Securing access to trigger an Azure logic app (HTTP Request Trigger) - azure

I have an Azure logic app which has an HTTP Request trigger. I am executing the logic app via a web application using the Logic App URL.
I have noticed that the Logic App URL is accessible from anywhere. Therefore anyone who has the URL can call the logic app.
I want to know how to secure access to trigger an Azure logic app.

In an Azure logic app, the URL generated for "When a HTTP request is received" has a shared access signature; it has been certified and protected, and this process is done automatically by the Azure logic app.
https://prod-07.westus.logic.azure.com:433/workflows/{logic-app-resource-ID}/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig={shared-access-signature}
For more details, please refer to What about URL security?
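The `sig` query parameter in the URL format quoted above is what authorizes the call, so the full URL should be handled like a credential. The following Python sketch is an added example, not part of the original question or answer: it scrubs the signature from log lines before they are stored. The sample log lines and the `redact_trigger_urls` name are constructed for illustration.

```python
import re

# Matches a Logic Apps request-trigger callback URL of the form quoted above.
TRIGGER_URL = re.compile(
    r"https://[A-Za-z0-9.-]+\.logic\.azure\.com(?::\d+)?/workflows/[^\s\"'<>]+"
)
# Matches only the value of the sig parameter inside such a URL.
SIG_PARAM = re.compile(r"(?<=[?&]sig=)[^&\s\"'<>]+")


def redact_trigger_urls(text):
    """Return (redacted_text, count): every trigger-URL sig value is replaced."""
    count = 0

    def _redact(match):
        nonlocal count
        url, n = SIG_PARAM.subn("REDACTED", match.group(0))
        count += n
        return url

    return TRIGGER_URL.sub(_redact, text), count


# Constructed sample log lines (not real endpoints or signatures).
SAMPLE_LOG = [
    "POST https://prod-07.westus.logic.azure.com:433/workflows/abc123/triggers/"
    "manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun"
    "&sv=1.0&sig=CONSTRUCTED-SIGNATURE-VALUE 202",
    "GET https://example.invalid/health?sig=not-a-logic-app 200",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        clean, n = redact_trigger_urls(line)
        print(n, clean)
```

Only URLs on a `logic.azure.com` host are touched, so unrelated `sig` parameters in other log entries are left as they are.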

Related

Restrict access to Logic App to Managed Identity

I have an Azure App Service that uses HttpClient to call a Logic App with an HTTP trigger. The App Service has a system-assigned Managed Identity. I want to restrict access to the Logic App to only this Managed Identity so that only the App Service can call the Logic App. Is that possible?
Using the Authorization parameter, you can restrict access to the logic app with a managed identity.
I have an Azure web app which is used to call the logic app with an HTTP client.
I have created the logic app with an HTTP trigger, as shown below,
In the HTTP trigger, added the Authorization parameter as shown below,
Selected authentication type as Managed Identity,
You can also restrict access to the logic app by adding the app service IP range in the logic app workflow settings
Logic app >> Workflow Settings
In this way, the logic app is accessible only from the configured IP addresses.
Reference link

Can you tell if an API request hasn't come through Azure API Management?

I have an API that runs on an Azure app service which is exposed through Azure API Management. Is there a way to tell if any requests are hitting the app service URL directly without going through the API Management service?
In my opinion, APIM can't record requests that hit the app service URL directly, because these requests have no relationship with APIM. If you want to record these requests, you need to modify the API in your code.
For example, you can add a parameter with a specific value in API Management, and when your code receives this parameter, you can check the value to know if it comes from APIM.
I assume that you want to prevent calling the app service URL directly. So I suggest adding a whitelist on your server so that only APIM requests can reach your server.
For adding access restrictions, if you're using Azure App Service, you can learn about this in this MS document.
I believe if you were to enable Application Insights on both the API Management and App Service, you can view the requests on Application Insights for the App Service to tell which ones were direct calls and which ones came from API Management.
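The two checks suggested in the answers above (a gateway-set value and a source allowlist) can be combined in the backend so that direct calls are both rejected and counted. This Python sketch is an added example, not code from the original posts; the header name, secret, gateway address and sample requests are all constructed assumptions.

```python
import hmac
import ipaddress

# Assumptions: placeholder header name, secret and gateway address.
# A real secret would come from configuration, not source code.
GATEWAY_HEADER = "X-Gateway-Secret"         # hypothetical header set by APIM
GATEWAY_SECRET = "constructed-demo-secret"  # constructed value
GATEWAY_NETWORKS = [ipaddress.ip_network("203.0.113.10/32")]  # documentation range


def came_through_gateway(headers, remote_addr):
    """Return (ok, reason) for one inbound request."""
    # HTTP header names are case-insensitive.
    supplied = {k.lower(): v for k, v in headers.items()}.get(GATEWAY_HEADER.lower())
    if supplied is None:
        return False, "missing-header"
    # Constant-time comparison avoids leaking how much of the value matched.
    if not hmac.compare_digest(supplied.encode(), GATEWAY_SECRET.encode()):
        return False, "bad-secret"
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "bad-address"
    if not any(addr in net for net in GATEWAY_NETWORKS):
        return False, "source-not-allowed"
    return True, "gateway"


def audit(requests):
    """Count requests by reason so direct calls show up in monitoring."""
    counts = {}
    for headers, remote_addr in requests:
        _, reason = came_through_gateway(headers, remote_addr)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample requests: (headers, source address).
SAMPLE_REQUESTS = [
    ({"x-gateway-secret": "constructed-demo-secret"}, "203.0.113.10"),
    ({"User-Agent": "curl"}, "198.51.100.7"),
    ({"X-Gateway-Secret": "guess"}, "198.51.100.7"),
    ({"X-Gateway-Secret": "constructed-demo-secret"}, "198.51.100.7"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_REQUESTS))
```

The last sample request carries the correct secret from an unlisted address, which is the case a header check alone would miss.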

Connect another server on azure App Service

I have a website on the Namecheap server and an application on Microsoft Azure deployed on Azure App Service. I would like to send POST requests from my Namecheap server to Azure, which contains the application. My question: is this possible, and isn't there a security risk?
Thank you for your help.
Web programs are accessed through HTTP Requests. The security risk you mentioned does not exist.
In webapp, the security of web application data is what we need to care about.
After passing the authentication, CRUD operations can be performed on the data according to the authority, to ensure the security of the program.
It is recommended that you add an authentication function, such as a JWT token, to the deployed Azure web app program.

Azure - Making an API App available to a Logic App

I've created a web application API with a swagger interface that I've deployed as an API App to Azure.
When creating a Logic App I can find my API App but whenever I try to use it I get the following error:
Failed to fetch swagger. Ensure you have CORS enabled on the endpoint
and are calling an HTTPS endpoint.
I'm using the default https url for the API definition in the API App:
https://microsoft-SOME-LONG-MS-INTERNAL-ID.azurewebsites.net/swagger/docs/v1
The swagger docs have been provided in my C# web API application through Swashbuckle.
For CORS I've set a single * item.
This didn't seem sufficient for the Logic App to access the API App. I then configured Authentication / Authorization for the API App to use Azure Active Directory (express), creating an AD Azure App.
I believe the issue will be one of configuring security which is all pretty new to me in Azure. I'd like to make the API App inaccessible externally, but available to Web Apps and Logic Apps within my Azure subscription.
I've not added any authentication mechanism to the ASP.NET web application itself as I figured the web application would effectively be sitting in a private network on Azure. Perhaps this is a bad assumption and I need to add authentication to allow Azure AD to work?
Any pointers / suggestions?
Turns out I needed to update the Azure SDK for Visual Studio. I had an older version that was deploying a preview API App, which resulted in an "Api app host" type being deployed rather than an "API app" type.
Everything works after the update and I've found some documentation for securing the API App and making it available in the Logic App - https://azure.microsoft.com/en-us/documentation/articles/app-service-logic-custom-hosted-api/

Can HttpClient on an Azure WebRole with only internal endpoints call out to an external URL?

I have an Azure solution containing an MVC application, hosting some Web API controllers that constitute a RESTful API, and a back end WCF service. The MVC app is on a Web Role with a public http endpoint. The WCF application is on another Web Role, with no public endpoints. The MVC app communicates with the WCF service using a ChannelFactory over a discovered internal http endpoint.
I would like to keep this configuration, but I need a component within the WCF service implementation to be able to call a method on the RESTful API, using HttpClient.
My question is: with only an internal endpoint, does my back end web role have the connectivity to allow HttpClient to work like this?
At first glance I would not expect it to, but I note that it does have the capability to use the Azure Storage Client library to obtain resources from Azure Blob and Table storage, and I believe these calls are executed using http to an external URL (unless Azure does something clever to enable these calls under the hood).
Internal endpoints are for inbound traffic. Your WCF service, in turn, can absolutely make outbound calls. As you've already noticed, you're using the storage client library, and storage is a separate endpoint (RESTful, in fact), not a part of your deployed cloud service.
