Connect to Azure virtual networks from Azure Logic Apps by using an integration service environment (ISE)
For scenarios where your logic apps and integration accounts need access to an Azure virtual network, create an integration service environment (ISE). An ISE is an isolated environment that uses dedicated storage and other resources that are kept separate from the public, "global", multi-tenant Logic Apps service. This separation also reduces any impact that other Azure tenants might have on your apps' performance. An ISE also provides you with your own static IP addresses. These IP addresses are separate from the static IP addresses that are shared by the logic apps in the public, multi-tenant service.
When you create an ISE, Azure injects that ISE into your Azure virtual network, which then deploys the Logic Apps service into your virtual network. When you create a logic app or integration account, select your ISE as their location. Your logic app or integration account can then directly access resources, such as virtual machines (VMs), servers, systems, and services, in your virtual network.
For logic apps and integration accounts to work together in an ISE, both must use the same ISE as their location.
An ISE has increased limits on run duration, storage retention, throughput, HTTP request and response timeouts, message sizes, and custom connector requests. For more information, see Limits and configuration for Azure Logic Apps. To learn more about ISEs, see Access to Azure Virtual Network resources from Azure Logic Apps.
This article shows you how to complete these tasks:
- Enable access for your ISE.
- Create your ISE.
- Add extra capacity to your ISE.
Logic apps, built-in triggers, built-in actions, and connectors that run in your ISE use a pricing plan different from the consumption-based pricing plan. To learn how pricing and billing work for ISEs, see the Logic Apps pricing model. For pricing rates, see Logic Apps pricing.
An Azure subscription. If you don't have an Azure subscription, sign up for a free Azure account.
Your virtual network needs to have four empty subnets for creating and deploying resources in your ISE. Each subnet supports a different Logic Apps component for your ISE. You can create these subnets in advance, or you can wait until you create your ISE where you can create subnets at the same time. Learn more about subnet requirements.
Subnet names need to start with either an alphabetic character or an underscore and can't use these characters:
If you want to deploy the ISE through an Azure Resource Manager template, first make sure that you delegate one empty subnet to Microsoft.Logic/integrationServiceEnvironment. You don't need to do this delegation when you deploy through the Azure portal.
Make sure that your virtual network enables access for your ISE so that your ISE can work correctly and stay accessible.
If you use ExpressRoute, which provides a private connection to Microsoft cloud services that's facilitated by the connectivity provider, you must create a route table that has the following route and link that table to each subnet that's used by your ISE:
Address prefix: 0.0.0.0/0
Next hop: Internet
If you want to use custom DNS servers for your Azure virtual network, set up those servers by following these steps before you deploy your ISE to your virtual network. Otherwise, each time you change your DNS server, you also have to restart your ISE.
If you change your DNS server settings after you create an ISE, make sure that you restart your ISE. For more information about managing DNS server settings, see Create, change, or delete a virtual network.
Enable access for ISE
When you use an ISE with an Azure virtual network, a common setup problem is having one or more blocked ports. The connectors that you use for creating connections between your ISE and destination systems might also have their own port requirements. For example, if you communicate with an FTP system by using the FTP connector, the port that you use on your FTP system needs to be available, for example, port 21 for sending commands.
To make sure that your ISE is accessible and that the logic apps in that ISE can communicate across each subnet in your virtual network, open the ports described in this table for each subnet. If any required ports are unavailable, your ISE won't work correctly.
If you have multiple ISE instances that need access to other endpoints that have IP restrictions, deploy an Azure Firewall or a network virtual appliance into your virtual network and route outbound traffic through that firewall or network virtual appliance. You can then set up a single, outbound, public, static, and predictable IP address that all the ISE instances in your virtual network can use to communicate with destination systems. That way, you don't have to set up additional firewall openings at those destination systems for each ISE.
You can use this approach for a single ISE when your scenario requires limiting the number of IP addresses that need access. Consider whether the additional costs for the firewall or virtual network appliance make sense for your scenario. Learn more about Azure Firewall pricing.
If you created a new Azure virtual network and subnets without any constraints, you don't need to set up network security groups (NSGs) in your virtual network to control traffic across subnets.
On an existing virtual network, you can optionally set up NSGs by filtering network traffic across subnets. If you want to go this route, or if you're already using NSGs, make sure that you open the ports in this table on the virtual network where you have NSGs or want to set up NSGs.
If you use NSG security rules, you need to use both the TCP and UDP protocols. NSG security rules describe the ports that you must open for the IP addresses that need access to those ports. Make sure that any firewalls, routers, or other items that exist between these endpoints also keep those ports accessible to those IP addresses.
Network ports used by your ISE
This table describes the ports in your Azure virtual network that your ISE uses and where those ports get used. The Resource Manager service tags represents a group of IP address prefixes that help minimize complexity when creating security rules.
