Restrict your Logic App to be accessed only by API Management

On a client project with a particular focus on security, I faced the concept of “securing your Logic Apps with API Management.” While wrapping any services within API Management is often the right design choice for service distribution, management, and onboarding of services, it’s important to remember that a Logic App with an HTTP trigger is still publicly available to anyone who holds the URL (including its SAS token), and you have limited governance over who is calling your service.

For this scenario I wanted to make sure that only API management is authorized to call the Logic App endpoint.

So if we have the most straightforward Logic App ever, it may look like this, with a simple HTTP trigger.

And now, if I wrap the Logic App endpoint in API Management and provide an Ocp-Apim-Subscription-Key, I get 202 Accepted.

Everything is good, and wrapping the Logic App endpoint in API Management is indeed a security improvement: you now distribute the Logic App via APIM, so clients never have the Logic App URL at hand.

The challenge remains that anyone with the Logic App endpoint (including the SAS token) can bypass this design and call the Logic App directly. Here I call the Logic App endpoint from Postman and get 202 Accepted.

To ensure that API Management is the only client with access to your Logic App endpoint, you can use the IP filter in the Logic App's Workflow settings.

To do so, go to your API Management service and copy its Virtual IP. (Please note that you cannot achieve this with the Consumption tier of API Management.)

Now, in the Logic App's Workflow settings, select Specific IP ranges, then paste the IP range into IP Range for triggers.

(I learned that the Logic App IP format accepts a CIDR range, and you can use this site to convert your API Management Virtual IP to this format: https://ipaddressguide.com/cidr. Read a full description here https://www.serverless360.com/blog/how-to-expose-and-protect-logic-app-using-azure-apim-part-2)
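As an added example (not code from the original post), the following Python converts a single API Management virtual IP into the CIDR form the trigger setting accepts, builds the equivalent `accessControl.triggers.allowedCallerIpAddresses` block of a `Microsoft.Logic/workflows` ARM resource, and checks whether a given caller address would pass the filter. The IP addresses are constructed sample values from documentation ranges, not a real APIM VIP.

```python
"""Build the Logic App trigger IP restriction for an APIM VIP and check callers against it."""
import ipaddress
import json


def to_cidr(ip: str) -> str:
    """Return an address in CIDR notation, the format the Logic App
    'IP ranges for triggers' setting accepts. A bare host address becomes
    a /32 (IPv4) or /128 (IPv6); an existing CIDR range is passed through.
    strict=True rejects ranges with host bits set so a typo cannot silently
    widen the allow list (e.g. '203.0.113.10/24' raises ValueError)."""
    return str(ipaddress.ip_network(ip, strict=True))


def trigger_access_control(allowed_ips):
    """Build the accessControl block of a Microsoft.Logic/workflows resource
    so that only the listed addresses may fire the workflow's triggers."""
    return {
        "triggers": {
            "allowedCallerIpAddresses": [
                {"addressRange": to_cidr(ip)} for ip in allowed_ips
            ]
        }
    }


def is_caller_allowed(access_control, caller_ip: str) -> bool:
    """True if caller_ip falls inside any configured trigger range."""
    addr = ipaddress.ip_address(caller_ip)
    ranges = access_control["triggers"]["allowedCallerIpAddresses"]
    return any(addr in ipaddress.ip_network(r["addressRange"]) for r in ranges)


if __name__ == "__main__":
    # Constructed sample values (TEST-NET-3 / TEST-NET-2), not real addresses.
    apim_vip = "203.0.113.10"
    ac = trigger_access_control([apim_vip])
    # Fragment to merge into the workflow's ARM template "properties".
    print(json.dumps({"properties": {"accessControl": ac}}, indent=2))
    print(is_caller_allowed(ac, apim_vip))        # APIM call succeeds (202 path)
    print(is_caller_allowed(ac, "198.51.100.7"))  # direct client is filtered (401 path)
```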

That’s it. When calling my Logic App now directly from my Postman client, I get 401 Unauthorized.

My API Management service is still authorized and gets 202 Accepted.
