Connect to Azure virtual networks from Azure Logic Apps by using an integration service environment (ISE)
This capability is in public preview.
For scenarios where your logic apps and integration accounts need access to an Azure virtual network, create an integration service environment (ISE). An ISE is a private and isolated environment that uses dedicated storage and other resources that are kept separate from the public or "global" Logic Apps service. This separation also reduces any impact that other Azure tenants might have on your apps' performance. Your ISE is injected into to your Azure virtual network, which then deploys the Logic Apps service into your virtual network. When you create a logic app or integration account, select this ISE as their location. Your logic app or integration account can then directly access resources, such as virtual machines (VMs), servers, systems, and services, in your virtual network.
This article shows how to complete these tasks:
Set up ports on your Azure virtual network so traffic can travel through your integration service environment (ISE) across subnets in your virtual network.
Create your integration service environment (ISE).
Create a logic app that can run in your ISE.
Create an integration account for your logic apps in your ISE.
For more information about integration service environments, see Access to Azure Virtual Network resources from Azure Logic Apps.
An Azure subscription. If you don't have an Azure subscription, sign up for a free Azure account.
Logic apps, built-in actions, and connectors that run in your ISE use a different pricing plan, not the consumption-based pricing plan. For more information, see Logic Apps pricing.
Your virtual network must have four empty subnets for deploying and creating resources in your ISE. You can create these subnets in advance, or you can wait until you create your ISE where you can create subnets at the same time. Learn more about subnet requirements.
Make sure that your virtual network makes these ports available so your ISE works correctly and stays accessible.
If you want to use custom DNS servers for your Azure virtual network, set up those servers by following these steps before you deploy your ISE to your virtual network. Otherwise, each time you change your DNS server, you also have to restart your ISE, which is a capability that's available with ISE public preview.
Basic knowledge about how to create logic apps
Set up network ports
To work correctly and stay accessible, your integration service environment (ISE) needs to have specific ports available on your virtual network. Otherwise, if any of these ports are unavailable, you might lose access to your ISE, which might stop working. When you use an ISE in a virtual network, a common setup problem is having one or more blocked ports. For connections between your ISE and the destination system, the connector you use might also have its own port requirements. For example, if you communicate with an FTP system by using the FTP connector, make sure the port you use on that FTP system, such as port 21 for sending commands, is available.
To control the traffic across the virtual network's subnets where you deploy your ISE, you can set up network security groups for those subnets by filtering network traffic across subnets. These tables describe the ports in your virtual network that your ISE uses and where those ports get used. The service tag represents a group of IP address prefixes that help minimize complexity when creating security rules.
For internal communication inside your subnets, ISE requires that you open all ports within those subnets.
|Purpose||Direction||Ports||Source service tag||Destination service tag||Notes|
|Communication from Azure Logic Apps||Outbound||80 & 443||VIRTUAL_NETWORK||INTERNET||The port depends on the external service with which the Logic Apps service communicates|
|Azure Active Directory||Outbound||80 & 443||VIRTUAL_NETWORK||AzureActiveDirectory|
|Azure Storage dependency||Outbound||80 & 443||VIRTUAL_NETWORK||Storage|
|Intersubnet communication||Inbound & Outbound||80 & 443||VIRTUAL_NETWORK||VIRTUAL_NETWORK||For communication between subnets|
|Communication to Azure Logic Apps||Inbound||443||INTERNET||VIRTUAL_NETWORK||The IP address for the computer or service that calls any request trigger or webhook that exists in your logic app. Closing or blocking this port prevents HTTP calls to logic apps with request triggers.|
|Logic app run history||Inbound||443||INTERNET||VIRTUAL_NETWORK||The IP address for the computer from which you view the logic app's run history. Although closing or blocking this port doesn't prevent you from viewing the run history, you can't view the inputs and outputs for each step in that run history.|
|Publish Diagnostic Logs & Metrics||Outbound||443||VIRTUAL_NETWORK||AzureMonitor|
|Logic Apps Designer - dynamic properties||Inbound||454||INTERNET||VIRTUAL_NETWORK||Requests come from the Logic Apps access endpoint inbound IP addresses in that region.|
|App Service Management dependency||Inbound||454 & 455||AppServiceManagement||VIRTUAL_NETWORK|
|Connector deployment||Inbound||454 & 3443||INTERNET||VIRTUAL_NETWORK||Necessary for deploying and updating connectors. Closing or blocking this port causes ISE deployments to fail and prevents connector updates or fixes.|
|Azure SQL dependency||Outbound||1433||VIRTUAL_NETWORK||SQL|
|Azure Resource Health||Outbound||1886||VIRTUAL_NETWORK||INTERNET||For publishing health status to Resource Health|
|API Management - management endpoint||Inbound||3443||APIManagement||VIRTUAL_NETWORK|
|Dependency from Log to Event Hub policy and monitoring agent||Outbound||5672||VIRTUAL_NETWORK||EventHub|
|Access Azure Cache for Redis Instances between Role Instances||Inbound
|6379-6383||VIRTUAL_NETWORK||VIRTUAL_NETWORK||Also, for ISE to work with Azure Cache for Redis, you must open these outbound and inbound ports described in the Azure Cache for Redis FAQ.|
|Azure Load Balancer||Inbound||*||AZURE_LOAD_BALANCER||VIRTUAL_NETWORK|
Create your ISE
To create your integration service environment (ISE), follow these steps:
In the Azure portal, on the main Azure menu, select Create a resource.
