Private endpoints for Standard plan based Logic Apps

Jan 27, 2023 9:12 AM

Personal Blog
Microsoft
Azure
Azure Logic Apps
Security
Networking
VNET

Previously

In one of my previous blogs I talked about Consumption vs. Standard Logic Apps, where I also mentioned a difference in integration capabilities and security, namely the use of an Azure Virtual Network (VNET) and a Private Endpoint for Standard-based Logic Apps. Using such a configuration shields your Logic Apps from public access, if configured correctly.

This can greatly improve the security of your Logic Apps, especially if they are used as APIs inside your organisation. It is possible to apply this directly at creation, or afterwards if you already have the required resources in place and just need to connect them. Let's see how this can be configured!

VNET Integration during creation

As stated, it is possible to configure VNET integration when creating the Logic App via the Azure portal. Go into the portal and start the Azure Logic App creation process. Make sure your Plan type is Standard. Since the Windows Plan / App Service Plan gets a randomly generated name, it is best to click on the Create new option and give it a proper name. Once that is set, continue to the Hosting tab.

The same goes for the Hosting tab, since it contains an autogenerated name for the Azure Storage account. This account is created because Standard-based Logic Apps run on the Azure Functions runtime, which needs a Storage account to run. Once configured, continue to the Networking tab, where all the magic happens!

Within the Networking tab, you can configure everything you might need for the VNET integration. As VNETs are usually used to create a private network instead of a public one, it is good practice to disable public access. Since we want to use networking, we need to turn on the network injection option.

If enabled, you will be asked to select an existing VNET or create a new one if none are present. After filling in the parameters for the VNET you can create a Private Endpoint for your Logic App, with its correlated subnet, for your inbound access. For this Subnet you can also select an existing one or create a new one, just like for the VNET itself.

The outbound access is similar to the inbound access but doesn't require a Private Endpoint; it can use its own Subnet to route through. Since Standard-based Logic Apps use a Storage Account, we can directly create and link the Private Endpoint for the Storage Account itself as well.

If everything is configured as you want it, click on Review + Create, have everything validated by the Resource Manager and deploy it by clicking on Create. After deployment you can always use the Export Template option within the blade of the Logic App itself to create an ARM template for Infrastructure as Code.

VNET Integration for existing Logic Apps

If you already have an existing Standard-based Logic App, it is also possible to add VNET Integration if the required services are already in place. Navigate to your Logic App and click on Networking underneath the Settings category.

In the Networking tab you will see multiple options that can be configured, such as the Private Endpoint for the Inbound Traffic and the VNET integration for the Outbound Traffic.

When clicking on the VNET Integration option, you will be able to add a VNET to your Logic App. Click on + Add VNet to do so. You will need to select an existing VNET, but are able to create a new Subnet if none is available.

Same goes for the Private Endpoint connections. Click on + Add to start configuring a new Private Endpoint. For configuring the Private Endpoint, both the VNET and Subnet need to exist already.

If you have configured both the Private Endpoint and VNET Integration, the only thing left would be the Private Endpoint for your Storage Account.

Adding a Private Endpoint for your Storage Account is similar to doing so for your Logic App. Navigate to your Storage Account and click on Networking underneath Settings. Since every Endpoint comes with its own Network Interface Card (NIC), it is great that you can apply your own naming convention to the Private Endpoint for Storage Accounts, since the one for the Logic App itself will be autogenerated and can only be renamed if deployed via Infrastructure as Code.

Once you have configured the naming for the Private Endpoint as well as the NIC, you can continue to the next tab and select which target sub-resource you want to add it to. When creating the Private Endpoint during the creation of the Logic App, it is automatically created for every single option (Blob, Files, Queue, Disk, Ftp, Web, etc). Otherwise it is up to your needs to add each individual option if required.

In the next tab, the Virtual Network that the Private Endpoint needs to be part of can be added. Here too it is only possible to select existing VNETs and Subnets. If everything is configured you can go to Review + Create and click on Create to deploy it. As stated, you will have to do this multiple times if you want to enable multiple Private Endpoints for the different options (Blob, Files, Queue, Disk, Ftp, Web, etc).
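As an added example that is not part of the original post, the following Bicep shows the Infrastructure-as-Code route mentioned above for an existing Logic App and Storage Account: an inbound Private Endpoint for the Logic App with an explicit endpoint and NIC name (which the portal only autogenerates), and one Private Endpoint per storage sub-resource in a loop instead of repeating the portal wizard. The parameter names, resource names and subnet ID are assumptions, and the default sub-resource list (blob, file, queue, table) is a constructed default to adjust to your needs.

```bicep
param location string = resourceGroup().location
param logicAppName string                      // existing Standard Logic App (assumed name)
param storageAccountName string                // existing Storage Account (assumed name)
param privateEndpointSubnetId string           // existing subnet for inbound Private Endpoints
param storageGroupIds array = [ 'blob', 'file', 'queue', 'table' ]  // constructed default
resource logicApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: logicAppName
}
resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: storageAccountName
}
// Inbound Private Endpoint for the Logic App. customNetworkInterfaceName
// is what lets you name the NIC; the portal generates it for you.
resource logicAppPe 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: 'pe-${logicAppName}'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    customNetworkInterfaceName: 'nic-pe-${logicAppName}'
    privateLinkServiceConnections: [
      {
        name: 'plsc-${logicAppName}'
        properties: {
          privateLinkServiceId: logicApp.id
          groupIds: [ 'sites' ]   // sub-resource for App Service / Logic App sites
        }
      }
    ]
  }
}
// One Private Endpoint per storage sub-resource; the portal makes you do this one at a time.
resource storagePe 'Microsoft.Network/privateEndpoints@2022-07-01' = [for groupId in storageGroupIds: {
  name: 'pe-${storageAccountName}-${groupId}'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    customNetworkInterfaceName: 'nic-pe-${storageAccountName}-${groupId}'
    privateLinkServiceConnections: [
      {
        name: 'plsc-${storageAccountName}-${groupId}'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ groupId ]
        }
      }
    ]
  }
}]
```

Private DNS zone groups (privatelink.azurewebsites.net for the Logic App, and the privatelink storage zones such as privatelink.blob.core.windows.net) are not included here and are needed for the private addresses to resolve from inside the VNET.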

What Next?

It is great to see that Logic Apps can be used for more and more integrations, also within Azure itself. In the next blog I will dive into such an integration and show how it can be set up! Stay tuned.