ruper . blog

Insights on Cloud Architecture and Solutions from the Field

Automating IP Restriction Updates for Azure Logic Apps

June 22, 2025

logic apps azure functions serverless automation azure

Keeping Logic Apps secure and compliant with Microsoft’s evolving IP ranges can be a challenge. I've come up with a solution that uses Azure Functions to automatically update the allowed IP address lists for Azure Logic Apps, ensuring that only trusted Azure services can invoke them.

How it works

This solution leverages Azure Functions to automate the process of updating IP restrictions for Logic Apps. It uses Azure Resource Graph to discover Logic Apps tagged with update-allowed-ip-ranges=automatic, retrieves the latest service tag IP ranges, and updates the Logic Apps' access control configurations accordingly.


  • Tag-driven automation: Logic Apps tagged with update-allowed-ip-ranges=automatic are automatically discovered using Azure Resource Graph.
  • Daily updates: A scheduled Azure Function queries for these Logic Apps and places a message in an Azure Storage Queue for each one.
  • Dynamic IP retrieval: A queue-triggered Azure Function fetches the latest service tag IP ranges (e.g., for Dynamics365) for the Logic App’s region using the Azure Network Management API.
  • Access control update: The function updates each Logic App’s access control configuration, either merging or replacing the allowed IPs, based on a configurable setting.
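The merge-or-replace step above, sketched as an added Python example (not code from the GitHub repository). It assumes the service tag listing exposes values[].name and properties.addressPrefixes, that the allowlist lives under accessControl.triggers.allowedCallerIpAddresses, and that the setting takes the hypothetical values "merge" and "replace"; all sample data is constructed.

```python
import ipaddress

def tag_prefixes(service_tags: dict, tag_name: str) -> list[str]:
    """Return the addressPrefixes of one service tag from a service tag listing."""
    for entry in service_tags.get("values", []):
        if entry.get("name", "").lower() == tag_name.lower():
            return list(entry["properties"]["addressPrefixes"])
    raise LookupError(f"service tag {tag_name!r} not in listing")

def _canonical(range_str: str) -> str:
    """Normalise CIDR text; leave other forms (e.g. 'a-b' ranges) untouched."""
    try:
        return str(ipaddress.ip_network(range_str.strip(), strict=False))
    except ValueError:
        return range_str.strip()

def plan_update(workflow_props: dict, prefixes: list[str], mode: str = "merge") -> dict:
    """Compute the new trigger allowlist plus an audit diff; makes no Azure calls."""
    if mode not in ("merge", "replace"):  # hypothetical setting values
        raise ValueError("mode must be 'merge' or 'replace'")
    triggers = workflow_props.get("accessControl", {}).get("triggers", {})
    current = {_canonical(e["addressRange"])
               for e in triggers.get("allowedCallerIpAddresses", [])}
    fresh = {_canonical(p) for p in prefixes}
    if not fresh:
        # Design choice of this example: never build an allowlist from an empty tag result.
        raise RuntimeError("service tag returned no prefixes; refusing to update")
    target = current | fresh if mode == "merge" else fresh
    return {
        "allowedCallerIpAddresses": [{"addressRange": r} for r in sorted(target)],
        "added": sorted(target - current),      # log these for review
        "removed": sorted(current - target),    # non-empty only in replace mode
    }

# Constructed sample data (documentation address ranges, not real Azure prefixes)
SAMPLE_TAGS = {"values": [{"name": "Dynamics365", "properties": {
    "addressPrefixes": ["198.51.100.0/24", "203.0.113.0/25"]}}]}
SAMPLE_PROPS = {"accessControl": {"triggers": {"allowedCallerIpAddresses": [
    {"addressRange": "203.0.113.0/25"}, {"addressRange": "192.0.2.10-192.0.2.20"}]}}}

if __name__ == "__main__":
    for mode in ("merge", "replace"):
        plan = plan_update(SAMPLE_PROPS, tag_prefixes(SAMPLE_TAGS, "Dynamics365"), mode)
        print(mode, "added:", plan["added"], "removed:", plan["removed"])
```

In replace mode the manually added range 192.0.2.10-192.0.2.20 is dropped, so the "removed" list is worth logging before the update is written.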

Benefits

  • Ensures Logic Apps always use the latest Microsoft IP ranges.
  • Scales easily to many Logic Apps—just add the tag.
  • Reduces manual maintenance and risk of outdated allowlists.

Getting Started

For more information on how to deploy the solution, please refer to the GitHub repository. It contains detailed instructions on setting up the Azure Functions, configuring the Logic Apps, and managing the IP restrictions effectively.