Whitelisting and Logic Apps

As B2B services move from on-premises servers to Azure Logic App, a recurring question is how to do both inbound whitelisting and outbound whitelisting (by the partner) with such a PaaS approach.

On-premises this was easy because each enterprise obtained its own static IP, IPs or IP range. In Azure or any public cloud, the IPs are owned by the cloud service provider (Microsoft). With IaaS you can still have a static IP assigned to your VM in the cloud. With PaaS, especially multi-tenant PaaS like Logic App, multiple servers behind the scenes service multiple tenants, and those servers are nodes that may be scaled out or in and swapped during update deployments. The question "what's my IP?" is then no longer trivial. Yet for Logic App this actually remains pretty easy, thanks to the work of our engineering team.

To enable your partner to whitelist your IP on your outbound messages, share with them the list of IP addresses used by Logic App for the specific region(s) you use (see link below). If your partner requires a single IP, or if you want the added security of ensuring that another Logic App user in the same region cannot pass through that filter, you can further use Azure API Management as a reverse proxy in front of the Logic App.

To whitelist the IPs authorized to send messages to your Logic App, use the Access control configuration, either in the Azure management portal or in the workflow definition.
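As an added example (not from the original post or from the Logic App product itself), the script below covers both directions: it evaluates a caller IP against the `accessControl.triggers.allowedCallerIpAddresses` block of a workflow definition, and it lists which of the region's published outbound IPs a partner's allowlist fails to cover. All IP ranges are constructed sample values; the real per-region outbound list must be taken from the published documentation, and treating a missing `allowedCallerIpAddresses` key as "unrestricted" and an empty list as "deny external callers" is an assumption of this local checker.

```python
import ipaddress
from typing import Iterable, List

# Inbound side: this dict mirrors the `accessControl` block of a
# Microsoft.Logic/workflows definition. The address ranges are constructed
# sample values (documentation TEST-NET ranges), not any real partner's IPs.
INBOUND_ACCESS_CONTROL = {
    "triggers": {
        "allowedCallerIpAddresses": [
            {"addressRange": "203.0.113.0/24"},  # partner A, a whole range (sample)
            {"addressRange": "198.51.100.17"},   # partner B, a single host (sample)
        ]
    }
}


def caller_allowed(access_control: dict, caller_ip: str) -> bool:
    """Return True if caller_ip falls inside any configured addressRange.

    Assumption of this checker: a missing allowedCallerIpAddresses key means
    no restriction, while an empty list denies external callers.
    """
    triggers = access_control.get("triggers", {})
    if "allowedCallerIpAddresses" not in triggers:
        return True
    ip = ipaddress.ip_address(caller_ip)
    return any(
        ip in ipaddress.ip_network(entry["addressRange"], strict=False)
        for entry in triggers["allowedCallerIpAddresses"]
    )


def uncovered_outbound_ips(published_ips: Iterable[str],
                           partner_allowlist: Iterable[str]) -> List[str]:
    """Outbound side: return the Logic App egress IPs that the partner's
    allowlist does not cover, so the gap can be fixed before go-live."""
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in partner_allowlist]
    return [
        ip for ip in published_ips
        if not any(ipaddress.ip_address(ip) in net for net in nets)
    ]


# Placeholder stand-ins for the published per-region outbound IPs (constructed,
# not real) and for what the partner actually configured on their firewall.
SAMPLE_REGION_OUTBOUND_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.200"]
SAMPLE_PARTNER_ALLOWLIST = ["192.0.2.0/25"]  # partner only allowed the lower half

if __name__ == "__main__":
    print(caller_allowed(INBOUND_ACCESS_CONTROL, "203.0.113.45"))        # True
    print(uncovered_outbound_ips(SAMPLE_REGION_OUTBOUND_IPS,
                                 SAMPLE_PARTNER_ALLOWLIST))               # ['192.0.2.200']
```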

I am linking together some existing information here to make it more discoverable.