Understanding the Power BI Gateway Architecture
The on-premises data gateway acts as a secure bridge between your on-premises data sources and Microsoft cloud services. Understanding its architecture is essential for proper deployment and troubleshooting.
When a Power BI user views a report linked to an on-premises data source, a specific sequence takes place:
- The Power BI service sends the data request to Azure Service Bus.
- The gateway monitors Azure Service Bus and retrieves the pending request.
- The gateway connects to the on-premises data source using stored credentials.
- The gateway executes the query against the data source.
- Results are sent back to the gateway, which compresses and encrypts them.
- The gateway sends the encrypted results through Azure Service Bus back to the Power BI service.
- Finally, Power BI renders the report with the returned data.
Critically, the gateway initiates all connections outbound. It does not require any inbound firewall rules, which simplifies security configuration significantly. The gateway communicates with Azure Service Bus over HTTPS (port 443) and optionally Azure Relay over TCP (ports 9350-9354).
Personal Gateway vs Enterprise Gateway
Microsoft offers two gateway modes, and choosing the wrong one is a common mistake that creates problems down the road.
| Feature | Personal Gateway | Enterprise (Standard) Gateway |
|---|---|---|
| Users supported | Single user only | Multiple users / organization-wide |
| DirectQuery / Live Connection | Not supported | Fully supported |
| Scheduled refresh | Supported | Supported |
| High availability cluster | Not supported | Supported (2+ nodes) |
| Administration | Single user manages | Multiple admins, centralized management |
| Services supported | Power BI only | Power BI, Power Apps, Power Automate, Logic Apps |
| Runs as | Windows application (user context) | Windows service (service account) |
| Recommended for | Developer testing only | All production environments |
The recommendation is straightforward: always use the enterprise (standard) gateway for any production or shared environment. The personal gateway should only be used for individual developer testing scenarios where the developer needs to test refresh behavior against a local data source.
Pre-Installation Planning
Proper planning before gateway installation prevents the most common deployment problems.
Server Specifications
While Microsoft's documented minimum requirements are 8 cores and 8 GB RAM, these minimums are insufficient for enterprise workloads. Based on our experience across hundreds of gateway deployments, here are realistic recommendations by workload tier.
| Workload Tier | CPU Cores | RAM | Storage | Typical Scenario |
|---|---|---|---|---|
| Light | 8 | 16 GB | 100 GB SSD | 10-20 datasets, <1M rows each, 8 daily refreshes |
| Medium | 16 | 32 GB | 200 GB SSD | 20-50 datasets, 1-10M rows, concurrent refreshes |
| Heavy | 16-32 | 64 GB | 500 GB SSD | 50+ datasets, 10M+ rows, DirectQuery + refresh |
Network Requirements
- Outbound HTTPS (443) — Required for communication with Azure Service Bus. Must be open to *.servicebus.windows.net and *.frontend.clouddatahub.net
- Outbound TCP (9350-9354) — Optional but recommended for Azure Relay. Falls back to HTTPS 443 if blocked
- No inbound rules required — The gateway only initiates outbound connections
- Proxy support — The gateway supports HTTPS proxy configuration if direct internet access is not available
- DNS resolution — The gateway server must resolve both internal data source hostnames and external Azure endpoints
- Low latency to data sources — Place the gateway server in the same datacenter and ideally the same network segment as your data sources
Service Account Configuration
The enterprise gateway runs as a Windows service under a service account. Use a dedicated Active Directory service account (not a personal user account) with the following characteristics: password set to never expire, granted "Log on as a service" rights, granted database access to all on-premises data sources the gateway will connect to, and not a member of Domain Admins (principle of least privilege). Document the service account credentials securely, as losing them can require gateway re-installation.
Step-by-Step Installation Guide
Step 1: Download and Run the Installer
To get started, download the on-premises data gateway installer from the official Microsoft download page. You can find it by searching for "on-premises data gateway" on microsoft.com/download.
Always use the latest version. Follow these steps to install:
- Run the installer on your dedicated gateway server with administrative privileges.
- Accept the default installation path or choose a custom path.
- Ensure the selected drive has enough free space.
Step 2: Register the Gateway
After installation, the gateway configuration wizard will launch. Sign in using the organizational account (Azure AD) that will manage the gateway. This account must have a Power BI Pro or Premium Per User license.
Select "Register a new gateway on this computer" for the first node. Then, provide a descriptive gateway name that follows your naming convention. For example, use "PROD-PBI-GW-01" for the first production gateway. Create a recovery key and store it securely. This key is essential if you need to recover or migrate the gateway. Remember, the recovery key cannot be retrieved if lost.
