Root Cause (Why you see 403)
Even with Service Principal (Entra ID) and the Blob V2 connector, Power Automate runs outside your VNet (multi-tenant SaaS). It cannot reach a storage account with public access disabled / private endpoint only.
Important:
The 403 “Authentication error” is misleading: it’s actually a network-level block (PublicAccessNotAllowed), not an identity issue.
1. Is VNet Data Gateway the correct and recommended solution for this scenario?
Partially, but not for your case. It works only with supported connectors.
Generic HTTP / Blob scenarios are not supported directly. So, it won’t solve your current flow design.
2. Is there a simpler alternate solution that avoids creating 2 VNets?
No, VNet Data Gateway is deployed into a subnet of your existing VNet. No separate gateway VNet is required.
Cross-region VNets add unnecessary complexity and latency.
3. Can the HTTP with Microsoft Entra ID connector with on-premises data gateway reach a private Blob Storage endpoint?
Technically yes, but strongly discouraged. It requires installing the gateway on an Azure VM.
Adds:
- unnecessary infra
- maintenance overhead
- single point of failure
This is an anti-pattern for cloud-native design.
(The "HTTP with Microsoft Entra ID" connector (formerly known as the HTTP with Azure AD connector) does support the on-premises data gateway. By installing that gateway on an Azure VM hosted inside the same Virtual Network (or a peered one) as the Private Endpoint, the gateway can resolve the private IP and route the traffic.)
4. If VNet Data Gateway is the recommended or proper approach, then can I create 2 VNets: one in Central India and a second in South India?
Yes, you can place them in different regions (Central India / South India).
But:
- Adds latency
- Adds complexity
- Requires peering
Best practice:
- Keep them in the same region if used
Simpler, Recommended Alternatives
Option A: Logic Apps (Standard)
Fastest, low/no code
Flow:
Power Automate → Logic App → Private Blob
- Logic App supports VNet integration
- Native Blob connector works with private endpoint
- Secure with Entra ID
Option B: Azure Function (Best balance)
Flow:
Power Automate → Azure Function → Private Blob
- Function runs inside VNet
- Uses Managed Identity for Blob access
- Fully serverless, scalable, secure
Why not Azure VM?
To make it work, you’d need:
- Public exposure (App Gateway / proxy)
This introduces:
- security risk
- patching & maintenance
- unnecessary complexity
Serverless options already solve this better.
Final Recommendation
Use Azure Function or Logic Apps Standard as a proxy
Why:
- Keeps storage fully private
- Avoids VNet Gateway complexity
- No VM management
- Clean, scalable architecture
✅ If this answer helped resolve your issue, please mark it as Accepted so it can help others with the same problem.
👍 Feel free to Like the post if you found it useful.
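The point made at the top of this answer, that the 403 is a network block rather than an identity failure, is easy to verify before redesigning anything. The following is an added example, not code from the answer or from Microsoft: it parses the XML error body Azure Storage returns, classifies the 403 by its error code, and reads the network settings from the JSON that `az storage account show` prints to explain why a caller on the public internet (such as Power Automate) is blocked. `PublicAccessNotAllowed` is the code named in the answer; the mapping of the other codes (`AuthorizationFailure`, `AuthenticationFailed`, `AuthorizationPermissionMismatch`) to a cause is this example's assumption, drawn from Azure Storage's documented error codes. The sample response body and account JSON are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Error codes found in the XML body of a failed Azure Storage request.
# "PublicAccessNotAllowed" is the code the answer names; the other entries and
# their grouping into network vs. identity causes are this example's assumption.
NETWORK_BLOCK_CODES = {"PublicAccessNotAllowed", "AuthorizationFailure"}
IDENTITY_CODES = {"AuthenticationFailed", "AuthorizationPermissionMismatch"}

# Constructed sample error body in the shape Azure Storage uses (<Error><Code/><Message/></Error>).
SAMPLE_403_BODY = (
    "<Error><Code>PublicAccessNotAllowed</Code>"
    "<Message>Public access is not permitted on this storage account.</Message></Error>"
)

# Constructed sample of the fields `az storage account show` prints; the account
# and private endpoint names are placeholders.
SAMPLE_ACCOUNT_JSON = json.dumps({
    "name": "examplestorageacct",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [{"name": "pe-blob-placeholder"}],
})


def parse_storage_error(body_xml: str) -> Tuple[str, str]:
    """Return (Code, Message) from an Azure Storage XML error response body."""
    root = ET.fromstring(body_xml)
    return root.findtext("Code", default=""), root.findtext("Message", default="")


def classify_403(status: int, body_xml: str) -> str:
    """Decide whether a failed Blob request was blocked by the network path or by identity.

    'network'  -> the caller is outside the allowed network path; fix routing, not credentials
    'identity' -> the credential or its RBAC role assignment is the problem
    """
    if status != 403:
        return "not-403"
    code, _ = parse_storage_error(body_xml)
    if code in NETWORK_BLOCK_CODES:
        return "network"
    if code in IDENTITY_CODES:
        return "identity"
    return "unknown"


def network_block_reason(account: dict) -> Optional[str]:
    """Explain why a caller on the public internet cannot reach the account, using the
    publicNetworkAccess and networkRuleSet fields of the account JSON. None means the
    network layer does not block public callers."""
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "publicNetworkAccess is Disabled: only private endpoints can reach this account"
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction") == "Deny":
        allowed = [r.get("ipAddressOrRange") for r in rules.get("ipRules", [])]
        return f"firewall defaultAction is Deny; allowed public IP ranges: {allowed or 'none'}"
    return None


def diagnose(status: int, body_xml: str, account_json: str) -> dict:
    """Combine both checks into one verdict a flow owner can act on."""
    account = json.loads(account_json)
    cause = classify_403(status, body_xml)
    reason = network_block_reason(account)
    if cause == "network" and reason:
        action = "route the request from inside the VNet (Function / Logic App Standard proxy)"
    elif cause == "identity":
        action = "check the service principal's RBAC role on the storage account"
    else:
        action = "inspect the full error response"
    return {"cause": cause, "network_reason": reason, "action": action}


if __name__ == "__main__":
    print(json.dumps(diagnose(403, SAMPLE_403_BODY, SAMPLE_ACCOUNT_JSON), indent=2))
```

Run it against the real values by pasting the error body from the failed flow run into `SAMPLE_403_BODY` and the output of `az storage account show -n <account> -g <resource-group>` into `SAMPLE_ACCOUNT_JSON`; a `network` verdict with a non-empty `network_reason` means no credential change will help and the request has to originate inside the VNet, which is what the proxy options above provide.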