Guest Yinduo Posted February 1, 2023 Posted February 1, 2023 According to official documentation: Deploy single-tenant Standard logic apps to private storage accounts using private endpoints - Deploy Standard logic apps to private storage accounts - Azure Logic Apps Quote: "This deployment method requires that temporary public access to your storage account. If you can't enable public access due to your organization's policies, you can still deploy your logic app to a private storage account. " The description from above essentially means that the Deployment method available at Azure portal requires its selection of back-end storage account to be accessible from public network, or otherwise the deployment won't be successful. And to work around this situation(if we wish to keep our back-end storage account's firewall enabled during deployment and only accept intranet calls), we should explore the option of deploying the Standard Logic App using ARM template. While we are designing the ARM template to serve this purpose, here are some essential aspects/practices to consider: (1) Find a starter template for deployment. There is a feature that allow us to download a sample template generated based on our selections to initialize the Logic App at Portal. We could download the template based on our initial selections and append new specification settings on top of which at where applicable. (2) When storage account is set to only allows intranet calls. It can only be reached via either: Service Endpoints or Private Endpoints. When we are composing the ARM template, we should consider in which way we wish our Logic App to link up to the storage account. For example, if we are selecting service endpoints. The request path between Logic App and Storage Account is: Logic App -> Vnet Integration Subnet -> Service Endpoints -> Storage Account. Henceforth, in our settings for the deployment, we should specify the relevant settings to enable Logic App in establishing connection via this request path. Specifically: Turn on service endpoints for the target Subnet that we will integrate the Logic App with at Storage Account side. Turn on VNET Integration at Logic App side. To enable VNET integration settings in the template, we could specify a child resource (for networkconfig) under the parent resource (created for Logic App, resource type: Microsoft.Web/sites). Sample Script: "resources": [ { "type": "networkconfig", "apiVersion": "2018-11-01", "name": "virtualNetwork", "location": "East Asia", "dependsOn": [ "<Logic App Name>" ], "properties": { "subnetResourceId": "<Subnet resource ID, for example: /subscriptions/<SubID>/resourceGroups/<RGname>/providers/Microsoft.Network/virtualNetworks/<VnetName>/subnets/subnetName>", "swiftSupported": true } } ] Set Application Settings to allow Logic App workflow data transmit over the virtual network. Application settings could be set in specification for Logic App resource, under "properties">"siteConfig">"appSettings" (3) In case of using service endpoints, here are the required app settings to configure: Frist Setting, File share name. According to testing result, the file share folder used by the Standard Logic App should be present at Storage Account side prior to deployment. Deploy via custom ARM template would not automatically create the folder at storage account side if the folder is not already there. { "name": "WEBSITE_CONTENTSHARE", "value": "<file share name>" } Second Setting, Content over Virtual Network Setting. It is required to enable logic app workflow data transmit over the virtual network. { "name": "WEBSITE_CONTENTOVERVNET", "value": "1" } Third Setting, Route all outbound traffic to virtual network Setting. It is required to enable logic app establish connection from virtual network first. Storage account inbound endpoint domain "https://<storageAccountName>.file.core.windows.net/" is still resolvable using public DNS(for service endpoints) and it is going to return a public IP, we wish to ensure Logic App uses service endpoints channel from virtual network as opposed to sending request from Default gateway and try to connect with Storage Account via public network. { "name": "WEBSITE_VNET_ROUTE_ALL", "value": "1" } Lastly, The DNS settings(When Custom DNS Servers are selected at Virtual Network side). Considering whether the virtual network is using Custom DNS or Azure DNS, we should specify the DNS settings at Logic App side to use the same DNS configuration as virtual network side. In case there are security rules present in the virtual network preventing Logic App from resolving relevant domain addresses successfully. { "name": "WEBSITE_DNS_SERVER", "value": "<Primary DNS Server Address>" }, { "name": "WEBSITE_DNS_ALT_SERVER", "value": "<Secondary DNS Server Address>", } (3) References: Deploying Standard Logic App to Storage Account behind Firewall using Service or Private Endpoints GitHub - VeeraMS/LogicApp-deployment-with-Secure-Storage: Deploying Logic App standard resource with Storage account having Private endpoints Logic Apps Anywhere: Networking Possibilities with Logic App Preview Continue reading... Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.