Where we left off: In Part 2 we set up the on-premises SQL Server with three entity tables, loaded sample data, and created a read-only gateway user. Now we build the secure bridge — the On-Premises Data Gateway — that lets Microsoft Fabric pipelines reach that SQL Server from the cloud.
What Is the On-Premises Data Gateway?
The On-Premises Data Gateway is a lightweight Windows service that acts as the secure relay between your Microsoft Fabric cloud environment and on-premises data sources like SQL Server. Think of it as a bridge: when your Fabric pipelines need to read or write data to an on-premises database, they send requests through this gateway, which executes the queries locally and streams the results back to the cloud.
The gateway is installed on the same machine where your SQL Server runs, or on any machine that has network access to your SQL Server. Once installed and configured, it registers itself with the Microsoft cloud services and becomes available as a connection option in your Fabric workspace and Power BI Service.
Key Characteristics of the Gateway
- Shared Service: The same gateway infrastructure used by Power BI Service. If you already use Power BI with on-premises data sources, you likely have this gateway installed.
- Two Modes: Personal mode (for individual testing) and Standard mode (for enterprise production). Always use Standard mode in production — personal gateways are restricted and unstable.
- Lightweight: Minimal resource footprint; typically consumes less than 500MB of RAM during normal operation.
- Outbound Only: The gateway initiates outbound HTTPS connections to Microsoft cloud services. No inbound ports need to be opened, making it firewall-friendly.
- Credential Storage: Credentials are encrypted at rest and never transmitted in plaintext; the gateway uses them only to execute queries locally.
Why you need this gateway: Microsoft Fabric is a cloud-native platform. Your SQL Server database is on-premises, behind your network. Without a local gateway, Fabric has no way to send queries to it. The gateway solves the "cloud cannot reach on-prem" problem by having a local agent that Fabric can trust to safely execute queries on your behalf.
Step-by-Step Installation
Download the On-Premises Data Gateway Installer
Navigate to Microsoft's official gateway download page. As of 2026, the current version is found at download.microsoft.com or via the Microsoft Power BI Admin Portal. Download the Windows installer (.msi file) for On-Premises Data Gateway — Standard Edition.
Verify System Requirements
Before installation, ensure your machine meets these minimum requirements: OS: Windows 10 or Windows Server 2012 R2+; .NET Framework: 4.7.2 or higher (the installer will prompt you to upgrade if needed); RAM: 8GB recommended, 4GB minimum; Disk Space: At least 2GB available; Network: Stable outbound HTTPS on port 443; SQL Server Browser: Service must be running.
Run the Installer and Sign In
Execute the .msi file and follow the installation wizard. During setup, you'll be prompted to sign in with your Microsoft 365 credentials — the same credentials you use for Fabric and Power BI. The gateway uses these credentials to register itself with the Microsoft cloud and establish a secure connection. Always select Standard mode, not Personal.
Name the Gateway and Set a Recovery Key
Give your gateway a meaningful name — for example TaxiBusiness-OnPrem-GW. The installer will also ask you to create and securely store a recovery key. This passphrase is used to recover or migrate the gateway. Store it in a secure password manager or encrypted document. If you lose it, you may need to reinstall the gateway entirely.
Verify Gateway Status
Once installation completes, a notification tray icon will appear. You should see a green status indicator with the message: "The gateway is online and ready to be used." You can also verify in Windows Services that the "On-premises data gateway" service is running.
# Gateway Installation Flow — Step by Step
1. Run installer.msi as Administrator
2. Accept license agreement
3. Choose installation path (default: C:\Program Files\On-premises data gateway)
4. Select "Standard" mode (NOT Personal)
5. Click "Sign in" — authenticate with Microsoft 365
6. Service begins registration with cloud
7. Name gateway: TaxiBusiness-OnPrem-GW
8. Set recovery key (store safely — do NOT lose this)
9. Wait for green "The gateway is online and ready" message# Store in encrypted format (DO NOT share or commit to version control)
Gateway Name: TaxiBusiness-OnPrem-GW
Recovery Key: [Your-Secure-Passphrase-Here — 64 characters minimum]
Stored Location: Company Password Manager / LastPass / Azure Key Vault
Last Updated: 2026-04-16
Registered By: DataEngineering@company.comCritical — Gateway Machine Must Be Always On: The gateway must run 24/7 on a machine that never sleeps or shuts down. If your SQL Server machine goes to sleep or the gateway service stops, every Fabric pipeline job that depends on this gateway will immediately fail with a gateway timeout error. For production environments, use a dedicated VM or cluster machine as the gateway host, configure it to never enter sleep mode, and monitor the gateway service with automated alerting.