Step 3: Configure the Service Account
By default, the gateway service operates under the NT SERVICE\PBIEgwService virtual account. For enterprise environments, it is important to switch this to your dedicated Active Directory service account.
To make this change, follow these steps:
- Open the gateway configurator.
- Go to the Service Settings tab.
- Select "Change account."
- Enter the domain\username and password.
- Restart the gateway service.
Ensure that this service account has network access to all data sources and the "Log on as a service" permission on the gateway server.
Step 4: Add Data Source Connections
Data sources are set up in the Power BI service at app.powerbi.com, not on the gateway server. To configure them, follow these steps:
- Navigate to Settings and select Manage gateways.
- Choose your gateway and click Add data source.
- Set up each on-premises connection.
For every data source, you need to provide:
- The data source type (e.g., SQL Server, Analysis Services, Oracle).
- The server name and database.
- The authentication method (Windows, Basic, or OAuth2).
- The credentials (must be valid from the gateway server's perspective).
Make sure to test each connection before publishing any reports that rely on it.
Configuring Data Sources
SQL Server Configuration
SQL Server is the most common on-premises data source for Power BI. Key configuration considerations include using Windows authentication whenever possible (more secure than SQL authentication and integrates with Active Directory), ensuring the gateway service account has at minimum db_datareader access to the databases it needs to query, enabling TCP/IP protocol in SQL Server Configuration Manager if using remote connections, and verifying that SQL Server Browser service is running if using named instances.
For large datasets, consider creating dedicated database views or stored procedures that pre-aggregate data, reducing the volume transferred through the gateway and improving refresh performance.
Analysis Services Configuration
Connecting Power BI to on-premises SQL Server Analysis Services (SSAS) allows for a live connection (DirectQuery) to both tabular and multidimensional models. However, this setup requires some additional steps:
- The gateway service account must be a member of the Analysis Services server administrators role.
- You may need to configure user mapping in the gateway data source settings to link Power BI users to Windows accounts.
- For EffectiveUserName pass-through, which is essential for row-level security in SSAS models, add the gateway service account as an Analysis Services administrator.
- Enable the EffectiveUserName property in the gateway data source configuration.
Oracle Database Configuration
To connect to Oracle through the gateway, you need the Oracle Data Access Client (ODAC) on the gateway server. Make sure to install the 64-bit Oracle Client that matches your Oracle server version. You should also configure TNS names or use Easy Connect strings.
The gateway service account requires network access to the Oracle listener port, which is usually 1521. Before setting up the Power BI data source, test the connectivity from the gateway server using SQL*Plus or Oracle SQL Developer.
SAP HANA Configuration
SAP HANA needs the SAP HANA ODBC driver on the gateway server. You can download the driver from the SAP Support Portal (SAP Note 2271001). Make sure to use the 64-bit driver version.
Next, configure the ODBC data source with the following details:
- HANA server hostname
- Port (usually 3xx15, where xx is the instance number)
Finally, test the connectivity from the gateway server before setting it up in Power BI.
High Availability Cluster Setup
For production environments, a single gateway node is a single point of failure. A gateway cluster provides automatic failover and load balancing across multiple nodes.
Cluster Architecture
A gateway cluster consists of two or more gateway installations registered under the same gateway name. All members must run the same gateway version (auto-update keeps them synchronized). The cluster automatically distributes requests across available nodes using round-robin load balancing by default, and if a node goes offline, traffic automatically routes to remaining healthy nodes.
Adding Nodes to a Cluster
To install the gateway on the second and third servers, use the same installer. During registration, choose "Add to an existing gateway cluster" instead of "Register a new gateway."
Follow these steps:
- Select the existing gateway cluster from the dropdown.
- Enter the recovery key set during the creation of the first node.
- Configure the same service account on all cluster nodes.
After joining, verify that the cluster shows all nodes as "Online" on the Power BI service gateway management page.
Cluster Best Practices
- Minimum 2 nodes, recommended 3 — Two nodes provide basic failover; three nodes maintain full redundancy even when one node is being updated or maintained
- Same datacenter — All cluster nodes should be in the same datacenter as the data sources for consistent latency
- Staggered updates — Disable auto-update and update nodes one at a time during maintenance windows to maintain continuous availability
- Identical configuration — All nodes must have the same data source drivers, service account, and network access
- Monitoring — Implement alerts on gateway service status, CPU, memory, and network utilization for each node
Troubleshooting Common Gateway Issues
Gateway Shows Offline
When the gateway status shows "offline" in the Power BI service, follow these steps:
- Verify that the Windows service "On-premises data gateway service" is running on the gateway server (services.msc).
