Logic Apps and VNET access without ISE ?

Question

Hello,&nbsp;So the Azure Integrated Service Environment (ISE) is an awesome thing, but not cheap.&nbsp;With the ultimate goal of using Logic Apps to fetch (and push) data from on-prem data sources via ExpressRoute, is there some way (a workaround - perhaps with Function Apps or an APIM?) that&nbsp;doesn't require ISE&nbsp;to do this?&nbsp;&nbsp;I'd rather not fall back to using Data Gateways or a Relay...&nbsp;Regards,&nbsp;J. Kahl,

mfessalifi · Answer

Hi Kahl,You can configured a On Premise data gateway on an Azure VM, using this gateway as trigger in a logic app works. And by this way the connection between Azure VM and your on premise source go through Express Route.Regards,Faiçal

jackk1870 · Answer

Hi Faiçal,Thanks for the reply.I am trying to avoid using on-prem data gateways however (as well as hybrid connections and relays) - is there another way around this?There's no problem with Function Apps, Service Bus and APIM as you just need a premium plan / tier (which isn't cheap but isn't 'too' expensive) but add Logic Apps to the equation and you need ISE - and there goes your budget!J. Kahl

mfessalifi · Answer

Hello @kahl,Here on Architecture and Security prospective, I need clarification to try helping you:Are you OK to transit data through Internet (with TLS sure)?Are you using Express Route or VPN to connect on-premise and Azure Resources?Is your need is Data movement (from On Premise to Azure) or Data Transformation and Ingestion (ETL/ELT)?Regards,Faiçal (MCT, Expert on Azure &amp; Team Leader)

pazdedav · Answer

Hi&nbsp;JackK1870&nbsp;,&nbsp;One of my customers is also trying to avoid using ISE but still being able to contact a service hosted on-premises.My suggestion (not tested) was to try:have Azure Function step in the workflowprovision the Function App with Regional VNet integration option (only some App Service Plans support it though)utilize the existing cross-premises connectivity (Hub &amp; Spoke network design with Express Route) to call that service from the functionstore credentials required to call that on-prem service using Key Vault and reference the secret in App Settings&nbsp;This might work, but it depends on your network setup.

pioardi · Answer

Hi&nbsp;JackK1870&nbsp;,if you are looking for a cheap solution you could configure the firewall of the services that your logic app uses with the flag :&nbsp;&nbsp;- Allow traffic from azure data center or allow trusted microsoft services to access...&nbsp;or for other services don't have this option you could put the logic apps outgoing ip addresses as allowed into the firewall ( those ip address ranges are publicly available , are static enough even if some ranges could be added in future ) .&nbsp;Those two options will come with some security considerations and depending on your security requirements could enable you to connect logic app to other azure services&nbsp; that are not totally public exposed.&nbsp;For example the second option could be used with function apps that have vnet integration and you can reach out your on-prem data source using a function app in the middle .&nbsp;Logic app -&gt; Function app ( configure access restrictions and vnet ingration ) -&gt;&nbsp; on prem&nbsp;&nbsp;Or you can just use a function app instead of your logic app to reduce costs, even if is not suitable like logic apps to build workflows 🙂&nbsp;Available for further discussion&nbsp;

Forum Discussion

Logic Apps and VNET access without ISE ?

5 Replies

Resources