IP Restrictions in Logic Apps

Recently, I discovered a new tab for Logic Apps resources in the Azure portal, named Workflow Settings.  Workflow settings is a very generic name, but it’s good to know that it includes additional access control configuration, through inbound IP restrictions.  There are two types of restrictions possible: on the runtime and on the run history.  Let’s have a closer look!


Runtime restrictions

You can configure IP restrictions for your Logic App triggers:

  • Any IP: the default setting that does not provide any additional security
  • Only other Logic Apps: this should be the default setting for Logic Apps that are used as reusable components
  • Specific IP ranges: this should be configured for externally exposed Logic Apps, if possible

When trying to access the Logic App trigger from an unauthorized IP address, you get a 401 Unauthorized.

{
   "error": {
      "code": "AuthorizationFailed",
      "message": "The client IP address 'XXX.XXX.XXX.XXX' is not in the allowed caller IP address ranges specified in the workflow access control configuration."
   }
}

Run history restrictions

You can also restrict calls to the run history inputs and outputs.  When there are no IP addresses provided, there’s no restriction.  From the moment you provide IP ranges, it behaves as a whitelist of allowed addresses.

When trying to access the Logic App run details from an unauthorized IP address, you can still see the visual representation of the Logic App run.  However, you’re not able to view the inputs and outputs of the individual steps.
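To check these settings across many Logic Apps rather than one portal blade at a time, the following added example (not part of the original post) audits the resources of an exported ARM template and reports which of the three trigger options and which run history restriction each workflow has. It assumes the ARM workflow schema, where the settings live under `properties.accessControl` as `triggers` and `contents` with `allowedCallerIpAddresses` entries, and where the "Only other Logic Apps" option is stored as an empty list; the sample resources and their names are constructed.

```python
import ipaddress

# Constructed sample: "resources" entries as they would appear in an exported ARM template.
SAMPLE = [
    {"type": "Microsoft.Logic/workflows", "name": "public-intake", "properties": {}},
    {"type": "Microsoft.Logic/workflows", "name": "shared-mapper", "properties": {
        "accessControl": {"triggers": {"allowedCallerIpAddresses": []}}}},
    {"type": "Microsoft.Logic/workflows", "name": "partner-api", "properties": {
        "accessControl": {
            "triggers": {"allowedCallerIpAddresses": [{"addressRange": "203.0.113.0/24"}]},
            "contents": {"allowedCallerIpAddresses": [
                {"addressRange": "198.51.100.10-198.51.100.20"}]}}}},
]

def parse_range(text):
    """Return (first, last) for 'a.b.c.d/n', a single address, or 'a.b.c.d-e.f.g.h'."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {text}")
        return lo, hi
    net = ipaddress.ip_network(text.strip(), strict=False)
    return net[0], net[-1]

def allowed_ranges(workflow, section):
    """Parsed ranges for 'triggers' or 'contents'; None when the section is not configured."""
    cfg = (workflow.get("properties", {}).get("accessControl") or {}).get(section)
    if not cfg or "allowedCallerIpAddresses" not in cfg:
        return None
    return [parse_range(e["addressRange"]) for e in cfg["allowedCallerIpAddresses"]]

def trigger_mode(workflow):
    """Map the trigger setting onto the three portal options."""
    ranges = allowed_ranges(workflow, "triggers")
    if ranges is None:
        return "any-ip"
    return "specific-ranges" if ranges else "only-logic-apps"

def trigger_allows(workflow, client_ip):
    """Would a direct call from client_ip pass the trigger IP restriction?"""
    ranges = allowed_ranges(workflow, "triggers")
    if ranges is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)

def audit(resources):
    """name -> (trigger mode, run history restricted?) for every Logic App in the template."""
    return {r["name"]: (trigger_mode(r), bool(allowed_ranges(r, "contents")))
            for r in resources if r.get("type") == "Microsoft.Logic/workflows"}
```

Workflows reported as `any-ip` are the ones still on the default setting, and `trigger_allows` lets you confirm that a known partner or gateway address falls inside the configured ranges before you deploy.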


Conclusion

Another small, but handy security improvement to Logic Apps.  It’s important to be aware of these capabilities and to apply them wisely.

Cheers!
Toon
