This is the second part in the series about securing your Logic Apps. In the previous post, I’ve provided several ways to secure your Logic App at the Trigger Level. In this post, I’m going to show how to secure your App using API Management with Access Restriction Policies.
Open the Azure Portal and create a new service. Search for ‘API Management’ and click the
Enter a name for the service, select the Azure subscription and select the resource group. I’ve picked the same resource group which I have created in the
. Add an organization name, an email address and pick a pricing tier. After that, click
It takes some time to create the API Management service. After creation and activation, open it from the Azure Portal
Adding the API
I’m using the Logic App which is created in the previous post to import into the publishing portal. So, copy the callback URL from the settings page of the Logic App in the settings portal.
In the left menu of your API Management Service, click
APIs – Preview
A wizard is opened. Select the Logic App in here.
You can now browse for your Logic App. Cool!
button and select the Logic App that you want to import. Add an API URL suffix, I’ve named my ‘
’ and click
Note: If you are using the Logic App which is created in the previous post, don’t forget to remove the
tag from your Logic App code. Leaving that tag in place causes an error when importing into the API Management Service.
And there it is!!
In this design surface, we now have a visual representation of the API, including the Logic App backend. The current context is set for all operations, so all policy changes will take place on a “global” level.
Select ‘Manual-invoke’ below the already selected ‘All Operations’.
Instead of empty policies, this displays the default policies that were put in place when the Logic App was imported.
Access Restriction Policies
To add authentication to this API we need to add some extra policies to the design surface.
Check HTTP Header
The first is the Check HTTP header policy. With it we add an extra check on a header of the incoming request, so requests that do not carry the expected header are rejected before they reach the Logic App.
Click the arrow next to Inbound Processing and click
On the right, click
Set your cursor inside the <inbound> tag and under
Access Restriction Policies
, click on
Check HTTP header
A code block is added to the XML. Replace it with the following:
in the left menu, add an additional header to the header section that matches the header code block added in the previous step, add the body text to the
part and click
If everything went well, you will see a response similar to the one displayed below:
Limit Call Rate Per Key
Next is the possibility to limit the call rate per key. This adds throttling capabilities to your API, so a single caller cannot exhaust the Logic App backend.
To add this functionality to your API, open the
again (refer to the previous Access Restriction Policy), place the cursor in the <inbound> tag and click the
Limit Call Rate Per Key.
The boilerplate code is added to the XML.
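As an added example (not the policy XML from the original post), here is an inbound policy that combines the two Access Restriction Policies described above, Check HTTP header and Limit Call Rate Per Key. The header name `x-api-key`, the two accepted values and the limits are placeholders I chose for illustration.

```xml
<!-- Added example, not from the original post. "x-api-key" and the key values below are
     placeholders; in a real deployment keep the values in API Management named values. -->
<policies>
    <inbound>
        <base />
        <!-- Check HTTP header: only requests whose x-api-key header equals one of the listed
             values continue; everything else gets a 401 before reaching the Logic App. -->
        <check-header name="x-api-key" failed-check-httpcode="401"
                      failed-check-error-message="Missing or invalid x-api-key header"
                      ignore-case="false">
            <value>placeholder-key-for-client-a</value>
            <value>placeholder-key-for-client-b</value>
        </check-header>
        <!-- Limit Call Rate Per Key: each header value gets its own counter, so one client
             that exceeds 10 calls in 60 seconds is throttled (HTTP 429) without affecting
             the other. Requests that fail the header check never reach this policy. -->
        <rate-limit-by-key calls="10" renewal-period="60"
                           counter-key="@(context.Request.Headers.GetValueOrDefault(&quot;x-api-key&quot;, &quot;none&quot;))" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The `&quot;` entities keep the policy expression inside the `counter-key` attribute valid XML; the `<base />` elements preserve any policies inherited from the global scope.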
The new preview API functionality I’ve used in this post works a lot better than the previous way of adding your policies!
Azure API Management adds a lot of functionality for authentication scenarios. Most of the Access Restriction Policies are discussed in this post, except for the Validate JWT policy. I’m going to write about that one in a separate post, because it is too much to cover here as well.
So, there is more to come in this series of posts…