Creating the Data Source Connection in Fabric
With the gateway installed and running, you now need to create a data source connection in Fabric that tells Fabric how to use this gateway to reach your SQL Server.
Navigate to Manage Connections and Gateways
In your Fabric workspace, open Settings (gear icon) → Manage Connections and Gateways. This is where all data source configurations are stored and managed.
Create a New SQL Server Data Source
- Click New → Data Source
- Select SQL Server as the data source type
- Fill in the connection fields as shown below
- Click Test Connection to verify
- Click Save
Gateway cluster name: TaxiBusiness-OnPrem-GW (select from dropdown)
Connection name: TaxiBusiness-OnPrem-Connection
Connection type: SQL Server
Server: localhost or sql-server-hostname.yourdomain.com
Database: CabBusinessDB (created in Part 2)
Authentication method: Basic
Username: fabric_gateway_user (read-only user from Part 2)
Password: <your-read-only-password>
Privacy level: OrganizationalPrivacy Level — Explained
The Privacy Level setting controls how Fabric handles query folding and data combining across sources:
- Public: No privacy restrictions. Fabric can combine data from multiple sources freely.
- Organizational: Internal to your organization. Fabric can combine it with other Organizational sources but not with Public sources. Use this for the cab business database.
- Private: Most restrictive. Fabric cannot combine this data with any other source. Reserved for highly sensitive PII or financial data only.
Troubleshooting failed test connections — check in this order:
(1) SQL Server Browser Service — ensure it's running in SQL Server Configuration Manager.
(2) TCP/IP Protocol — expand "Protocols for [SQLSERVER]" and verify TCP/IP is Enabled.
(3) Firewall — confirm Windows firewall allows outbound connections on port 1433.
(4) Gateway Service — confirm the service is running in Windows Services.
(5) Credentials — verify fabric_gateway_user has db_datareader on the database.
Verifying Gateway Connectivity from Fabric Pipelines
The ultimate test of gateway functionality is a successful pipeline run. When you create a Pipeline with a Copy Activity that sources from your SQL Server via the gateway, the gateway becomes the execution point for that query.
From Fabric Pipeline: Copy Activity Setup
In your Fabric Pipeline, when configuring a Copy Activity, set the Source to your SQL Server connection. A table browser dropdown will appear showing all tables in your database — this is the gateway doing the work, connecting to your SQL Server and enumerating the table list in real time. If this dropdown populates correctly, your gateway is fully operational.
When you run the pipeline, the Copy Activity sends the SQL query to the gateway, the gateway executes it on your SQL Server, and the results stream into your Fabric Lakehouse. If any step fails, the gateway logs will reveal the exact failure point.
On-Premises Data Gateway — Data Flow at Pipeline Runtime
Gateway Best Practices for Production
High Availability: Gateway Clustering
For production environments, never rely on a single gateway instance. Deploy a second (or third) gateway on a different machine and add it to the same cluster. This ensures that if one machine fails, your pipelines continue running on the other gateway instance without manual intervention.
To cluster gateways, install the gateway on a second machine with the same recovery key. During setup, choose "Add to an existing cluster" and provide the recovery key and the name of the primary gateway. Both gateways will be registered as part of the same cluster and will load-balance queries between them automatically.
Monitoring: Gateway Performance and Error Logs
The gateway writes detailed logs to a local file. Monitor this file to catch issues early:
- Log Location:
%localappdata%\Microsoft\On-premises data gateway\GatewayErrors.log - Rotation: Logs rotate weekly; old logs are archived automatically.
- Key Signals: Search for
timeout,authentication failed,connection refused, orquery execution error.
Set up automated log monitoring using Windows Event Viewer or a SIEM tool to alert your team when errors spike above a threshold.
Gateway Auto-Updates
Microsoft automatically updates the gateway service, typically with no downtime. However, after an update, always run a test pipeline to ensure compatibility. Document the gateway version and patch date for compliance and audit purposes.