- Test outbound connectivity to *.servicebus.windows.net on port 443 from the gateway server.
- Check that no firewall, proxy, or network change has blocked outbound HTTPS traffic.
- Review the gateway logs at C:\Users\PBIEgwService\AppData\Local\Microsoft\On-premises data gateway\ for specific error messages.
- If using a proxy, verify the proxy configuration in the gateway's Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config file.
Refresh Failures: Credential Errors
The most common refresh failure is "Unable to connect to data source: credentials invalid." This happens when the credentials in the Power BI service gateway do not match the on-premises data source.
Common reasons for this issue include:
- The service account password has expired (set passwords to never expire for service accounts).
- Database permissions have been revoked during a security audit.
- Windows authentication fails because the service account's Kerberos ticket has expired.
To resolve this, re-enter the credentials in the Power BI service gateway data source settings and test the connection.
Refresh Failures: Timeout Errors
Timeout errors occur when data source queries exceed the gateway's timeout threshold. The default timeout is 10 minutes. For large datasets, optimize the source query to return less data (use incremental refresh instead of full refresh), increase the gateway timeout by modifying the GatewayCore.dll.config file, schedule large refreshes during off-peak hours when the gateway and data source have more available resources, and consider pre-aggregating data in the source system using views or stored procedures.
Performance Degradation Over Time
If gateway performance degrades gradually, check for memory leaks by monitoring the gateway service's memory usage over time (it should not grow continuously), verify that the spooling directory has adequate free disk space (the gateway uses local disk for temporary data during refresh), ensure that concurrent refresh schedules are staggered rather than all firing at the same time, and update to the latest gateway version as Microsoft regularly ships performance improvements.
Performance Tuning for Enterprise Workloads
Query Folding Optimization
Query folding means that Power Query transformations are converted into native SQL and sent to the data source. This process reduces the load on the gateway server. When query folding works well, the data source handles most of the processing, and the gateway only transfers the final results.
To maximize query folding, consider the following:
- Avoid Power Query steps that break folding, such as adding custom columns with M functions before filtering.
- Do not merge queries from different data sources.
- Use SQL views or stored procedures for complex transformations.
- Monitor the SQL queries generated by checking the gateway logs or using SQL Profiler.
Refresh Schedule Optimization
Stagger refresh schedules to avoid overwhelming the gateway and data sources with concurrent requests. Map all datasets to a refresh schedule matrix showing which datasets refresh at which times, identify concurrent refresh conflicts and stagger them by at least 15 minutes, schedule the largest and most resource-intensive refreshes during off-peak hours, and use incremental refresh for large datasets so only new or changed data is transferred.
Network Performance
Gateway performance is directly impacted by network conditions. Ensure the gateway server has a minimum 1 Gbps network connection to data sources, position the gateway in the same datacenter as data sources to minimize round-trip latency, monitor network throughput during peak refresh periods to identify bottlenecks, and consider dedicated network paths for gateway traffic if shared network congestion is an issue.
Security Best Practices
- Least privilege service account — The gateway service account should only have the minimum permissions needed to access each data source. Never use a domain administrator account
- Encrypted credentials — All data source credentials stored in the Power BI service are encrypted using the gateway's public key. Never store credentials in configuration files
- Network segmentation — Place the gateway in a network segment that has controlled access to data sources but cannot be directly accessed from untrusted networks
- Regular patching — Keep the gateway server's Windows OS and all drivers patched on a monthly cycle
- Audit logging — Enable Windows Security audit logging on the gateway server to track service account logon events and data source access
- Gateway admin management — Restrict gateway admin roles to 2-3 people. Review gateway admin list quarterly
- Recovery key protection — Store the gateway recovery key in a secure vault (Azure Key Vault, CyberArk, or equivalent). Losing this key requires complete gateway re-installation
Gateway Monitoring and Alerting
Enterprise gateway deployments require proactive monitoring to prevent issues from impacting business users. Implement monitoring for gateway service status (alert if any cluster node goes offline), CPU and memory utilization (alert at 80% sustained utilization), disk space on spooling directory (alert below 20% free), refresh failure rates (alert if failures exceed baseline threshold), and refresh duration trends (alert if refresh times increase by more than 25% from baseline).