Source ports are ephemeral, so make sure that you set them to
* for all rules.
Where noted, internal ISE and external ISE refer to the
endpoint that's selected at ISE creation.
For more information, see Endpoint access.
|Purpose||Direction||Destination ports||Source service tag||Destination service tag||Notes|
|Intrasubnet communication||Inbound & Outbound||*||Address space for the virtual network with the ISE subnets||Address space for the virtual network with the ISE subnets||Required so that traffic can flow inside each subnet.
Important: For communication between components inside subnets, make sure that you open all the ports within those subnets.
|Intersubnet communication||Inbound & Outbound||80, 443||VirtualNetwork||VirtualNetwork||For communication between subnets|
|Communication from Azure Logic Apps||Outbound||80, 443||VirtualNetwork||Internet||The port depends on the external service with which the Logic Apps service communicates|
|Azure Active Directory||Outbound||80, 443||VirtualNetwork||AzureActiveDirectory|
|Azure Storage dependency||Outbound||80, 443, 445||VirtualNetwork||Storage|
|Communication to Azure Logic Apps||Inbound||443||Internal ISE:
|VirtualNetwork||The IP address for the computer or service that calls any request triggers or webhooks in your logic app. Closing or blocking this port prevents HTTP calls to logic apps with request triggers.|
|Logic app run history||Inbound||443||Internal ISE:
|VirtualNetwork||The IP address for the computer from where you want to view your logic app's run history. Although closing or blocking this port doesn't prevent you from viewing the run history, you can't view the inputs and outputs for each step in that run history.|
|Publish Diagnostic Logs & Metrics||Outbound||443||VirtualNetwork||AzureMonitor|
|Communication from Azure Traffic Manager||Inbound||Internal ISE: 454
External ISE: 443
|Logic Apps Designer - dynamic properties||Inbound||454||See Notes column for IP addresses to allow||VirtualNetwork||Requests come from the Logic Apps access endpoint inbound IP addresses for that region.|
|Network health check||Inbound||454||See Notes column for IP addresses to allow||VirtualNetwork||Requests come from the Logic Apps access endpoint for both inbound and outbound IP addresses for that region.|
|App Service Management dependency||Inbound||454, 455||AppServiceManagement||VirtualNetwork|
|Connector deployment||Inbound||454||AzureConnectors||VirtualNetwork||Necessary for deploying and updating connectors. Closing or blocking this port causes ISE deployments to fail and prevents connector updates or fixes.|
|Connector policy deployment||Inbound||3443||APIManagement||VirtualNetwork||Necessary for deploying and updating connectors. Closing or blocking this port causes ISE deployments to fail and prevents connector updates or fixes.|
|Azure SQL dependency||Outbound||1433||VirtualNetwork||SQL|
|Azure Resource Health||Outbound||1886||VirtualNetwork||AzureMonitor||For publishing health status to Resource Health|
|API Management - management endpoint||Inbound||3443||APIManagement||VirtualNetwork|
|Dependency from Log to Event Hub policy and monitoring agent||Outbound||5672||VirtualNetwork||EventHub|
|Access Azure Cache for Redis Instances between Role Instances||Inbound
|6379-6383||VirtualNetwork||VirtualNetwork||Also, for ISE to work with Azure Cache for Redis, you must open these outbound and inbound ports described in the Azure Cache for Redis FAQ.|
|Azure Load Balancer||Inbound||*||AzureLoadBalancer||VirtualNetwork|
Create your ISE
In the Azure portal, in the main Azure search box, enter
integration service environmentsas your filter, and select Integration Service Environments.
On the Integration Service Environments pane, select Add.
Provide these details for your environment, and then select Review + create, for example:
Property Required Value Description Subscription Yes <Azure-subscription-name> The Azure subscription to use for your environment Resource group Yes <Azure-resource-group-name> A new or existing Azure resource group where you want to create your environment Integration service environment name Yes <environment-name> Your ISE name, which can contain only letters, numbers, hyphens (
-), underscores (
_), and periods (
Location Yes <Azure-datacenter-region> The Azure datacenter region where to deploy your environment SKU Yes Premium or Developer (No SLA) The ISE SKU to create and use. For differences between these SKUs, see ISE SKUs.
Important: This option is available only at ISE creation and can't be changed later.
Additional capacity Premium:
0 to 10
The number of additional processing units to use for this ISE resource. To add capacity after creation, see Add ISE capacity. Access endpoint Yes Internal or External The type of access endpoints to use for your ISE. These endpoints determine whether request or webhook triggers on logic apps in your ISE can receive calls from outside your virtual network.
Your selection also affects the way that you can view and access inputs and outputs in your logic app runs history. For more information, see ISE endpoint access.
