Securing your Logic App via API Management

There are several ways to protect a Logic App: generating a shared access signature (SAS), restricting IP addresses, using Azure AD, exposing the Logic App through API Management and using the protection it offers, or deploying the Logic App into an Integration Service Environment, where it runs isolated from the public endpoint.

Every request endpoint of a Logic App has a shared access signature (SAS) associated with it.

[Screenshot: securelogicAPP]

I have created a simple Logic App called demoLogicapp which returns "Hello World". Below is the URL for my Logic App.

https://prod53.westeurope.logic.azure.com:443/workflows
/e322b4e175ee4a309c44bec81bc4a4ce/triggers/manual/paths
/invoke?api-version=2016-10-01&
sp=%2Ftriggers%2Fmanual%2Frun&
sv=1.0&
sig=k-4VwISupctjSKBEFguSfXgcpkPykwAaxTCOY8c6g0Y

The main purpose of the SAS token associated with our Logic App is authentication and authorization. But having those details in the URL can be problematic: anyone who obtains the token can send arbitrary requests to the Logic App, and query strings are routinely recorded in browser history, proxy and gateway logs, so a token in the URL leaks far more easily than one in a header. It is always wise to keep the token out of the URL and pass it as a header property instead (such as a subscription key or a bearer token) before the request is sent on.

Navigate to your API Management service in Azure and add a new API. I will select the "demoLogicapp" created earlier and click on CREATE.

[Screenshot: securelogicAPP1]

[Screenshot: securelogicAPP3]

Once the API is created, click on the highlighted icon below, FRONT END. Here we define the headers for our API:

  • Content-Type
  • SAS-Token

[Screenshot: securelogicAPP4]

[Screenshot: securelogicAPP5]

Now look again at the Logic App URL we had: the highlighted part below (the sig value) is what we want to pass as the SAS-Token header of the API request we defined above.

https://prod53.westeurope.logic.azure.com:443/workflows
/e322b4e175ee4a309c44bec81bc4a4ce/triggers/manual/paths
/invoke?api-version=2016-10-01&
sp=%2Ftriggers%2Fmanual%2Frun&
sv=1.0&
sig=k-4VwISupctjSKBEFguSfXgcpkPykwAaxTCOY8c6g0Y

This value can also be seen in the Named values tab of the API Management instance, which lets you define common values or secrets that can be referenced from policies.

[Screenshot: securelogicAPP6]

Now let's set the policy so that the SAS token can be sent in the header of the API request we defined above. Navigate to the policies of your demoLogicapp API and click on the code view (</>).

[Screenshot: securelogicAPP7]

Create a new variable called sasToken as below:

[Screenshot: securelogicapp8]

Make the necessary changes to rewrite-uri. Its template attribute is responsible for routing the request from the API to the Logic App instance.

Remove the highlighted part from the rewrite-uri.

Previously

[Screenshot: securelogicapp9]

Afterwards

[Screenshot: securelogicapp10]

Now let's add the set-query-parameter policy, which passes the value received in the SAS-Token header on to the Logic App as a query parameter.

[Screenshot: securelogicapp11]
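The inbound policy that the steps above assemble, written out in full as an added example (not the post's own policy): it assumes the front-end header is named SAS-Token, that the backend base URL ends at the workflow's /triggers path shown in the URL earlier, and it adds a check-header step so a request without the header is rejected at the gateway instead of reaching the trigger.

```xml
<!-- Added example policy; header name SAS-Token and backend base URL are assumptions -->
<policies>
    <inbound>
        <base />
        <!-- Reject the call at the gateway if no SAS-Token header was sent -->
        <check-header name="SAS-Token" failed-check-httpcode="401"
                      failed-check-error-message="SAS-Token header is required" ignore-case="true" />
        <!-- The sasToken variable from the post: copy the header value into a policy variable -->
        <set-variable name="sasToken" value="@(context.Request.Headers.GetValueOrDefault("SAS-Token", ""))" />
        <!-- Backend base URL assumed to end at the workflow's /triggers segment -->
        <set-backend-service base-url="https://prod53.westeurope.logic.azure.com/workflows/e322b4e175ee4a309c44bec81bc4a4ce/triggers" />
        <set-method>POST</set-method>
        <!-- rewrite-uri with the sig=... part removed: only the non-secret query parameters remain -->
        <rewrite-uri template="/manual/paths/invoke?api-version=2016-10-01&amp;sp=%2Ftriggers%2Fmanual%2Frun&amp;sv=1.0" />
        <!-- Re-attach the signature as the sig query parameter on the backend call only -->
        <set-query-parameter name="sig" exists-action="override">
            <value>@((string)context.Variables["sasToken"])</value>
        </set-query-parameter>
        <!-- Do not forward the raw header to the Logic App; it is already in the query string -->
        <set-header name="SAS-Token" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The signature still leaves the gateway in the backend query string, so keep API Management diagnostics from logging backend request URLs, or the token reappears in your logs.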

Now let's test the Logic App using Postman. When the header properties are passed correctly you get a successful response back. As a test case I passed an invalid token and got an authentication error. Passing the correct value afterwards gives the expected response back.

[Screenshot: securelogicAPP8]

[Screenshot: securelogicAPP9]

You can add further security by restricting access to specific IP addresses. Navigate to the Workflow settings of your Logic App and configure them as below:

[Screenshot: securelogicAPP10]

When I now run the Postman request again, I get the following error message. As soon as I whitelist the IP in the workflow settings, I see a successful response back.

[Screenshot: securelogicAPP11]
