Hi Taranjeet Malik,
First, let me start with two sentences about this configuration: a Private Endpoint is for inbound communication, and Network integration is a configuration for outbound communication. From that, let me respond to your doubts one by one.
When Logic App is fronted by a Private Endpoint (Public Endpoint is completely disabled), which inbound subnet (target) is specified for the inbound communication in the Firewall rules - is it the subnet that hosts Private Endpoint for Logic App or the Subnet to which Logic App has VNet integration with? We're using a dedicated subnet for Private Endpoint that hosts Private Endpoint for multiple Azure services.
-> Once a private endpoint is configured on a service (Logic Apps/Storage Account), the inbound communication will be through the virtual network where this private endpoint (network interface resource) is placed. In this case, for inbound communication to the Logic App, the VNet integration doesn't matter.
Similarly, what subnet (source) is specified for the outbound traffic?
-> The outbound traffic will be routed from the service (Logic Apps/Storage Account) to the virtual network (subnet) where VNet integration is configured. In this case, for outbound communication, the private endpoint of the Logic App doesn't matter.
If there's an NSG attached to the subnet, I'm assuming we need to allow this traffic through that NSG as well. If that's the case, what's the best way to manage the rules, as there are no such Service Tags (LogicApps, LogicAppsManagement, AzureConnectors) available and the list of IP address prefixes for each region may change over time?
-> Yes, the way to control traffic in Azure is the NSG, and you can use service tags to permit the communication, whether inbound or outbound connections (https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview).
In our case, the VNet uses the custom DNS (AD DS integrated DNS) - is there a specific configuration needed to ensure name resolution for the solution?
-> Private DNS resolution is required for private endpoints. So if you have enabled a private endpoint for your Storage Account, for example, you will need to create a private DNS zone to resolve the name to the private IP of the service's private endpoint (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns).
Additional references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/service-endpoints-vs-private-endpoints/ba-p/3962134
- https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
Cheers,
Luis
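To make the inbound/outbound split in the answer above concrete, here is an added Bicep example (not part of the original thread, and not Microsoft's or the poster's code). It deploys a Logic App (Standard) with public access disabled, places its private endpoint (inbound path) in a shared private-endpoint subnet, attaches VNet integration (outbound path) to a separate subnet delegated to Microsoft.Web/serverFarms, and links the privatelink.azurewebsites.net private DNS zone to the VNet. The VNet name, subnet names, app and plan names are assumptions; the two subnets are assumed to already exist, with the integration subnet already delegated.

```bicep
// Added example: Logic App Standard fronted by a private endpoint (inbound) in one subnet,
// with VNet integration (outbound) in a different, delegated subnet.
// All resource names below are assumptions for illustration only.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'                          // assumed existing VNet
param peSubnetName string = 'snet-privateendpoints'         // assumed shared PE subnet
param integrationSubnetName string = 'snet-logicapp-integ'  // assumed, delegated to Microsoft.Web/serverFarms
param logicAppName string = 'logic-orders-prod'             // assumed
param planName string = 'asp-logic-ws1'                     // assumed

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: peSubnetName
}

resource integrationSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: integrationSubnetName
}

// Workflow Standard plan; WS1 is the smallest Logic App Standard SKU.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: planName
  location: location
  sku: {
    name: 'WS1'
    tier: 'WorkflowStandard'
  }
}

// The Logic App itself. publicNetworkAccess 'Disabled' means the only inbound path is
// the private endpoint; virtualNetworkSubnetId is the VNet integration (outbound) subnet.
resource logicApp 'Microsoft.Web/sites@2022-09-01' = {
  name: logicAppName
  location: location
  kind: 'functionapp,workflowapp'
  properties: {
    serverFarmId: plan.id
    publicNetworkAccess: 'Disabled'
    virtualNetworkSubnetId: integrationSubnet.id
    vnetRouteAllEnabled: true // send all outbound traffic through the integration subnet
    httpsOnly: true
  }
}

// Private endpoint for the Logic App, placed in the shared private-endpoint subnet.
// Inbound callers reach the app via this NIC's private IP, so inbound NSG rules belong here.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${logicAppName}'
  location: location
  properties: {
    subnet: {
      id: peSubnet.id
    }
    privateLinkServiceConnections: [
      {
        name: 'plsc-${logicAppName}'
        properties: {
          privateLinkServiceId: logicApp.id
          groupIds: [ 'sites' ]
        }
      }
    ]
  }
}

// Private DNS zone for App Service / Logic App Standard private endpoints.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}

// Link the zone to the VNet so Azure-provided DNS in that VNet answers for it.
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-${vnetName}'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: vnet.id
    }
    registrationEnabled: false
  }
}

// Have the private endpoint write its A record into the zone automatically.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'azurewebsites'
        properties: {
          privateDnsZoneId: dnsZone.id
        }
      }
    ]
  }
}
```

Two points worth checking after deployment. First, the private endpoint's NIC and the integration subnet are different resources in different subnets, so an inbound NSG rule on the integration subnet does nothing for callers of the Logic App; inbound rules go on the private-endpoint subnet and outbound rules on the integration subnet. Second, the private DNS zone link is only consulted by Azure-provided DNS (168.63.129.16); when the VNet's DNS servers are AD DS domain controllers, those servers must forward privatelink.azurewebsites.net (or the request in general) to 168.63.129.16, for example via a conditional forwarder or an Azure DNS Private Resolver, or clients will keep resolving the app's public IP.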