Azure Logic Apps is a great technology to use when integrating Dynamics 365 Business Central with external systems. It lets you create complex integration workflows with a low-code approach (the same technology that drives Power Automate) in an enterprise-ready and security-oriented way.
When you have, for example, an external application that needs to interact with Dynamics 365 Business Central, you can use the HTTP connector and the Business Central connector (available in Logic Apps and Power Automate) to create an integration workflow between the two applications with ease.
When deploying Dynamics 365 Business Central to business entities like banks, public sectors or, generally speaking, large companies with strict security requirements, one of the common requests you can receive from the IT department is: can I restrict access to my workflows to only some white-listed IP addresses?
And this is where Power Automate fails (I wrote a post about possible solutions with Power Automate here).
Azure Logic Apps, by contrast, has built-in support for restricting access to a workflow by white-listing IP addresses. This can be done via Azure API Management (importing a flow into an APIM instance and then setting an inbound policy) or directly on a specific Logic Apps workflow (easier and more useful when you don’t have a large number of workflows to manage).
The way to do that is a bit different between Azure Logic Apps Consumption and Azure Logic Apps Standard.
In an Azure Logic Apps Consumption workflow, you can restrict access to a set of IP addresses by going to Settings, then Workflow settings, and, in the Access control configuration page, setting the Trigger access option to Specific IP ranges. Then, in the IP ranges for triggers box, insert the comma-separated list of IP addresses to authorize.
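The comma-separated value entered in the IP ranges for triggers box can be checked before it goes into the portal. The following Python code is an added example, not code from the original post: it parses single addresses, CIDR blocks and start-end ranges, flags overly broad entries, and tests a caller IP against the list. The sample addresses, the /16 threshold and the ARM property names used in arm_access_control are assumptions.

```python
import ipaddress

# Constructed sample of what might be typed into "IP ranges for triggers".
SAMPLE = "203.0.113.10, 198.51.100.0/24, 192.0.2.16-192.0.2.31, 0.0.0.0/0"

def parse_ranges(csv_value):
    """Turn the comma-separated box value into a list of ip_network objects.
    Raises ValueError on a malformed entry."""
    nets = []
    for item in (part.strip() for part in csv_value.split(",")):
        if not item:
            continue
        if "-" in item:  # start-end form, e.g. 192.0.2.16-192.0.2.31
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:  # single address or CIDR block
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def too_broad(nets, min_prefix=16):
    """Entries wider than /min_prefix (IPv4 threshold chosen for this example);
    such entries defeat the purpose of an allow-list."""
    return [n for n in nets if n.prefixlen < min_prefix]

def is_allowed(caller_ip, nets):
    """True if the caller address falls inside any allowed range."""
    ip = ipaddress.ip_address(caller_ip)
    return any(ip in n for n in nets)

def arm_access_control(nets):
    """Build the accessControl fragment for a Consumption workflow ARM template.
    Property names are an assumption here; the post only shows the portal."""
    return {"accessControl": {"triggers": {"allowedCallerIpAddresses": [
        {"addressRange": str(n)} for n in nets]}}}

if __name__ == "__main__":
    import json
    nets = parse_ranges(SAMPLE)
    broad = too_broad(nets)
    for n in broad:
        print("WARNING: overly broad entry:", n)
    keep = [n for n in nets if n not in broad]
    print(json.dumps(arm_access_control(keep), indent=2))
    for ip in ("198.51.100.77", "192.0.2.32"):
        print(ip, "allowed" if is_allowed(ip, keep) else "denied")
```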
With Azure Logic Apps Standard, you can restrict access to a set of IP addresses by selecting your Azure Logic Apps instance, then clicking Settings and then Networking. Go to the Inbound Traffic configuration section and select the Public network access option (defaulted to Enabled with no access restrictions).
In the Access Restrictions page, select Public Network access = Enabled from selected virtual networks and IP addresses, and then in the Site access and rules section you can specify a set of IP addresses to enable or disable.
These features help you improve your workflow’s security.
Remember that Azure Logic Apps also supports the integration into a VNET, but that’s another story…
Original Post https://demiliani.com/2024/09/10/azure-logic-apps-workflows-restrict-access-by-ip-ranges/