In the search box, enter "integration service environment" as your filter. From the results list, select Integration Service Environment (preview), and then choose Create.
Provide these details for your environment, and then choose Review + create, for example:
Property Required Value Description Subscription Yes <Azure-subscription-name> The Azure subscription to use for your environment Resource group Yes <Azure-resource-group-name> The Azure resource group where you want to create your environment Integration Service Environment Name Yes <environment-name> The name to give your environment Location Yes <Azure-datacenter-region> The Azure datacenter region where to deploy your environment Additional capacity Yes 0, 1, 2, 3 The number of processing units to use for this ISE resource. To add capacity after creation, see Add capacity. Virtual network Yes <Azure-virtual-network-name> The Azure virtual network where you want to inject your environment so logic apps in that environment can access your virtual network. If you don't have a network, you can create one here.
Important: You can only perform this injection when you create your ISE. However, before you can create this relationship, make sure you already set up role-based access control in your virtual network for Azure Logic Apps.
Subnets Yes <subnet-resource-list> An ISE requires four empty subnets for creating resources in your environment. To create each subnet, follow the steps under this table.
To create resources in your environment, your ISE needs four empty subnets that aren't delegated to any service. You can't change these subnet addresses after you create your environment. Each subnet must meet these criteria:
Has a name that starts with an alphabetic character or an underscore, and doesn't have these characters:
Uses the Classless Inter-Domain Routing (CIDR) format and a Class B address space.
Uses at least a
/27in the address space because each subnet must have 32 addresses as the minimum. For example:
10.0.0.0/27has 32 addresses because 2(32-27) is 25 or 32.
10.0.0.0/24has 256 addresses because 2(32-24) is 28 or 256.
10.0.0.0/28has only 16 addresses and is too small because 2(32-28) is 24 or 16.
To learn more about calculating addresses, see IPv4 CIDR blocks.
Under the Subnets list, choose Manage subnet configuration.
On the Subnets pane, choose Subnet.
On the Add subnet pane, provide this information.
- Name: The name for your subnet
- Address range (CIDR block): Your subnet's range in your virtual network and in CIDR format
When you're done, choose OK.
Repeat these steps for three more subnets.
After Azure successfully validates your ISE information, choose Create, for example:
Azure starts deploying your environment, but this process might take up to two hours before finishing. To check deployment status, on your Azure toolbar, choose the notifications icon, which opens the notifications pane.
If deployment finishes successfully, Azure shows this notification:
If deployment fails or you delete your ISE, Azure might take up to an hour before releasing your subnets. So, you might have to wait before reusing those subnets in another ISE.
To view your environment, choose Go to resource if Azure doesn't automatically go to your environment after deployment finishes.
Your ISE base unit has fixed capacity, so if you need more throughput, you can add more scale units. You can autoscale based on performance metrics or based on a number of processing units. If you choose autoscaling based on metrics, you can choose from various criteria and specify the threshold conditions for meeting that criteria.
In the Azure portal, find your ISE.
To view performance metrics for your ISE, on your ISE's main menu, choose Overview.
To set up autoscaling, under Settings, select Scale out. On the Configure tab, choose Enable autoscale.
In the Default section, choose either Scale based on a metric or Scale to a specific instance count.
If you choose instance-based, enter the number of processing units between 0 and 3 inclusively. Otherwise, for metric-based, follow these steps:
In the Default section, choose Add a rule.
On the Scale rule pane, set up your criteria and action to take when the rule triggers.
When you're done, choose Add.
When you're finished, remember to save your changes.
Create logic app - ISE
To create logic apps that use your integration service environment (ISE), follow the steps in how to create a logic app but with these differences:
When you create your logic app, under the Location property, select your ISE from the Integration service environments section, for example:
You can use the same built-in triggers and actions such as HTTP, which run in the same ISE as your logic app. Connectors with the ISE label also run in the same ISE as your logic app. Connectors without the ISE label run in the global Logic Apps service.
After you inject your ISE into an Azure virtual network, the logic apps in your ISE can directly access resources in that virtual network. For on-premises systems that are connected to a virtual network, inject an ISE into that network so your logic apps can directly access those systems by using any of these items:
ISE connector for that system, for example, SQL Server
For on-premises systems that aren't in a virtual network or don't have ISE connectors, first set up the on-premises data gateway.
Create integration account - ISE
To use an integration account with logic apps in an integration service environment (ISE), that integration account must use the same environment as the logic apps. Logic apps in an ISE can reference only integration accounts in the same ISE.
To create an integration account that uses an ISE, follow the steps in how to create integration accounts except for the Location property where the Integration service environments section now appears. Instead, select your ISE, rather than a region, for example:
- For questions, visit the Azure Logic Apps forum.
- To submit or vote on feature ideas, visit the Logic Apps user feedback site.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.