Categorizing Azure Logic App IP Addresses in Shared and ISE environments

Published Jun 09 2020 08:37 AM 2,357 Views

Overview:

As we all know, security is the main concern in any cloud environment, and we tend to be a bit hesitant about how it is addressed and how we can control access to specific services or resources, whether in pure-cloud or hybrid integration scenarios. The first thing that comes to mind is restricting IP addresses on the firewall: allowing specific servers, or specific ports, for specific resources.

So I just thought of throwing some light on how Logic App IP addresses are categorized and which connectors use each category. That way you can allow only the IP addresses a given resource actually needs and restrict access to everything else.

At the time of writing, Logic Apps can be deployed to either the Shared (multi-tenant) environment or an ISE (Integration Service Environment), which can be an internal or external ISE. The Shared environment uses Azure multi-tenant IP addresses, whereas an ISE uses both your VNet subnet IP range and the Shared environment IPs, as explained below.

 

Logic App IPs are broadly categorized as in the screenshot below:

[Screenshot: Logic App IP address categories - Access Endpoint IP's, Runtime outgoing IP's, Connector Outgoing IP's]

  • Access Endpoint IP's - Trigger endpoints can be reached only if these IPs are allowed by outbound rules on your firewall.
  • Runtime outgoing IP's - All built-in connectors use these IP addresses to access resources; allow them for both inbound and outbound on your firewall. Built-in connectors are listed at https://docs.microsoft.com/en-us/azure/connectors/apis-list#built-ins
  • Connector Outgoing IP's - All managed connectors use these IP addresses to access resources; allow them with inbound and outbound rules on your server. Managed connectors are listed at https://docs.microsoft.com/en-us/azure/connectors/apis-list#managed-api-connectors

IP categorization in ISE:

When we talk about an ISE, an ISE Logic App has both Shared and VNet subnet IP addresses, and which ones are used depends on the type of connector used in the Logic App.

We have two different types of connectors available:

  • ISE version connectors: identified by the CORE or ISE label on the connector.
  • Non-ISE version (Shared) connectors: have no label and are the same connectors as in the Shared environment.

Let's see how the IP addresses are further classified for each connector type.

  • Access Endpoint IP's - In an ISE there are two types of access endpoint:
    • Internal ISE: the Logic App endpoint and run history can be accessed only from resources within the VNet. Ex: a virtual machine hosted in the ISE VNet can reach the Logic App endpoint and run history.
    • External ISE: the Logic App endpoint can be accessed from anywhere. If you call it from outside the virtual network, allow the Shared IP addresses in the outbound rules on your server's firewall.
  • Runtime outgoing IP's - All ISE version built-in connectors use the ISE subnet IP range, and non-ISE version connectors use the Shared environment IP addresses, to access resources. Allow the applicable addresses for inbound and outbound on your firewall. Built-in connectors are listed at https://docs.microsoft.com/en-us/azure/connectors/apis-list#built-ins
  • Connector Outgoing IP's - All ISE version managed connectors use the ISE subnet IP addresses, and non-ISE version connectors use the Shared environment IP addresses, to access resources; these need inbound and outbound rules on your firewall. Managed connectors are listed at https://docs.microsoft.com/en-us/azure/connectors/apis-list#managed-api-connectors. You will also see Azure Cloud Service IP addresses as part of the Connector Outgoing IPs; these are used when you connect to public endpoints with ISE version connectors.
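To turn these categories into a firewall allow-list, here is an added Python example (not from the original post) that takes an ISE's endpointsConfiguration, splits each category into ISE-subnet and Shared addresses by checking membership in the ISE subnet CIDRs, and emits the inbound/outbound rows each category needs. The response layout and every address in it are constructed assumptions; read the real block from your ISE resource before relying on the output.

```python
import ipaddress

# Constructed sample shaped like the endpointsConfiguration block a GET on an
# integrationServiceEnvironments resource returns (assumed layout; addresses are made up).
SAMPLE_ISE = {"properties": {"endpointsConfiguration": {
    "workflow": {
        "accessEndpointIpAddresses": [{"address": "10.10.1.8"}, {"address": "203.0.113.10"}],
        "outgoingIpAddresses": [{"address": "10.10.1.0/27"}, {"address": "203.0.113.20"}],
    },
    "connector": {
        "outgoingIpAddresses": [{"address": "10.10.1.32/27"}, {"address": "198.51.100.5"}],
    },
}}}
ISE_SUBNETS = ["10.10.1.0/24"]  # constructed: the VNet subnets delegated to the ISE

# Firewall direction each category needs, as described in the post.
DIRECTIONS = {
    "access_endpoint": ["outbound"],                # your server calls the trigger endpoint
    "runtime_outgoing": ["inbound", "outbound"],    # built-in connectors reach your resource
    "connector_outgoing": ["inbound", "outbound"],  # managed connectors reach your resource
}


def classify(ise, ise_subnets):
    """Split each IP category into ISE-subnet ranges and Shared (multi-tenant) ranges."""
    cfg = ise["properties"]["endpointsConfiguration"]
    subnets = [ipaddress.ip_network(s) for s in ise_subnets]
    sources = {
        "access_endpoint": cfg["workflow"]["accessEndpointIpAddresses"],
        "runtime_outgoing": cfg["workflow"]["outgoingIpAddresses"],
        "connector_outgoing": cfg["connector"]["outgoingIpAddresses"],
    }
    result = {}
    for name, entries in sources.items():
        result[name] = {"subnet": [], "shared": []}
        for entry in entries:
            net = ipaddress.ip_network(entry["address"], strict=False)  # bare IPs become /32
            bucket = "subnet" if any(net.subnet_of(s) for s in subnets) else "shared"
            result[name][bucket].append(str(net))
    return result


def firewall_rules(classified, bucket):
    """Allow-list rows (category, direction, cidr) for one bucket: 'subnet' when the Logic App
    uses only ISE-version connectors, 'shared' when it uses non-ISE (Shared) connectors."""
    rows = []
    for name, buckets in classified.items():
        for cidr in buckets[bucket]:
            rows.extend((name, direction, cidr) for direction in DIRECTIONS[name])
    return rows
```

A Logic App that mixes ISE-version and Shared connectors needs the union of both buckets, and an external ISE reached from outside the VNet needs the Shared access-endpoint rows as well.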
Last update:
‎Apr 22 2021 10:01 AM