API Management Consumption Tier - Logic Apps

%3CLINGO-SUB%20id%3D%22lingo-sub-1150853%22%20slang%3D%22en-US%22%3EAPI%20Management%20Consumption%20Tier%20-%20Logic%20Apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1150853%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20evaluating%20the%20API%20Management%20Consumption%20Tier%20plan%20to%20protect%20logic%20apps%20in%20a%20tenant.%26nbsp%3B%20It%20looked%20very%20promising%20until%20it%20comes%20to%20the%20point%20of%20protecting%20the%20logic%20apps%20themselves%20and%20setting%20the%20restriction%20IP%20Addresses%20so%20that%20they%20can%20only%20be%20called%20via%20the%20API%20Management%20proxy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Consumption%20Tier%20does%20not%20include%20the%20ability%20to%20set%20static%20IP%20Addresses%20for%20the%20API%20Management%20service%20so%20it%20is%20not%20clear%20how%20to%20protect%20the%20logic%20app%20without%20adding%20actions%20to%20it.%26nbsp%3B%20Yes%2C%20we%20could%20add%20actions%20to%26nbsp%3Bdo%20a%20header%20check%20to%20each%20logic%20app%2C%20but%20I%20had%20hoped%20to%20avoid%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%20that%20the%20published%20list%20of%20IP%20Address%20ranges%20for%20the%20API%20Management%20service%20in%20the%20given%20region%20does%26nbsp%3B%3CSTRONG%3Enot%3C%2FSTRONG%3E%20include%20the%20client%20IP%20Address%20reported%20by%20the%20logic%20app.%26nbsp%3B%20It%20was%20a%20generic%20%22Azure%20cloud%22%20IP%20address%20for%20that%20region.%26nbsp%3B%20If%20we%20need%20to%20restrict%20based%20on%20that%20list%2C%20then%20the%20API%20Management%20service%20does%20us%20no%20good%20it%20just%20makes%20configuring%20the%20logic%20app%20harder.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20something%20else%20I'm%20missing%2C%20or%20is%20it%20not%20possible%20to%20use%20the%20Consumption%20tier%20to%20protect%20Logic%20Apps%20without%20adding%20some%20kind%20of%20check%20actions%20to%20the%20logic%20app%20itself%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EMary%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1150853%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAPI%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1158731%22%20slang%3D%22en-US%22%3ERe%3A%20API%20Management%20Consumption%20Tier%20-%20Logic%20Apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1158731%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20for%20anyone%20else%20researching%20this%20question%2C%20the%20%22Consumption%20Tier%22%20is%20a%20little%20bit%20%22too%20good%20to%20be%20true%22.%26nbsp%3B%20The%20IP%20Address%26nbsp%3B%3CEM%3Ewill%3C%2FEM%3E%20change%20(I%20have%20verified%20that).%26nbsp%3B%20So%20there%20is%20no%20good%20way%20to%20protect%20the%20logic%20app%20via%20IP%20Address%20restriction%20to%20just%20the%20API%20Management%20instance%20without%20using%20at%20least%20the%20Developer%20tier.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%2C%3C%2FP%3E%3CP%3EMary%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hey all,

 

I am evaluating the API Management Consumption Tier plan to protect logic apps in a tenant.  It looked very promising until it comes to the point of protecting the logic apps themselves and setting the restriction IP Addresses so that they can only be called via the API Management proxy.

 

The Consumption Tier does not include the ability to set static IP Addresses for the API Management service so it is not clear how to protect the logic app without adding actions to it.  Yes, we could add actions to do a header check to each logic app, but I had hoped to avoid that.

 

Note that the published list of IP Address ranges for the API Management service in the given region does not include the client IP Address reported by the logic app.  It was a generic "Azure cloud" IP address for that region.  If we need to restrict based on that list, then the API Management service does us no good it just makes configuring the logic app harder.

 

Is there something else I'm missing, or is it not possible to use the Consumption tier to protect Logic Apps without adding some kind of check actions to the logic app itself?

 

Thanks,

Mary

1 Reply

So for anyone else researching this question, the "Consumption Tier" is a little bit "too good to be true".  The IP Address will change (I have verified that).  So there is no good way to protect the logic app via IP Address restriction to just the API Management instance without using at least the Developer tier.  

 

Cheers,

Mary