One of the major limitations with multi-tenant logic app was its inability to integrate with private resources (that are behind a firewall and/or deny public connections). Integration service environment (ISE) was one solution to achieve this task. But there is certain limitations in using ISE and that's a different topic for discussion.
Let's see how to integrate single tenant logic app with private resources.
- Create a Single tenant logic app and workflow. I am using a HTTP trigger to start the workflow.
Add an action and search for SQL. We can see two connector options. Built-in and Azure.
Private connection is possible only using the built-in actions. If we use Azure action, we will have to whitelist the connector outbound IP ranges (public) in the destination system firewall.
At the moment, we have only one built-in action for SQL that is 'Execute SQL query'. More built-in actions are expected to be added in the future.
- To create a built-in SQL connection we can use connection string. We can obtain the connection string from SQL database and add the password to create the action. For this example, I use a select query to one of the tables in the SQL database. I will add a response action to complete the workflow design. Let's use the result of SQL action in the response using Dynamic content.
If the SQL server is currently not behind a firewall and 'Allow Azure services and resources to access this server' flag is set to Yes we can test the logic app and make sure it is working fine.
Let's use the HTTP URL that is generated when the workflow is saved in an API testing tool (like Postman) to trigger the logic app. I tested and got the response with the SQL query results.
If the SQL server is already behind a firewall and (or) if it denies public connections, workflow would not be able to connect at the moment. We need to create a private endpoint for the Azure SQL server that we need to connect from logic app workflow.
We get below error in workflow (without a private endpoint).
- Let's create a private endpoint in the SQL server.
Private endpoint enables connectivity between the consumers from the same VNet, regionally peered VNets, globally peered VNets and on premises using VPN or Express Route and services powered by Private Link.
Reference: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview
Select the resource.
Next step, choose a virtual network and subnet for the private endpoint. We need to integrate the private endpoint with a private DNS zone.
- After the private endpoint is created, let's deny the public network access.
Test the logic app again. Now we are able to integrate a logic app with a private SQL server using private endpoint. Please let me know your questions or thoughts via comments below.