← Return To Home

How to Expose and protect Logic App using Azure API Management (Part 2) – Restrict the access to the Logic App

Earlier on this blog, I explain step-by-step how you are able to expose a Logic App through Azure API Management. Today I will address how you will be able to protect your Logic App from improper access, i.e., if we are exposing the Logic App thru APIM we may want to enforce that all the communication to go through APIM and restrict access to the Logic App, for example avoiding direct call to the Logic App (without passing thru APIM)

How to restrict access to the Logic App?

Based on what you can find in Microsoft official documentation, when your logic app uses an HTTP request-based trigger such as the Request or Webhook trigger, exactly the one we need to use in order to be able to expose a Logic App in APIM, you can limit access so that only authorized clients can start your logic app.

You can secure access to this trigger type by using one or a combination of these strategies:

  • Generate shared access signatures
    • Every request endpoint on a logic app has a Shared Access Signature (SAS) in the endpoint’s URL, which follows this format:
https://<request-endpoint-URI>sp=<permissions>sv=<SAS-version>sig=<signature>
  • Add Azure Active Directory, OAuth, or other security.
  • But also, by restricting incoming IP addresses

All of them are valid and all of them have advantages and disadvantages. The goal of this post is not to explain all of them or explaining the differences and how you can implement each one of them. Today I would like to address the last one: Restrict incoming IP addresses and describe step-by-step how you can use this capability to let only your API Management trigger the logic apps present in your subscription by specifying the incoming IP range settings in yours Logic Apps.

In fact, if you want to add more authorization protocols to your logic app, you should in did consider using Azure API Management, not only you can specify policies to control the access to your Logic App like:

  • Limit call rate per subscription, per key and/or by IPs;
  • Set usage quota by subscription and/or key;
  • Check the HTTP header;
  • Or Validate JWT;

It will also be able to expose a public or private endpoint for your logic app, which can then use Azure Active Directory, OAuth, certificate, or other security standards. Not to mention the fact that it will offer more additional features like a proper and live document you Logic App endpoint or additional monitoring capabilities.

Free download this blog as a PDF document for offline read.

How to restrict incoming IP addresses for a specific Logic App

Logic Apps allow you to limit access to the inputs and outputs in your logic app’s run history so that only requests from specific IP address ranges can view that data. For example, to block anyone from accessing inputs and outputs, you can specify:

  • an IP address range such as 192.168.1.73-192.168.1.100 (xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx).
  • or a Classless Inter-Domain Routing (CIDR) format like 192.168.1.73/32 (xxx.xxx.xxx.xxx/xx)

Only a person with administrator permissions can remove this restriction, which provides the possibility for “just-in-time” access to your logic app’s data. You can specify the IP ranges to restrict either by using the Azure portal or in an Azure Resource Manager template that you use for logic app deployment.

What is CIDR?

For does who are not familiar whit CIDR, which stands for Classless Inter-Domain Routing, is an IP addressing scheme that improves the allocation of IP addresses. It was introduced in 1993 by the Internet Engineering Task Force in order to replace the old system based on classes A, B, and C.

A CIDR IP address looks like a normal IP address except that it ends with a slash followed by a number, called the IP network prefix and it encompasses several concepts:

  • It is based on the variable-length subnet masking (VLSM) technique, which allows the specification of arbitrary-length prefixes.
  • It introduced a new method of representation for IP addresses, now commonly known as CIDR notation, in which an address or routing prefix is written with a suffix indicating the number of bits of the prefix, such as 192.0.2.0/24 for IPv4, and 2001:db8::/32 for IPv6.
  • A single IP address can be used to designate many unique IP addresses with CIDR.

And one huge advantage is that it will help reduce the size of routing tables and make more IP addresses available within organizations.

If you don’t know how to represent your desired CIDR notation, there are several tools (or normally called calculators) to convert IPv4 to CIDR like:

And these are simply two of them that I found in one simple research on search engines.

How to restrict incoming IP ranges for a Logic App to accept only APIM calls?

The first thing we need to know is the IP Address (or IP Address range) of our APIM. To do that we need to:

  • Access to your APIM on the Azure Portal (old Publisher Portal that is now built-in inside the Azure Portal;
  • And under the Overview option, on the top information you will find the IP Address specify on the “Virtual IP (VIP) addresses” property

01-azure-api-management-virtual-ip-address

  • The next step is to use one of the above tools to convert this IP Address in a CIDR notation, for example as you see in the bellow picture – assuming that we will limit access to only one IP;

02-IP-to-CIDR-Translation-tool

Now that we know the IP Address and is CIDR notation equivalent. We need to:

  • In the Azure portal, access to your Logic App.
  • On your Logic App’s menu, under Settings, select Workflow settings.

03-Logic-App-Workflow-Settings

  • Under Access control configuration > Allowed inbound IP addresses, select Specific IP ranges.

04-Logic-App-Workflow-Settings-allow-inbound-ip-addresses

  • Under IP ranges for triggers, specify the IP address ranges that the trigger accepts.
    • A valid IP range uses these formats: x.x.x.x/x or x.x.x.x-x.x.x.x
    • In our case, we will use the CIDR notation: 192.168.1.73/32

05-Logic-App-Workflow-Settings-IP-ranges-for-triggers

  • And then click Save.

Testing the restrictions

This is the easy part. If you want to validate and test if these configurations/restrictions are working properly you can easily do this by for example:

  • Open Postman tool from your machine and try to invoke directly the Logic App;
  • If everything works according, you should receive a 401 Unauthorized status with the following payload
{
   "error": {
          "code": "AuthorizationFailed",
          "message": "The client IP address '94.132.139.33' is not in the allowed caller IP address ranges specified in the workflow access control configuration."
   }
}

06-Logic-App-testing-sending-request-with-postman

Now, if we try from our APIM, we should get a 202 Accepted status.

07-Logic-App-testing-sending-request-from-APIM

Author: Sandro Pereira

Sandro Pereira lives in Portugal and works as a consultant at DevScope. In the past years, he has been working on implementing Integration scenarios both on-premises and cloud for various clients, each with different scenarios from a technical point of view, size, and criticality, using Microsoft Azure, Microsoft BizTalk Server and different technologies like AS2, EDI, RosettaNet, SAP, TIBCO etc. He is a regular blogger, international speaker, and technical reviewer of several BizTalk books all focused on Integration. He is also the author of the book “BizTalk Mapping Patterns & Best Practices”. He has been awarded MVP since 2011 for his contributions to the integration community.

One thought on “How to Expose and protect Logic App using Azure API Management (Part 2) – Restrict the access to the Logic App”

Comments are closed.