Logic Apps and VNET access without ISE?


Hello,

So the Azure Integrated Service Environment (ISE) is an awesome thing, but not cheap.

With the ultimate goal of using Logic Apps to fetch (and push) data from on-prem data sources via ExpressRoute, is there some way (a workaround, perhaps with Function Apps or an APIM?) that doesn't require ISE to do this?

I'd rather not fall back to using Data Gateways or a Relay...

Regards,

J. Kahl

5 Replies
Hi Kahl,
You can configure an on-premises data gateway on an Azure VM; using this gateway as a trigger in a logic app works. This way the connection between the Azure VM and your on-premises source goes through ExpressRoute.

Regards,
Faiçal
Hi Faiçal,

Thanks for the reply.

I am trying to avoid using on-prem data gateways, however (as well as hybrid connections and relays). Is there another way around this?

There's no problem with Function Apps, Service Bus and APIM as you just need a premium plan / tier (which isn't cheap but isn't 'too' expensive) but add Logic Apps to the equation and you need ISE - and there goes your budget!

J. Kahl
Hello @kahl,
From an architecture and security perspective, I need some clarification to try to help you:

Are you OK with transiting data through the Internet (with TLS, of course)?
Are you using ExpressRoute or VPN to connect on-premises and Azure resources?
Is your need data movement (from on-premises to Azure) or data transformation and ingestion (ETL/ELT)?

Regards,
Faiçal (MCT, Expert on Azure & Team Leader)

Hi @JackK1870,

One of my customers is also trying to avoid using ISE but still being able to contact a service hosted on-premises.

My suggestion (not tested) was to try:

  • have an Azure Function step in the workflow
  • provision the Function App with the Regional VNet integration option (only some App Service Plans support it though)
  • utilize the existing cross-premises connectivity (Hub & Spoke network design with ExpressRoute) to call that service from the function
  • store the credentials required to call that on-prem service in Key Vault and reference the secret in App Settings

This might work, but it depends on your network setup.

Hi @JackK1870,

If you are looking for a cheap solution, you could configure the firewall of the services that your logic app uses with the flag:

 - Allow traffic from Azure data centers, or allow trusted Microsoft services to access...

Or, for other services that don't have this option, you could add the Logic Apps outgoing IP addresses to the firewall allow list (those IP address ranges are publicly available and are static enough, even if some ranges could be added in the future).

Those two options come with some security considerations and, depending on your security requirements, could enable you to connect a logic app to other Azure services that are not totally publicly exposed.

For example, the second option could be used with function apps that have VNet integration, and you can reach your on-prem data source using a function app in the middle.

Logic app -> Function app (configure access restrictions and VNet integration) -> on-prem

Or you can just use a function app instead of your logic app to reduce costs, even if it is not as suitable as Logic Apps for building workflows :)

Available for further discussion.
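The "Logic app -> Function app -> on-prem" pattern that the last two replies describe, written out as a Bicep deployment. This is an added example, not code posted by anyone in the thread or by Microsoft: the resource names, the subnet and plan IDs, the Key Vault secret name and the two outbound IP addresses are placeholders, and you would substitute the outbound IPs shown on your own Logic App's Properties blade. It configures regional VNet integration with all outbound traffic routed into the spoke VNet (so the on-prem call follows the hub's ExpressRoute), restricts inbound access to the Logic App's outbound IPs with an explicit deny-all rule, and reads the on-prem credential through a Key Vault reference rather than storing it in app settings.

```bicep
// Added example (not from the thread): a Function App acting as the bridge
// between a Logic App and an on-premises service.
// All names, IDs and IP addresses below are placeholders for illustration.
param location string = resourceGroup().location
param functionAppName string = 'func-onprem-bridge'   // placeholder name
param planId string                                   // existing Premium (EP) plan; Consumption plans do not support VNet integration
param integrationSubnetId string                      // subnet in the spoke VNet delegated to Microsoft.Web/serverFarms
param keyVaultName string = 'kv-onprem-bridge'        // placeholder name; must hold a secret called onprem-api-key
@secure()
param storageConnectionString string                  // required by the Functions runtime
param logicAppOutboundIps array = [                   // placeholder values: replace with your Logic App's outbound IPs
  '203.0.113.10/32'
  '203.0.113.11/32'
]

// One Allow rule per Logic App outbound address, lowest priority numbers first.
var allowRules = [for (ip, i) in logicAppOutboundIps: {
  name: 'logicapp-outbound-${i}'
  ipAddress: ip
  action: 'Allow'
  priority: 100 + i
  description: 'Inbound only from the Logic App outbound addresses'
}]

resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned'   // the identity that reads the Key Vault secret; no stored credential needed
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true
    virtualNetworkSubnetId: integrationSubnetId   // regional VNet integration (outbound into the spoke)
    siteConfig: {
      vnetRouteAllEnabled: true                   // route all outbound traffic through the VNet, so on-prem goes via hub + ExpressRoute
      scmIpSecurityRestrictionsUseMain: true      // apply the same allow list to the Kudu/SCM endpoint
      ipSecurityRestrictions: concat(allowRules, [
        {
          name: 'deny-all'
          ipAddress: 'Any'
          action: 'Deny'
          priority: 2147483647                    // evaluated last: anything not explicitly allowed above is rejected
          description: 'Default deny'
        }
      ])
      appSettings: [
        { name: 'AzureWebJobsStorage', value: storageConnectionString }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        // Key Vault reference: the app sees the secret value at runtime, the setting itself holds only the reference
        { name: 'ONPREM_API_KEY', value: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=onprem-api-key)' }
      ]
    }
  }
}

output functionAppPrincipalId string = functionApp.identity.principalId   // grant this identity secret read access on the vault
```

Two things the deployment does not do for you: the managed identity in the output still needs secret read permission on the vault (an access policy with `get` on secrets, or the Key Vault Secrets User role), and an IP allow list only proves the caller came from an address the Logic Apps service uses in that region, not that it was your workflow, so keep the function's key-based authorization on and pass the function key from the Logic App's HTTP action rather than relying on the IP filter alone.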