Credential and Permission Management
The gateway account (fabric_gateway_user created in Part 2) must have the following SQL Server permissions on every database accessed via the gateway:
- db_datareader: Allows reading all tables and views — required.
- db_datawriter: Optional. Only if your pipelines write back to SQL Server.
- db_ddladmin: Never grant this. DDL (CREATE/ALTER/DROP) permissions should never be granted to the gateway account.
Audit these permissions regularly and remove access to databases that are no longer needed by your pipelines.
What Happens at Pipeline Runtime
Let's trace the full journey of a data ingestion request through the gateway — from pipeline trigger to data landing in the Lakehouse. This end-to-end understanding is critical for debugging and performance optimization.
- Pipeline Trigger: You manually trigger
pl_ingest_landingor it fires on a schedule. - Lookup Activity (Config Table): The first activity reads
config.landing_control_tblfrom the Development Warehouse. This is a Fabric-to-Fabric query — no gateway involved. It returns the list of enabled tables and their incremental fields. - ForEach Loop: For each enabled table in the Lookup result, the pipeline iterates and triggers a Copy Activity.
- Copy Activity — Dynamic SQL: The Copy Activity builds a dynamic SQL query from the config table metadata. For example:
SELECT * FROM dbo.DRIVERSENTITY WHERE LAST_MODIFIED_AT > '2026-04-15 14:30:00' - Query Sent to Gateway: The Copy Activity sends this SQL query to the gateway over HTTPS. The gateway receives it and recognizes the target data source based on the connection configuration.
- Gateway Executes on SQL Server: The gateway (running locally on your machine) executes the SQL query against your on-premises SQL Server using the
fabric_gateway_usercredentials over TCP/IP port 1433. - Results Stream Back: The query results — potentially millions of rows — stream back through the gateway to the Pipeline Copy Activity in the Fabric cloud.
- Data Lands in Lakehouse: The Copy Activity inserts the streamed data into the
cab_landing.DRIVERSENTITYDelta table in the Lakehouse. - Update Config Watermark: After the Copy Activity succeeds, a Stored Procedure activity calls
config.update_landing_config_watermark, updating thelast_pipeline_runtimetimestamp. This watermark ensures the next run only picks up new records.
If the gateway is offline or the SQL Server is unreachable, the Copy Activity will fail at step 5 with a timeout error. If credentials are wrong, it fails at step 6 with an authentication error. The gateway logs tell you exactly which step failed.
-- Full Load (load_type = 'full')
SELECT * FROM dbo.DRIVERSENTITY;
-- Incremental Load (load_type = 'incremental', incremental_field = 'LAST_MODIFIED_AT')
SELECT * FROM dbo.DRIVERSENTITY
WHERE LAST_MODIFIED_AT >= DATEADD(day, -30, CAST('2026-04-08 12:30:35' AS DATETIME));
-- The gateway receives this query via HTTPS, executes it locally,
-- and streams results back to the Fabric Copy ActivityFor data engineering & data architects: Mastering on-premises data gateway configuration is a real-world differentiator. In enterprise environments, most data ingestion happens from legacy on-prem systems. While tutorials often showcase cloud-to-cloud scenarios, the on-prem gateway pattern is what you'll encounter in the majority of actual enterprise projects. Being able to troubleshoot gateway timeouts, credential issues, and network connectivity problems demonstrates practical experience that pure theory cannot teach.
Summary: The Gateway Is the Bridge
The On-Premises Data Gateway is the critical infrastructure that enables Microsoft Fabric to reach your on-premises SQL Server. Without it, your cloud-native pipelines have no way to read from legacy systems. With it properly configured, you have a secure, scalable, monitored connection that can handle high-volume data movement — all without opening inbound firewall ports.
Key takeaways from this part:
- Install the gateway on a 24/7 machine that has network access to SQL Server.
- Always use Standard mode, not Personal mode, for production deployments.
- Create a data source connection in Fabric that points to your SQL Server through the gateway.
- Test the connection before building any pipelines against it.
- Deploy at least two gateways in a cluster for production high availability.
- Monitor gateway logs and document auto-update behavior.
- The gateway account must have
db_datareaderpermissions on all databases it accesses.
In Part 4, we'll build the Fabric foundation: workspaces, lakehouses, warehouses, and the config tables that control your entire pipeline orchestration. The gateway is the bridge — the config tables are the brain.