Important: This option is available only at ISE creation and can't be changed later.
Virtual network Yes <Azure-virtual-network-name> The Azure virtual network where you want to inject your environment so logic apps in that environment can access your virtual network. If you don't have a network, create an Azure virtual network first.
Important: You can only perform this injection when you create your ISE.
Subnets Yes <subnet-resource-list> An ISE requires four empty subnets for creating and deploying resources in your environment. To create each subnet, follow the steps under this table.
To create and deploy resources in your environment, your ISE needs four empty subnets that aren't delegated to any service. You can't change these subnet addresses after you create your environment.
Subnet names must start with either an alphabetic character or an underscore (no numbers), and doesn't use these characters:
Also, each subnet must meet these requirements:
Uses the Classless Inter-Domain Routing (CIDR) format and a Class B address space.
Uses at least a
/27in the address space because each subnet requires at least 32 addresses minimum. For example:
10.0.0.0/27has 32 addresses because 2(32-27) is 25 or 32.
10.0.0.0/24has 256 addresses because 2(32-24) is 28 or 256.
10.0.0.0/28has only 16 addresses and is too small because 2(32-28) is 24 or 16.
To learn more about calculating addresses, see IPv4 CIDR blocks.
Address prefix: 0.0.0.0/0
Next hop: Internet
Under the Subnets list, select Manage subnet configuration.
On the Subnets pane, select Subnet.
On the Add subnet pane, provide this information.
- Name: The name for your subnet
- Address range (CIDR block): Your subnet's range in your virtual network and in CIDR format
When you're done, select OK.
Repeat these steps for three more subnets.
If the subnets you try to create aren't valid, the Azure portal shows a message, but doesn't block your progress.
For more information about creating subnets, see Add a virtual network subnet.
After Azure successfully validates your ISE information, select Create, for example:
Azure starts deploying your environment, which usually takes within two hours to finish. Occasionally, deployment might take up to four hours. To check deployment status, on your Azure toolbar, select the notifications icon, which opens the notifications pane.
If deployment finishes successfully, Azure shows this notification:
Otherwise, follow the Azure portal instructions for troubleshooting deployment.
If deployment fails or you delete your ISE, Azure might take up to an hour before releasing your subnets. This delay means means you might have to wait before reusing those subnets in another ISE.
If you delete your virtual network, Azure generally takes up to two hours before releasing up your subnets, but this operation might take longer. When deleting virtual networks, make sure that no resources are still connected. See Delete virtual network.
To view your environment, select Go to resource if Azure doesn't automatically go to your environment after deployment finishes.
To check the network health for your ISE, see Manage your integration service environment.
To start creating logic apps and other artifacts in your ISE, see Add artifacts to integration service environments.
Managed ISE connectors that become available after you create your ISE don't automatically appear in the connector picker on the Logic App Designer. Before you can use these ISE connectors, you have to manually add those connectors to your ISE so that they appear in the Logic App Designer.
Add ISE capacity
The Premium ISE base unit has fixed capacity, so if you need more throughput, you can add more scale units, either during creation or afterwards. The Developer SKU doesn't include the capability to add scale units.
In the Azure portal, find your ISE.
To review usage and performance metrics for your ISE, on your ISE menu, select Overview.
Under Settings, select Scale out. On the Configure pane, select from these options:
- Manual scale: Scale based on the number of processing units that you want to use.
- Custom autoscale: Scale based on performance metrics by selecting from various criteria and specifying the threshold conditions for meeting that criteria.
After you select Manual scale, for Additional capacity, select the number of scaling units that you want to use.
When you're done, select Save.
After you select Custom autoscale, for Autoscale setting name, provide a name for your setting and optionally, select the Azure resource group where the setting belongs.
For the Default condition, select either Scale based on a metric or Scale to a specific instance count.
If you choose instance-based, enter the number for the processing units, which is a value from 0 to 10.
If you choose metric-based, follow these steps:
In the Rules section, select Add a rule.
On the Scale rule pane, set up your criteria and action to take when the rule triggers.
For Instance limits, specify these values:
- Minimum: The minimum number of processing units to use
- Maximum: The maximum number of processing units to use
- Default: If any problems happen while reading the resource metrics, and the current capacity is below the default capacity, autoscaling scales out to the default number of processing units. However, if the current capacity exceeds the default capacity, autoscaling doesn't scale in.
To add another condition, select Add scale condition.
When you're finished with your autoscale settings, save your changes.
Before you delete an ISE that you no longer need or an Azure resource group that contains an ISE, check that you have no policies or locks on the Azure resource group that contains these resources or on your Azure virtual network because these items can block deletion.
After you delete your ISE, you might have to wait up to 9 hours before you try to delete your Azure virtual network or subnets.