Whitelisting and Logic Apps

As B2B services move from on-premises servers to Azure Logic App, a recurring question is how to do both inbound and outbound (by the partner) whitelisting with such PaaS approach.

On-premises this was easy because each enterprise obtained its own static IP, IPs or IP range. In Azure or any public cloud, the IPs are now owned by the cloud service provider (Microsoft). With IaaS you can still get a static IP assigned to your VM in the cloud. With PaaS, especially multi-tenant PaaS like Logic App, multiple servers behind the scene are servicing multiple tenants and themselves are nodes which may be scaled out or in, and swapped during update deployments. Then the question of "what's my IP?" is no longer trivial. Yet for Logic App actually this remains pretty easy thanks to the work from our engineering team.

To enable your partner whitelisting your IP on your outbound messages, you need to share with them the list of IP addresses for Logic App for the specific region(s) you are using (see link below). If your partner requires a single IP or if you want to invest in the added security to avoid that another user of Logic App in the same region could pass through that filter, you can further use Azure API Management to act as a reverse proxy for the Logic App.

To enable your own whitelisting of IP authorized to send messages to your Logic App, use the Access control configuration for either Azure management portal or in the definition.

I am linking together some existing information here to make it more discoverable.

Comments (6)
  1. RalJans says:

    Would be great if you can eleborate more on the reverse proxy for the Logic App since this will be required by enterprise customers.
    I think not that many will accept large numbers of ip ranges in their firewall whitelist.

    1. David Burg says:

      Thank you for your comment RaUans. See https://docs.microsoft.com/en-us/azure/api-management/api-management-faq#is-the-api-management-gateway-ip-address-constant-can-i-use-it-in-firewall-rules for pointer about using the APIM IP for whitelisting. The nature of APIM is to be a reverse proxy (a server that retrieves resources on behalf of a client from one or more servers) and “You can get your IP address (or addresses, in a multi-region deployment) on the tenant page in the Azure portal.”

  2. Keagan Soakell-Ho says:

    Hi David,

    Is it possible to get the static IP address for outbound traffic from the West US 2 region added?

    Also is there an alternative to using Azure API Management? The cost of >1000NZD/month is excessively high for our needs where we want to connect to an FTP server (that has a whitelist of IP addresses) once a day.

    1. David Burg says:

      Hi Keagan,

      You only need to use Azure API Management if you cannot use the list of IPs there provided and need a single IP dedicated to you.

      I am looking into getting new regions added to the IP address listing.

    2. David Burg says:

      The update of the whitelist is coming through GitHub: https://github.com/MicrosoftDocs/azure-docs/pull/2892

  3. David Burg says:

    This blog has been moved off the MSDN platform. Find further content and update at https://www.linkedin.com/today/author/daviburg

    Comments are locked as part of the blog migration, so please reach out to your customer support contact for assistance with Microsoft products and services.

Comments are closed.

Skip to main content