Azure integration: Securing Logic app HTTP trigger endpoints
A Logic App with an HTTP Request trigger exposes a publicly reachable endpoint that can be called over the internet. These endpoints need to be secured; otherwise, anyone with the URL can post data to the Logic App and trigger it. By default, the endpoint is protected by a couple of mechanisms, including HTTPS and a SAS token. The URL consists of the endpoint address of the Logic App and workflow trigger, together with the following query parameters:
| Query parameter | Description |
|---|---|
| api-version | 2016-10-01. Specifies the version of the API. |
| sp | Specifies permissions for the allowed HTTP methods to use. |
| sv | Specifies the SAS version to use for generating the signature. |
| sig | Specifies the signature (shared access signature) to use for authenticating access to the trigger. This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored with the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key. |
Options for securing the endpoint:
- Access the endpoint using a Shared Access token (default)
- Restrict based on IP
- Authorization using Logic App
- Logic Apps and APIM (Azure API Management)
- Expose the Logic App as an API
- Deploy the Logic App in an isolated environment
Access the endpoint using a Shared Access token (default)
The SAS signature in the endpoint gives you the option to renew the access key periodically or whenever the endpoint is compromised. However, the SAS token associated with the Logic App serves for both authentication and authorization, and carrying it in the URL can be problematic: anyone who knows the token details can easily send inappropriate requests. It is always wise to hide those details or pass them as a header property. The approach to renew the SAS token is shown in the diagram below. The steps to renew are: Go to the Logic App > find the Settings tab on the left > click Access Keys > click "Regenerate Access Key" > click OK.
The portal then warns: Warning! Regenerating the access key will invalidate all SAS URLs created using the selected access key and will require calling applications to acquire the new SAS URLs.
For most organizations, this form of security will not meet their security needs, because the URL, which includes the SAS token, can be copied and used outside the organization without much governance.
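Because the callback URL carries the SAS token, the whole URL has to be handled as a credential: it should not be committed to source, pasted into tickets, or written to logs. The following example, added here and not part of the original post, shows how a defender can treat it that way: it scans text for callback URLs that still carry a `sig=` value, breaks a URL into the four query parameters listed in the table above (`api-version`, `sp`, `sv`, `sig`), and produces a redacted copy that is safe to log. The host name, workflow id and signature value in `SAMPLE_CONFIG` are constructed for the example; the regular expression only reflects the URL layout the post describes and does not validate a signature.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The four query parameters the post lists on every HTTP-trigger callback URL.
REQUIRED_PARAMS = ("api-version", "sp", "sv", "sig")

# Pattern for a callback URL that still carries its sig token. The host suffix
# and /workflows/ path follow the documented URL layout; it is only used to
# scan text for leaked URLs, never to validate a signature.
TRIGGER_URL_RE = re.compile(
    r"https?://[^\s\"']*\.logic\.azure\.com(?::\d+)?/workflows/[^\s\"']*sig=[^\s\"'&]+"
)

# Constructed sample: a config snippet with one leaked callback URL and one
# URL from which the token has already been stripped.
SAMPLE_CONFIG = """
webhook_url = "https://prod-00.westus.logic.azure.com:443/workflows/00000000000000000000000000000000/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=CONSTRUCTED_SIGNATURE_VALUE"
status_url  = "https://prod-00.westus.logic.azure.com:443/workflows/00000000000000000000000000000000/triggers/manual/paths/invoke?api-version=2016-10-01"
"""


def inspect_trigger_url(url: str) -> dict:
    """Break a callback URL into the parts that matter for access control."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "uses_https": parts.scheme == "https",
        "host": parts.hostname,
        "api_version": query.get("api-version", ""),
        "permissions": query.get("sp", ""),   # sp: allowed methods/paths
        "sas_version": query.get("sv", ""),   # sv: SAS version for the signature
        "has_signature": bool(query.get("sig")),
        "missing": [p for p in REQUIRED_PARAMS if p not in query],
    }


def redact_signature(url: str) -> str:
    """Mask the sig value so the URL can be logged or stored without the token."""
    parts = urlsplit(url)
    pairs = [
        (k, "REDACTED" if k == "sig" else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def find_leaked_trigger_urls(text: str) -> list:
    """Return every callback URL in text that still carries a sig= token."""
    return TRIGGER_URL_RE.findall(text)


if __name__ == "__main__":
    for url in find_leaked_trigger_urls(SAMPLE_CONFIG):
        info = inspect_trigger_url(url)
        print("leaked token on", info["host"], "permissions", info["permissions"])
        print("safe to log:", redact_signature(url))
```

Run over a repository or a log export, `find_leaked_trigger_urls` gives the list of URLs whose key should be regenerated with the portal steps above, and `redact_signature` is what a logging layer should apply before a callback URL is ever written out.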
Restrict based on IP
The Logic App provides out-of-the-box IP-based security: you can restrict access to a specific IP address or a range of IP addresses. The steps to configure it are: Go to the Logic App > find the Settings tab on the left > click Workflow settings > select Specific IP ranges > add the allowed IP ranges or IP addresses.
The Access control configuration of the Logic App provides the option to restrict inbound IP addresses, which ensures that only trusted IP addresses can call the logic app.
The allowed inbound IP address setting restricts calls to triggers in this logic app to the provided IP ranges. IP addresses can be either IPv4 or IPv6 and accept both range and bitmask (CIDR) formats. The access control configuration also provides an option to restrict calls that read input and output messages from the run history to the provided IP ranges.
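The portal setting above ends up in the workflow resource as an `accessControl` block, so the same restriction can be reviewed and tested outside the portal. The example below is added here and is not the post's or Microsoft's code: it models a weak workflow (no inbound restriction, so the SAS token is the only gate) beside a hardened one whose `triggers` and `contents` scopes each list allowed caller ranges, parses the range and bitmask formats the post mentions for both IPv4 and IPv6, and checks whether a given caller address would pass. The `accessControl` layout (`triggers` / `contents`, each with `allowedCallerIpAddresses` entries of `addressRange`) is my reading of the Logic App ARM schema and should be confirmed against an exported template; the address ranges are constructed documentation-range values.

```python
import ipaddress

# Constructed workflow resource properties. The accessControl layout follows
# the Logic App ARM schema as I understand it (an assumption to verify against
# your exported template): triggers and contents each carry an
# allowedCallerIpAddresses list of addressRange entries.
WEAK_PROPERTIES = {
    "definition": {},
    # No accessControl section: any caller presenting a valid SAS URL is accepted.
}

HARDENED_PROPERTIES = {
    "definition": {},
    "accessControl": {
        "triggers": {
            "allowedCallerIpAddresses": [
                {"addressRange": "203.0.113.0/24"},               # IPv4 bitmask (CIDR) form
                {"addressRange": "198.51.100.10-198.51.100.20"},  # IPv4 start-end range form
                {"addressRange": "2001:db8::/32"},                # IPv6 bitmask form
            ]
        },
        # Run-history inputs/outputs get a tighter list than the trigger itself.
        "contents": {
            "allowedCallerIpAddresses": [{"addressRange": "203.0.113.0/24"}]
        },
    },
}


def parse_address_range(spec: str):
    """Turn one addressRange value (CIDR or start-end) into (first, last) addresses."""
    spec = spec.strip()
    if "-" in spec:
        start, end = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"invalid address range: {spec}")
        return start, end
    network = ipaddress.ip_network(spec, strict=False)
    return network[0], network[-1]


def allowed_ranges(properties: dict, scope: str = "triggers"):
    """Allowed (first, last) pairs for a scope, or None when no restriction is set."""
    control = properties.get("accessControl", {}).get(scope)
    if control is None:
        return None
    entries = control.get("allowedCallerIpAddresses", [])
    return [parse_address_range(e["addressRange"]) for e in entries]


def caller_allowed(properties: dict, caller_ip: str, scope: str = "triggers") -> bool:
    """Would a request from caller_ip pass the inbound IP check for this scope?"""
    ranges = allowed_ranges(properties, scope)
    if ranges is None:
        return True  # weak default: the SAS token is the only gate
    ip = ipaddress.ip_address(caller_ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)


def audit_access_control(properties: dict) -> list:
    """Findings a reviewer would raise about the workflow's access-control block."""
    findings = []
    for scope in ("triggers", "contents"):
        if allowed_ranges(properties, scope) is None:
            findings.append(f"{scope}: no inbound IP restriction configured")
    return findings


if __name__ == "__main__":
    print("weak:", audit_access_control(WEAK_PROPERTIES))
    print("hardened:", audit_access_control(HARDENED_PROPERTIES))
    print("203.0.113.77 ->", caller_allowed(HARDENED_PROPERTIES, "203.0.113.77"))
    print("192.0.2.1    ->", caller_allowed(HARDENED_PROPERTIES, "192.0.2.1"))
```

`audit_access_control` is the check to run over exported workflow templates in a pipeline: a workflow that comes back with findings for `triggers` or `contents` is relying on the SAS URL alone, which is exactly the situation the previous section describes. Note that the IP restriction complements the SAS token rather than replacing it; a caller inside an allowed range still needs a valid signature.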
This was originally posted here.