credentials are only decrypted once the query request reaches the on-premises gateway cluster within the corporate network. The gateway decrypts the credentials needed for query requests and, once the query has executed, it encrypts the results of these query requests prior to pushing this data to the Power BI service. The Power BI service never knows the on-premises credential values.
Technically, the following five-step process occurs to facilitate communication and data transfer between the Power BI service and the on-premises sources:
- The Power BI service initiates a scheduled refresh or a user interacts with a DirectQuery or a Live connection report.
In either event, a query request is created and analyzed by the data movement service in Power BI.
- The data movement service determines the appropriate Azure Service Bus communication channel for the given query.
A distinct service bus instance is configured per gateway.
- The On-premises data gateway polls its service bus channel and obtains the pending request.
- The gateway decrypts the credentials and then sends the query to the data source for execution.
- The results of the query (data) are returned to the gateway, encrypted, and then pushed to the Power BI service.
The critical component of the gateway's security is the recovery key that's created during the installation and configuration process. In the following image, a user account has signed into the the Power BI service and both a name for the gateway and a recovery key are required to configure the gateway:
The recovery key is used to generate strong RSA and AES encryption keys. As described earlier in this section, these encyrption keys never leave the gateway machine.
It's strongly recommended to store the gateway recovery key in a safe and secure location. This should be on a machine other than the gateway server itself as the recovery key can be used to migrate, restore, or take over an existing gateway, as described in the Troubleshooting and monitoring gateways section later in this chapter. Additionally, the recovery key is required when adding a gateway to a cluster to provide high availability and load balancing.