Security is a major concern in any cloud environment, and teams are often hesitant about how access to specific services or resources is controlled, whether in the cloud or in hybrid integration scenarios. The first thing that comes to mind is restricting IP addresses on the firewall: allowing only specific source servers, or specific ports for specific resources, and so on.
So I thought I would shed some light on how Logic App IP addresses are categorized and which ones are used by the various connector types. With that knowledge you can allow only the specific IP addresses a given resource needs and block everything else.
At the time of writing, Logic Apps can be deployed either to the Shared (multi-tenant) environment or to an ISE (Integration Service Environment), which can be internal or external. The Shared environment uses Azure multi-tenant IP addresses, whereas an ISE uses both your VNet subnet IP range and the Shared environment IPs, as explained below.
Logic App IP addresses are broadly categorized as in the screenshot below:
Access Endpoint IPs: the trigger endpoints can be reached when these IPs are allowed in your firewall's outbound rules.
In an ISE, a Logic App has both Shared and VNet subnet IP addresses; which set is used depends on the type of connector used in the Logic App.
There are two types of connectors:
ISE version connectors: identified by the CORE or ISE label on the connector.
Non-ISE version (Shared) connectors: have no label and are the same connectors as in the Shared environment.
Let's see how the respective IP addresses are further classified by connector type.
Access Endpoint IPs: in an ISE there are two types of access endpoints.
Internal ISE: the Logic App endpoint and run history can be accessed only from resources within the VNet. For example, a virtual machine hosted in the ISE VNet can access the Logic App endpoint and run history.
External ISE: the Logic App endpoint can be accessed from anywhere. If you call it from outside the virtual network, allow the Shared IP addresses in the outbound firewall rule on your server.
Runtime Outgoing IPs: all ISE version built-in connectors use the subnet IP range, and non-ISE version connectors use the Shared environment IP addresses to reach resources. The relevant IP addresses need to be allowed for inbound and outbound traffic on your firewall. The built-in connectors are listed at https://docs.microsoft.com/en-us/azure/connectors/apis-list#built-ins
Connector Outgoing IPs: all ISE version managed connectors use the ISE subnet IP addresses, and non-ISE version connectors use the Shared environment IP addresses to reach resources; these need to be allowed in the inbound and outbound rules on the firewall. All managed connectors are listed at https://docs.microsoft.com/en-us/azure/connectors/apis-list#managed-api-connectors. You will also see Azure cloud service IP addresses as part of the Connector Outgoing IPs; these are used when connecting to public endpoints with ISE version connectors.
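To make the categorization above concrete, here is an added example (not from the original article or from Microsoft) that picks the ranges a firewall rule needs for a given connector type and ISE kind, and checks a logged source IP against them. The sample addresses and ISE subnets are constructed; the JSON layout follows the endpointsConfiguration block of a Microsoft.Logic/workflows resource as I understand it, so confirm the field names against your own `az logic workflow show` output.

```python
"""Pick the firewall ranges a Logic App needs, per the IP categories above.
Sample data is constructed (RFC 5737 test ranges); the JSON layout follows the
endpointsConfiguration block of a Microsoft.Logic/workflows resource (confirm the
field names against your own `az logic workflow show` output)."""
import ipaddress
import json

# Constructed sample of the relevant part of a Logic App resource.
WORKFLOW_JSON = """{
  "properties": {
    "endpointsConfiguration": {
      "workflow": {
        "outgoingIpAddresses": [{"address": "203.0.113.10"}, {"address": "203.0.113.11"}],
        "accessEndpointIpAddresses": [{"address": "203.0.113.20"}]
      },
      "connector": {
        "outgoingIpAddresses": [{"address": "198.51.100.5"}, {"address": "198.51.100.6"}]
      }
    }
  }
}"""
# Constructed subnet ranges delegated to the ISE.
ISE_SUBNETS = ["10.10.0.0/27", "10.10.0.32/27"]

def _addresses(workflow_json, section, key):
    conf = json.loads(workflow_json)["properties"]["endpointsConfiguration"]
    # Bare addresses become /32 networks so they mix with the subnet ranges.
    return [str(ipaddress.ip_network(e["address"])) for e in conf.get(section, {}).get(key, [])]

def outgoing_sources(workflow_json, connector_kind, connector_type, ise_subnets=ISE_SUBNETS):
    """Ranges the target resource must allow inbound for one connector.
    connector_kind: "ise" (CORE/ISE label) or "shared"; connector_type: "builtin" or "managed"."""
    if connector_kind == "ise":
        return sorted(ise_subnets)  # ISE connectors egress from the VNet subnets
    # Shared connectors use the multi-tenant ranges: runtime for built-in, connector for managed.
    section = "workflow" if connector_type == "builtin" else "connector"
    return sorted(_addresses(workflow_json, section, "outgoingIpAddresses"))

def trigger_destinations(workflow_json, ise_kind, caller_in_vnet):
    """Ranges a caller must allow outbound to reach the trigger endpoint."""
    if ise_kind == "internal" and not caller_in_vnet:
        return []  # internal ISE endpoints are reachable only from inside the VNet
    return sorted(_addresses(workflow_json, "workflow", "accessEndpointIpAddresses"))

def is_expected_source(ip, allowed):
    """True when a logged source IP falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in allowed)
```

Running `is_expected_source` over your firewall log's source IPs with the list from `outgoing_sources` flags connections that did not come from the expected Logic App ranges.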