Connect to Azure virtual networks from Azure Logic Apps by using an integration service environment (ISE)
For scenarios where your logic apps and integration accounts need access to an Azure virtual network, create an integration service environment (ISE). An ISE is a private and isolated environment that uses dedicated storage and other resources that are kept separate from the public or "global" Logic Apps service. This separation also reduces any impact that other Azure tenants might have on your apps' performance.
When you create an ISE, Azure injects that ISE into your Azure virtual network, which then deploys the Logic Apps service into your virtual network. When you create a logic app or integration account, select your ISE as their location. Your logic app or integration account can then directly access resources, such as virtual machines (VMs), servers, systems, and services, in your virtual network.
For logic apps and integration accounts to work together in an ISE, both must use the same ISE as their location.
An ISE has increased limits on run duration, storage retention, throughput, HTTP request and response timeouts, message sizes, and custom connector requests. For more information, see Limits and configuration for Azure Logic Apps. To learn more about ISEs, see Access to Azure Virtual Network resources from Azure Logic Apps.
This article shows how to complete these tasks:
- Make sure any necessary ports on your virtual network are open so that traffic can travel through your ISE across the subnets in that virtual network.
- Create your ISE.
- Add extra capacity to your ISE.
Logic apps, built-in triggers, built-in actions, and connectors that run in your ISE use a pricing plan different from the consumption-based pricing plan. To learn how pricing and billing work for ISEs, see the Logic Apps pricing model. For pricing rates, see Logic Apps pricing.
An Azure subscription. If you don't have an Azure subscription, sign up for a free Azure account.
Your virtual network must have four empty subnets for creating and deploying resources in your ISE. You can create these subnets in advance, or you can wait until you create your ISE where you can create subnets at the same time. Learn more about subnet requirements.
Make sure that your virtual network makes these ports available so your ISE works correctly and stays accessible.
If you want to use custom DNS servers for your Azure virtual network, set up those servers by following these steps before you deploy your ISE to your virtual network. Otherwise, each time you change your DNS server, you also have to restart your ISE, which is a capability that's available with ISE public preview.
Check network ports
When you use an ISE with an existing virtual network, a common setup problem is having one or more blocked ports. The connectors that you use for creating connections between your ISE and the destination system might also have their own port requirements. For example, if you communicate with an FTP system by using the FTP connector, make sure the port you use on that FTP system, such as port 21 for sending commands, is available.
If you created a new virtual network and subnets without any constraints, you don't need to set up network security groups (NSGs) in your virtual network to control traffic across subnets. For an existing virtual network, you can optionally set up NSGs to filter network traffic across subnets. If you choose this route, or if your virtual network already has NSGs or firewalls, make sure that they open the ports described in the following table. Otherwise, if any required ports are unavailable, your ISE stops working and you can lose access to it.
For internal communication inside your subnets, ISE requires that you open all ports within those subnets.
This table describes the ports in your virtual network that your ISE uses and where those ports get used. The Resource Manager service tags represent a group of IP address prefixes that help minimize complexity when creating security rules.
Source ports are ephemeral, so set them to * for all rules.
|Purpose||Direction||Destination ports||Source service tag||Destination service tag||Notes|
|Communication from Azure Logic Apps||Outbound||80, 443||VirtualNetwork||Internet||The port depends on the external service with which the Logic Apps service communicates|
|Azure Active Directory||Outbound||80, 443||VirtualNetwork||AzureActiveDirectory|
|Azure Storage dependency||Outbound||80, 443||VirtualNetwork||Storage|
|Intersubnet communication||Inbound & Outbound||80, 443||VirtualNetwork||VirtualNetwork||For communication between subnets|
|Communication to Azure Logic Apps||Inbound||443||Internal access endpoints: External access endpoints:||VirtualNetwork||The IP address for the computer or service that calls any request trigger or webhook that exists in your logic app. Closing or blocking this port prevents HTTP calls to logic apps with request triggers.|
|Logic app run history||Inbound||443||Internal access endpoints: External access endpoints:||VirtualNetwork||The IP address for the computer from which you view the logic app's run history. Although closing or blocking this port doesn't prevent you from viewing the run history, you can't view the inputs and outputs for each step in that run history.|
|Publish Diagnostic Logs & Metrics||Outbound||443||VirtualNetwork||AzureMonitor|
|Communication from Azure Traffic Manager||Inbound||443||AzureTrafficManager||VirtualNetwork|
|Logic Apps Designer - dynamic properties||Inbound||454||Internet||VirtualNetwork||Requests come from the Logic Apps access endpoint inbound IP addresses in that region.|
|App Service Management dependency||Inbound||454, 455||AppServiceManagement||VirtualNetwork|
|Connector deployment||Inbound||454||AzureConnectors||VirtualNetwork||Necessary for deploying and updating connectors. Closing or blocking this port causes ISE deployments to fail and prevents connector updates or fixes.|
|Connector policy deployment||Inbound||3443||Internet||VirtualNetwork||Necessary for deploying and updating connectors. Closing or blocking this port causes ISE deployments to fail and prevents connector updates or fixes.|
|Azure SQL dependency||Outbound||1433||VirtualNetwork||SQL|
|Azure Resource Health||Outbound||1886||VirtualNetwork||AzureMonitor||For publishing health status to Resource Health|
|API Management - management endpoint||Inbound||3443||APIManagement||VirtualNetwork|
|Dependency from Log to Event Hub policy and monitoring agent||Outbound||5672||VirtualNetwork||EventHub|
|Access Azure Cache for Redis Instances between Role Instances||Inbound||6379-6383||VirtualNetwork||VirtualNetwork||Also, for ISE to work with Azure Cache for Redis, you must open these outbound and inbound ports described in the Azure Cache for Redis FAQ.|
|Azure Load Balancer||Inbound||*||AzureLoadBalancer||VirtualNetwork|
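One way to check an existing NSG against the table before deploying, as an added example that is not part of the original article or any Azure tooling. The rule tuple layout and the sample rules are constructed for illustration, service tags are matched by exact name or "*", and Azure's built-in default rules are not modelled, so any flow that no listed rule allows is treated as denied.

```python
# Required flows copied from rows of the ports table above:
# (purpose, direction, destination ports, source tag, destination tag)
REQUIRED = [
    ("Azure Storage dependency", "Outbound", (80, 443), "VirtualNetwork", "Storage"),
    ("Azure SQL dependency", "Outbound", (1433,), "VirtualNetwork", "SQL"),
    ("Azure Resource Health", "Outbound", (1886,), "VirtualNetwork", "AzureMonitor"),
    ("App Service Management dependency", "Inbound", (454, 455), "AppServiceManagement", "VirtualNetwork"),
    ("Connector deployment", "Inbound", (454,), "AzureConnectors", "VirtualNetwork"),
    ("Connector policy deployment", "Inbound", (3443,), "Internet", "VirtualNetwork"),
]

# Constructed sample NSG: (priority, direction, access, source, destination, ports).
# This tuple layout is a hypothetical format for the example, not an Azure schema.
SAMPLE_RULES = [
    (100, "Outbound", "Allow", "VirtualNetwork", "Storage", "80,443"),
    (200, "Outbound", "Deny", "VirtualNetwork", "*", "1433"),
    (300, "Outbound", "Allow", "VirtualNetwork", "*", "*"),
    (110, "Inbound", "Allow", "AppServiceManagement", "VirtualNetwork", "454-455"),
    (120, "Inbound", "Allow", "AzureConnectors", "VirtualNetwork", "454"),
]

def port_matches(spec, port):
    """True if port falls in a spec such as "*", "443", "80,443" or "6379-6383"."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(rules, direction, port, src, dst):
    """Return the access of the first matching rule, lowest priority number first."""
    for _prio, r_dir, access, r_src, r_dst, ports in sorted(rules):
        if (r_dir == direction and r_src in ("*", src)
                and r_dst in ("*", dst) and port_matches(ports, port)):
            return access
    return "Deny"  # assumption: default rules not modelled, unmatched means denied

def blocked_flows(rules, required=REQUIRED):
    """List (purpose, port) pairs from the table that the rule set does not allow."""
    return [(purpose, port)
            for purpose, direction, ports, src, dst in required
            for port in ports
            if decide(rules, direction, port, src, dst) != "Allow"]

if __name__ == "__main__":
    for purpose, port in blocked_flows(SAMPLE_RULES):
        print(f"BLOCKED: {purpose} (port {port})")
```

In the sample, the deny rule at priority 200 shadows the broader allow at priority 300, and no inbound rule covers port 3443, so both flows are reported.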
Create your ISE
To create your integration service environment (ISE), follow these steps:
In the Azure portal, on the main Azure menu, select Create a resource. In the search box, enter "integration service environment" as your filter.
On the Integration Service Environment creation pane, choose Create.
Provide these details for your environment, and then choose Review + create:
|Property||Required||Value||Description|
|Subscription||Yes||<Azure-subscription-name>||The Azure subscription to use for your environment|
|Resource group||Yes||<Azure-resource-group-name>||The Azure resource group where you want to create your environment|
|Integration service environment name||Yes||<environment-name>||Your ISE name, which can contain only letters, numbers, hyphens (-), underscores (_), and periods (.)|
|Location||Yes||<Azure-datacenter-region>||The Azure datacenter region where to deploy your environment|
|SKU||Yes||Premium or Developer (No SLA)||The ISE SKU to create and use. For differences between these SKUs, see ISE SKUs. Important: This option is available only at ISE creation and can't be changed later.|
|Additional capacity|| ||Premium: 0 to 10||The number of additional processing units to use for this ISE resource. To add capacity after creation, see Add ISE capacity.|
|Access endpoint||Yes||Internal or External||The type of access endpoints to use for your ISE, which determine whether request or webhook triggers on logic apps in your ISE can receive calls from outside your virtual network. The endpoint type also affects access to inputs and outputs in your logic app runs history. For more information, see Endpoint access. Important: This option is available only at ISE creation and can't be changed later.|
|Virtual network||Yes||<Azure-virtual-network-name>||The Azure virtual network where you want to inject your environment so logic apps in that environment can access your virtual network. If you don't have a network, create an Azure virtual network first. Important: You can only perform this injection when you create your ISE.|
|Subnets||Yes||<subnet-resource-list>||An ISE requires four empty subnets for creating and deploying resources in your environment. To create each subnet, follow the steps under this table.|
To create and deploy resources in your environment, your ISE needs four empty subnets that aren't delegated to any service. You can't change these subnet addresses after you create your environment. Each subnet must meet these criteria:
Has a name that starts with an alphabetic character or an underscore, and doesn't have these characters:
Uses the Classless Inter-Domain Routing (CIDR) format and a Class B address space.
Uses at least a /27 in the address space because each subnet must have at least 32 addresses. For example:
- 10.0.0.0/27 has 32 addresses because 2^(32-27) is 2^5, or 32.
- 10.0.0.0/24 has 256 addresses because 2^(32-24) is 2^8, or 256.
- 10.0.0.0/28 has only 16 addresses and is too small because 2^(32-28) is 2^4, or 16.
To learn more about calculating addresses, see IPv4 CIDR blocks.
Address prefix: 0.0.0.0/0
Next hop: Internet
Under the Subnets list, choose Manage subnet configuration.
On the Subnets pane, choose Subnet.
On the Add subnet pane, provide this information.
- Name: The name for your subnet
- Address range (CIDR block): Your subnet's range in your virtual network and in CIDR format
When you're done, choose OK.
Repeat these steps for three more subnets.
If the subnets you try to create aren't valid, the Azure portal shows a message, but doesn't block your progress.
For more information about creating subnets, see Add a virtual network subnet.
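Because the portal shows a message for invalid subnets but doesn't block your progress, it helps to validate a subnet plan before you start. The following is an added example, not part of the original article: it checks the subnet count, the leading character of each name, and the /27 minimum from the criteria above, and it also checks that each subnet sits inside the virtual network's address space and overlaps no other subnet. The function name, subnet names and address ranges are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress
import re

MIN_PREFIX = 27        # criteria above: at least a /27, which is 32 addresses
REQUIRED_SUBNETS = 4   # an ISE needs four empty subnets

def check_ise_subnets(vnet_cidr, subnets):
    """Return a list of problems for a {name: cidr} plan; an empty list passes."""
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr)
    if len(subnets) != REQUIRED_SUBNETS:
        problems.append(f"need {REQUIRED_SUBNETS} subnets, got {len(subnets)}")
    parsed = {}
    for name, cidr in subnets.items():
        if not re.match(r"[A-Za-z_]", name):
            problems.append(f"{name}: name must start with a letter or underscore")
        try:
            net = ipaddress.ip_network(cidr)  # strict mode rejects host bits
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR block ({exc})")
            continue
        if net.prefixlen > MIN_PREFIX:
            problems.append(f"{name}: /{net.prefixlen} has only "
                            f"{net.num_addresses} addresses, need /{MIN_PREFIX} or larger")
        if not net.subnet_of(vnet):
            problems.append(f"{name}: {net} is outside virtual network {vnet}")
        for other, other_net in parsed.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other} ({other_net})")
        parsed[name] = net
    return problems

# Constructed sample plans for a hypothetical 10.0.0.0/16 virtual network.
GOOD_PLAN = {
    "ise-subnet-1": "10.0.0.0/27", "ise-subnet-2": "10.0.0.32/27",
    "ise-subnet-3": "10.0.0.64/27", "ise-subnet-4": "10.0.0.96/27",
}
BAD_PLAN = {
    "ise-subnet-1": "10.0.0.0/27",
    "2nd": "10.0.0.16/28",          # bad name, too small, overlaps ise-subnet-1
    "ise-subnet-3": "10.0.0.5/27",  # host bits set, not a valid network address
    "ise-subnet-4": "10.1.0.0/27",  # outside the virtual network
}

if __name__ == "__main__":
    for problem in check_ise_subnets("10.0.0.0/16", BAD_PLAN):
        print(problem)
```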
After Azure successfully validates your ISE information, choose Create.
Azure starts deploying your environment, but this process might take up to two hours before finishing. To check deployment status, on your Azure toolbar, choose the notifications icon, which opens the notifications pane.
If deployment finishes successfully, Azure shows a notification.
Otherwise, follow the Azure portal instructions for troubleshooting deployment.
If deployment fails or you delete your ISE, Azure might take up to an hour before releasing your subnets. This delay means you might have to wait before reusing those subnets in another ISE.
If you delete your virtual network, Azure generally takes up to two hours before releasing your subnets, but this operation might take longer. When deleting virtual networks, make sure that no resources are still connected. See Delete virtual network.
To view your environment, choose Go to resource if Azure doesn't automatically go to your environment after deployment finishes.
To check the network health for your ISE, see Manage your integration service environment.
To start creating logic apps and other artifacts in your ISE, see Add artifacts to integration service environments.
Add ISE capacity
The Premium ISE base unit has fixed capacity, so if you need more throughput, you can add more scale units, either during creation or afterwards. You can autoscale based on performance metrics or based on a number of additional processing units. If you choose autoscaling based on metrics, you can choose from various criteria and specify the threshold conditions for meeting those criteria. The Developer SKU doesn't include the capability to add scale units.
In the Azure portal, find your ISE.
To review usage and performance metrics for your ISE, on your ISE's main menu, select Overview.
To set up autoscaling, under Settings, select Scale out. On the Configure tab, choose Enable autoscale.
For Autoscale setting name, provide a name for your setting.
In the Default section, choose either Scale based on a metric or Scale to a specific instance count.
If you choose instance-based, enter the number of processing units between 0 and 10, inclusive.
If you choose metric-based, follow these steps:
In the Rules section, choose Add a rule.
On the Scale rule pane, set up your criteria and action to take when the rule triggers.
When you're done, choose Add.
When you're finished with your autoscale settings, save your changes.