| title | description | services | ms.suite | ms.reviewer | ms.topic | ms.date |
|---|---|---|---|---|---|---|
Set up a public outbound IP address for ISEs |
Learn how to set up a single public outbound IP address for integration service environments (ISEs) in Azure Logic Apps |
logic-apps |
integration |
jonfan, logicappspm |
conceptual |
05/06/2020 |
When you work with Azure Logic Apps, you can set up an integration service environment (ISE) for hosting logic apps that need access to resources in an Azure virtual network. When you have multiple ISE instances that need access to other endpoints that have IP restrictions, deploy an Azure Firewall or a network virtual appliance into your virtual network and route outbound traffic through that firewall or network virtual appliance. You can then have all the ISE instances in your virtual network use a single, public, static, and predictable IP address to communicate with the destination systems that you want. That way, you don't have to set up additional firewall openings at your destination systems for each ISE.
This topic shows how to route outbound traffic through an Azure Firewall, but you can apply similar concepts to a network virtual appliance such as a third-party firewall from the Azure Marketplace. While this topic focuses on setup for multiple ISE instances, you can also use this approach for a single ISE when your scenario requires limiting the number of IP addresses that need access. Consider whether the additional costs for the firewall or virtual network appliance make sense for your scenario. Learn more about Azure Firewall pricing.
-
An Azure firewall that runs in the same virtual network as your ISE. If you don't have a firewall, first add a subnet that's named
AzureFirewallSubnetto your virtual network. You can then create and deploy a firewall in your virtual network. -
An Azure route table. If you don't have one, first create a route table. For more information about routing, see Virtual network traffic routing.
-
In the Azure portal, select the route table, for example:
-
To add a new route, on the route table menu, select Routes > Add.
-
On the Add route pane, set up the new route with a rule that specifies that all the outbound traffic to the destination system follows this behavior:
-
Uses the Virtual appliance as the next hop type.
-
Goes to the private IP address for the firewall instance as the next hop address.
To find this IP address, on your firewall menu, select Overview, find the address under Private IP address, for example:
Here's an example that shows how such a rule might look:
Property Value Description Route name <unique-route-name> A unique name for the route in the route table Address prefix <destination-address> The address prefix for your destination system where you want outbound traffic to go. Make sure that you use Classless Inter-Domain Routing (CIDR) notation for this address. In this example, this address prefix is for an SFTP server, which is described in the section, Set up network rule. Next hop type Virtual appliance The hop type that's used by outbound traffic Next hop address <firewall-private-IP-address> The private IP address for your firewall -
-
In the Azure portal, find and select your firewall. On the firewall menu, under Settings, select Rules. On the rules pane, select Network rule collection > Add network rule collection.
-
In the collection, add a rule that permits traffic to the destination system.
For example, suppose that you have a logic app that runs in an ISE and needs to communicate with an SFTP server. You create a network rule collection that's named
LogicApp_ISE_SFTP_Outbound, which contains a network rule namedISE_SFTP_Outbound. This rule permits traffic from the IP address of any subnet where your ISE runs in your virtual network to the destination SFTP server by using your firewall's private IP address.
Network rule collection properties
Property Value Description Name <network-rule-collection-name> The name for your network rule collection Priority <priority-level> The order of priority to use for running the rule collection. For more information, see What are some Azure Firewall concepts? Action Allow The action type to perform for this rule Network rule properties
Property Value Description Name <network-rule-name> The name for your network rule Protocol <connection-protocols> The connection protocols to use. For example, if you're using NSG rules, select both TCP and UDP, not only TCP. Source addresses <ISE-subnet-addresses> The subnet IP addresses where your ISE runs and where traffic from your logic app originates Destination addresses <destination-IP-address> The IP address for your destination system where you want outbound traffic to go. In this example, this IP address is for the SFTP server. Destination ports <destination-ports> Any ports that your destination system uses for inbound communication For more information about network rules, see these articles:
