Configure Logic Apps (Standard) with VNet and Private Endpoint

If you’re using Azure Logic Apps to automate your workflows, you might want to secure your communications by running them inside a virtual network (VNet). A VNet provides a private and isolated environment where your Logic Apps can connect to your on-premises resources or other resources running in Azure, such as VMs or databases.

In this post, I’d like to share a solution we found when working with a VNet alongside a Logic App and Azure Storage using Private Endpoints. While the issue might seem common and simple, we found the information online not to be very clear. Therefore, I hope to shed some light on the solution in this article.

For the main part, you can follow Microsoft's guide: Deploy Standard logic apps to private storage accounts – Azure Logic Apps | Microsoft Learn.

Connect to storage behind Private Endpoints

Assuming you have a Logic App and want to use private storage, it's important to note that you will need VNet integration for that. It's a common misunderstanding that configuring a Private Endpoint for your Azure resource makes it part of your VNet. This is not the case! A Private Endpoint only lets your resource receive requests from the VNet; the traffic flows one way. The same applies to a Logic App behind a Private Endpoint: it does not allow the Logic App to initiate connections into the VNet. So, to make private storage possible, you need to enable VNet integration for the Logic App's outbound traffic.

So, make sure you enable VNet Integration on the Logic App.

Necessary Logic App Configuration settings

After enabling VNet Integration, there are still some properties that need to be set manually for the Logic App to work. Under the Configuration tab, add the following app settings.

...
{
  "name": "WEBSITE_CONTENTOVERVNET",
  "value": "1",
  "slotSetting": false
},
{
  "name": "WEBSITE_DNS_SERVER",
  "value": "xx.xx.xx.xx",
  "slotSetting": false
},
{
  "name": "WEBSITE_DNS_ALT_SERVER",
  "value": "xx.xx.xx.xx",
  "slotSetting": false
},
...

Use your primary and secondary private DNS servers here if the infrastructure is configured with private DNS. If you haven't explicitly configured private DNS, you may need to use Azure's magical virtual IP 168.63.129.16 as both the primary and the secondary DNS server. More about this address here: What is IP address 168.63.129.16? | Microsoft Learn.

NB: Always use the private DNS servers if they are available, because companies often block Microsoft's 168.63.129.16 IP.

That’s it

Enjoy your secured Logic App with private storage over Private Endpoints.

Common problems

Error: System.Private.CoreLib: Access to the path ‘C:\home\site\wwwroot\host.json’ is denied.

When this error occurs, it means that your Logic App cannot connect to your storage account. Make sure that VNet Integration is enabled and the configuration settings are set correctly. Also double-check the DNS configuration: make sure you're using the appropriate DNS servers for the VNet.

Error: Cannot reach host runtime. Error details, Code: ‘BadRequest’, Message: ‘Encountered an error (InternalServerError) from host runtime.’

The Logic App runtime reads its content from a file share in Azure Storage (the Azure Files protocol), so make sure the following things are in place:

  • A Private Endpoint for the file sub-resource of the storage account is enabled and working properly
  • The WEBSITE_CONTENTAZUREFILECONNECTIONSTRING property is configured properly
  • The file share configured in the WEBSITE_CONTENTSHARE property exists and is available as a file share under the Storage Account (check via Storage Browser)

This error can be caused by a wide variety of issues; one of them might be a wrongly configured workflow that is being deployed.
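The app settings above and the checklist in this section can be verified before deploying. The following script is an added example, not code from the post or from Microsoft: it encodes the post's guidance as an offline check over a settings export in the name/value/slotSetting shape shown above (assumption: the JSON array the portal's Advanced edit view shows, or what `az logicapp config appsettings list` returns). The sample settings, the DNS server 10.0.0.4, the storage account name and the connection string are constructed placeholders; the share-name rule and the private-IP classification are general Azure Files and RFC 1918 rules, not something the post states.

```python
"""Offline sanity check for Logic Apps (Standard) app settings when the
runtime must reach its content share over a private endpoint.
Added example; the checks mirror the blog post's guidance, they are not an
official validator."""
import ipaddress
import json
import re
import socket
import sys

AZURE_DNS_VIP = "168.63.129.16"  # Azure-provided DNS, the "magical" IP the post mentions
REQUIRED = (
    "WEBSITE_CONTENTOVERVNET",
    "WEBSITE_DNS_SERVER",
    "WEBSITE_DNS_ALT_SERVER",
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
    "WEBSITE_CONTENTSHARE",
)
# Azure Files share names: 3-63 chars, lowercase letters, digits, single hyphens,
# starting and ending with a letter or digit.
SHARE_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9]|-(?=[a-z0-9])){2,62}$")


def settings_to_dict(settings):
    """Collapse the portal/CLI name-value list into a dict (later entries win)."""
    return {s["name"]: str(s.get("value", "")) for s in settings}


def dns_server_problem(value):
    """Return None when value is usable as WEBSITE_DNS_SERVER, otherwise a reason."""
    if not value or set(value.lower()) <= set("x."):
        return "placeholder or empty value; fill in the VNet's DNS server"
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return f"{value!r} is not an IP address"
    if str(ip) == AZURE_DNS_VIP or ip.is_private:
        return None
    return f"{value} is a public address; expected a private DNS server or {AZURE_DNS_VIP}"


def check_settings(settings):
    """Return a list of findings; an empty list means the post's prerequisites look satisfied."""
    cfg = settings_to_dict(settings)
    findings = [f"{k} is missing" for k in REQUIRED if k not in cfg]
    if "WEBSITE_CONTENTOVERVNET" in cfg and cfg["WEBSITE_CONTENTOVERVNET"] != "1":
        findings.append('WEBSITE_CONTENTOVERVNET must be "1" so the content share is reached over the VNet')
    for key in ("WEBSITE_DNS_SERVER", "WEBSITE_DNS_ALT_SERVER"):
        if key in cfg:
            problem = dns_server_problem(cfg[key])
            if problem:
                findings.append(f"{key}: {problem}")
    conn = cfg.get("WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "")
    if conn and not ("AccountName=" in conn and ("AccountKey=" in conn or "SharedAccessSignature=" in conn)):
        findings.append("WEBSITE_CONTENTAZUREFILECONNECTIONSTRING does not look like a storage connection string")
    share = cfg.get("WEBSITE_CONTENTSHARE", "")
    if share and not SHARE_NAME_RE.match(share):
        findings.append(f"WEBSITE_CONTENTSHARE {share!r} is not a valid Azure Files share name")
    return findings


def resolves_to_private_ip(fqdn, resolve=socket.gethostbyname):
    """True when fqdn resolves to a private address, which is what you expect when the
    storage account's private DNS zone is in effect (the private endpoint NIC lives in
    the VNet address space). `resolve` is injectable so the check can be run against a
    recorded answer, e.g. one taken from the Logic App's Kudu console."""
    try:
        ip = ipaddress.ip_address(resolve(fqdn))
    except (socket.gaierror, ValueError):
        return False
    return ip.is_private


# Constructed sample in the same shape as the post's snippet (all values are fake).
SAMPLE_SETTINGS = [
    {"name": "WEBSITE_CONTENTOVERVNET", "value": "1", "slotSetting": False},
    {"name": "WEBSITE_DNS_SERVER", "value": "10.0.0.4", "slotSetting": False},
    {"name": "WEBSITE_DNS_ALT_SERVER", "value": AZURE_DNS_VIP, "slotSetting": False},
    {"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
     "value": "DefaultEndpointsProtocol=https;AccountName=examplestorage;"
              "AccountKey=FAKEKEY000=;EndpointSuffix=core.windows.net",
     "slotSetting": False},
    {"name": "WEBSITE_CONTENTSHARE", "value": "logicapp-content", "slotSetting": False},
]

if __name__ == "__main__":
    # Usage: python check_logicapp_settings.py < settings.json  (falls back to the sample)
    settings = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SETTINGS
    problems = check_settings(settings)
    print("\n".join(problems) if problems else "app settings look consistent with the post's guidance")
```

Run it against a real export to catch the two mistakes the post's error section points at: the placeholder DNS values left in place (the host.json access-denied error) and a content share name or connection string that cannot match an existing share (the host runtime error). The resolver check is deliberately separate, because it only says something when it is run from inside the VNet-integrated app, not from your workstation.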


Comments

2 responses to “Configure Logic Apps (Standard) with VNet and Private Endpoint”

  1. Other things to note:
    – In your Storage Account, ensure the setting "Enabled from selected virtual networks and IP addresses" is on and the subnet your App is integrated with is included in the list. Go to your App, look at the Private Endpoint, and check the subnet it's integrated with.
    – Under Access Restriction under the App, turn off Public Access
    – In the Storage account, enable the relevant roles for your App if they need access to read/write. For example, Storage Blob Data Contributor and Storage Queue Data Contributor. This is especially important if your App needs to get triggered by a Blob. The ‘Queue’ role here is also needed for Blob triggers.
    – Enable Microsoft routing. Enable “Allow Azure services on the trusted services list to access this storage account”

    There are other ways to further lock this down, such as 'Disable public access' in the Storage Account and permitting route-specific endpoints. I didn't go that far.

    The storage account setting “Enabled from selected virtual networks and IP addresses” is somewhat misleading. I want my storage account secure and only allow access from VNet integrated Apps. The IP address firewall setting can include your local workstation IP and nobody else. The misleading part is ‘public’ = whole internet and in cases like this, you just want to limit access to select IP addresses that are in the public domain (you).

  2. Pushpendra

    Hello JEFFREY,
    Followed all the above-mentioned steps but still getting this error:
    System.Private.CoreLib: The network path was not found. : ‘C:\home\data\Functions\secrets\Sentinels’
