Whitelisting and Logic Apps

As B2B services move from on-premises servers to Azure Logic App, a recurring question is how to do both inbound and outbound (by the partner) whitelisting with such PaaS approach.

On-premises this was easy because each enterprise obtained its own static IP, IPs or IP range. In Azure or any public cloud, the IPs are now owned by the cloud service provider (Microsoft). With IaaS you can still get a static IP assigned to your VM in the cloud. With PaaS, especially multi-tenant PaaS like Logic App, multiple servers behind the scene are servicing multiple tenants and themselves are nodes which may be scaled out or in, and swapped during update deployments. Then the question of "what's my IP?" is no longer trivial. Yet for Logic App actually this remains pretty easy thanks to the work from our engineering team.

To enable your partner whitelisting your IP on your outbound messages, you need to share with them the list of IP addresses for Logic App for the specific region(s) you are using (see link below). If your partner requires a single IP or if you want to invest in the added security to avoid that another user of Logic App in the same region could pass through that filter, you can further use Azure API Management to act as a reverse proxy for the Logic App.

To enable your own whitelisting of IP authorized to send messages to your Logic App, use the Access control configuration for either Azure management portal or in the definition.

I am linking together some existing information here to make it more discoverable.

• List of IP addresses for Logic App or for Connector, per region
• Static IP for multiple Logic Apps - MSDN

Comments

• Anonymous
  May 28, 2017
  The comment has been removed
  • Anonymous
    July 24, 2017
    The comment has been removed
• Anonymous
  August 10, 2017
  The comment has been removed
  • Anonymous
    August 25, 2017
    Hi Keagan,You only need to use Azure API Management if you cannot use the list of IPs there provided and need a single IP dedicated to you.I am looking into getting new regions added to the IP address listing.
  • Anonymous
    August 27, 2017
    The comment has been removed
• Anonymous
  June 20, 2019
  This blog has been moved off the MSDN platform. Find further content and update at https://www.linkedin.com/today/author/daviburgComments are locked as part of the blog migration, so please reach out to your customer support contact for assistance with Microsoft products and services.