How to secure Azure Logic App http request endpoint

1
votes

Is there any way to secure an HTTP endpoint of an Azure Logic App ?

For example if I'm using my Logic App's HTTP request endpoint to be triggered as a webhook from a payment gateway, I'd want to restrict only certain static IP Addresses to access it and enable HTTPS.

I didn't find any firewall options like those present in Azure SQL for IP base restrictions.

3
azureazure-logic-apps
See also: Secure access and data in Azure Logic Apps docs.microsoft.com/en-us/azure/logic-apps/… and laurakokkarinen.com/… - Tony

3 Answers

1
votes

You can put the manual trigger endpoint behind Azure API Management, using its "Restrict caller IPs" policy should help you accomplish what you need.

1
votes

See https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

Restrict incoming IP addresses In addition to the Shared Access Signature, you may wish to restrict calling a logic app only from specific clients. For example, if you manage your endpoint through Azure API Management, you can restrict the logic app to only accept the request when the request comes from the API Management instance IP address.

This setting can be configured within the logic app settings:

In the Azure portal, open the logic app you want to add IP address restrictions Click the Access control configuration menu item under Settings Specify the list of IP address ranges to be accepted by the trigger

A valid IP range takes the format 192.168.1.1/255. If you want the logic app to only fire as a nested logic app, select the Only other logic apps option. This option writes an empty array to the resource, meaning only calls from the service itself (parent logic apps) fire successfully.

0
votes

I could be wrong but all App Services (Web Apps, Logic Apps, API Apps) are, by default, publically accessible and, by default, do not enable IP Filtering via Azure resource configuration (meaning, a setting on the Logic App). Options I can think of enabling this would be:

  1. If you have access to a Web.config, use an element to restrict traffic to only a specific set of address (see MSDN)
  2. Consider putting the Logic App behind an API Management resource and enforce a IP restriction policy (see Azure API Management Documentation); I'm guessing this may not apply for Logic Apps but including it anyway
  3. Scale to a Premium App Service Plan, deploy Logic App to an App Service Environment which gives you the ability to specify whether there is a Public IP (VIP) used for load balancing requests or internal load balancer (which would be used for cross-premise connectivity between your LAN and Azure); you can also deploy a virtual Web Application Firewall (WAF) which would allow you to place explicit IP filters as well

Not knowing your requirements, I'd lean more towards option 3 simply because there is documentation supporting that scenario (at least for Web, Mobile and API Apps -- Logic Apps are not mentioned). Otherwise, if you're not able to modify the web.config to include the filters and cannot put an API Management instance in front of the logic app, I'm not sure what other options you may have.

Hope this helps and if you find a solution, I'd be interested in learning it as well.