Power BI provides built-in gateway performance monitoring through the Power BI Admin Portal. For more comprehensive monitoring, integrate gateway logs with your SIEM or monitoring platform (Splunk, Azure Monitor, Prometheus) using log forwarding from the gateway server.
When to Engage Expert Help
Many organizations manage gateway installations effectively with internal IT staff. However, consider engaging Power BI consulting services when deploying gateways across multiple datacenters or regions, configuring complex data source connectivity (SAP, Oracle RAC, multi-forest AD), implementing high availability for business-critical real-time dashboards, troubleshooting persistent performance issues that internal teams cannot resolve, or designing gateway architecture for 50+ datasets with concurrent refresh requirements.
Frequently Asked Questions
What is the Power BI on-premises data gateway and when do I need it?
The on-premises data gateway is a bridge application that provides secure data transfer between on-premises data sources and Microsoft cloud services including Power BI, Power Apps, Power Automate, Azure Analysis Services, and Azure Logic Apps. You need a gateway whenever Power BI needs to access data that is not in the cloud — specifically SQL Server databases on your network, Analysis Services (SSAS) tabular or multidimensional models, Oracle databases, SAP HANA, file shares, or any other on-premises data source. You do NOT need a gateway for cloud data sources like Azure SQL Database, Azure Synapse, SharePoint Online, or Dataverse.
What is the difference between personal and enterprise (standard) gateway?
The personal gateway (on-premises data gateway - personal mode) is designed for a single user and can only be used by the person who installed it. It supports scheduled refresh only — no live connections or DirectQuery. The enterprise gateway (on-premises data gateway - standard mode) supports multiple users, live connections, DirectQuery, scheduled refresh, and can be shared across the organization. Enterprise gateway also supports high availability clustering with multiple gateway nodes. For any production or enterprise environment, always use the standard (enterprise) gateway. The personal gateway is only appropriate for individual developer testing.
How do I set up a Power BI gateway cluster for high availability?
To create a high availability gateway cluster: install the standard gateway on two or more servers, then when installing additional gateway instances, select "Add to an existing gateway cluster" instead of "Register a new gateway." All cluster members must run the same gateway version and be registered under the same gateway name. The cluster automatically load-balances requests across available nodes and fails over if a node goes offline. Minimum requirements per node: 8 cores, 8 GB RAM, SSD storage, Windows Server 2019 or later. Best practice is 2-3 nodes in the same datacenter with a dedicated service account and static IP addresses.
Why is my Power BI gateway refresh failing and how do I troubleshoot it?
The most common gateway refresh failures and their solutions are: "The gateway is offline" — check that the gateway Windows service (On-premises data gateway service) is running and the server has internet access to Azure Service Bus endpoints. "Unable to connect to data source" — verify credentials in Power BI service gateway settings match the on-premises data source, check that the service account has database access, and test connectivity from the gateway server using SSMS or equivalent. "Timeout expired" — increase the gateway timeout in gateway configuration, optimize the data source query, or schedule refreshes during off-peak hours. "Memory errors" — the gateway server needs more RAM, or the dataset is too large for available memory. Gateway logs are located at C:\Users\PBIEgwService\AppData\Local\Microsoft\On-premises data gateway\*.log.
What are the hardware requirements for a Power BI enterprise gateway?
Microsoft's minimum requirements are modest (8 cores, 8 GB RAM), but enterprise deployments should exceed minimums significantly. Recommended specifications for production: 8-16 CPU cores (physical, not shared virtual cores), 16-32 GB RAM (more if running concurrent refreshes of large datasets), SSD storage with at least 100 GB free space for spooling, Windows Server 2019 or 2022, .NET Framework 4.8+, and a dedicated static IP address. The gateway should be on a dedicated server — do not install it on a domain controller, database server, or shared application server. Network latency to data sources is critical; the gateway should be in the same datacenter as your data sources, ideally on the same network segment.
Need Expert Gateway Configuration for Enterprise Power BI?
EPC Group has deployed and managed Power BI gateways for organizations with 50 to 500+ on-premises data sources. From initial architecture through high-availability clustering and ongoing monitoring, we ensure your gateway infrastructure supports reliable, performant data delivery to Power BI. Schedule a free consultation.
Schedule a Free ConsultationErrin O'Connor
CEO & Chief AI Architect at EPC Group
With 29 years of experience in Microsoft technologies and enterprise consulting, Errin has architected data gateway infrastructure for Fortune 500 companies, healthcare systems, and government agencies. He is a Microsoft Press bestselling author of four books covering Power BI, SharePoint, Azure, and large-scale enterprise migrations.