With Azure API Management (Azure APIM), we can expose Logic Apps in a managed way, allowing us to take control through policies, add security, provide decoupling between frontend and backend, and much more.
The first thing you should be aware of is that, out of the box, you can only expose on your APIM an Azure Logic App that exposes an HTTP endpoint and is inside your Azure Subscription. You should also be aware of the various options for Azure API Management Monitoring to ensure your resource is healthy and working as expected.
📝 One-Minute Brief
A practical whitepaper that walks you through exposing Logic Apps through Azure API Management and securing them with APIM policies. It explains how to publish Logic Apps as APIs, restrict access, enforce IP filtering, prevent direct calls to Logic Apps, and document your API operations—all while improving governance, security, and standardization in your integration landscape.
Once you expose Logic Apps through APIM, there are several options to protect the Logic Apps regarding authorized clients and IP address restrictions.
In this whitepaper, I try to explain the step-by-step process of exposing and protecting the Logic Apps with APIM.
What’s in store for you?
This whitepaper will give you a detailed understanding of the following:
- Expose and restrict access to the Logic App
  - Step-by-step process on how you can publish your Logic App in Azure API Management (APIM), or if you prefer, how you can protect your Logic App using APIM.
  - How to limit incoming IP addresses for a specific Logic App
  - How you will be able to protect your Logic App from improper access, i.e., if we are exposing the Logic App through APIM, we may want to enforce that all the communication goes through APIM and restrict access to the Logic App, for example, avoiding direct calls to the Logic App (without passing through APIM).
- Exposing multiple Logic Apps in a single API
  - In this chapter, I will address the following questions:
    - If we have one or more Logic Apps that we want to expose on APIM as an API, do we need to have several APIs with one operation? Or can we combine them in a unique API?
    - What about implementing a proper REST naming convention on these APIs? Is it possible?
- Delete a Logic App exposed as an API or Operation
  - And finally, how can we delete a Logic App exposed as an API? You may be thinking that this is basic information and a straightforward task. Indeed, it is, and you are right that it is an effortless and straightforward operation, at least at first glance. But like most things, nothing is that simple if you look closer.
- Descriptions
  - How can you easily document your API operations without requiring the traditional Word/PDF documents that can quickly become deprecated and obsolete? We will address the global API Description and the API Operation Description.
- Tags and Headers
  - How can you easily document your API operations without requiring the traditional Word/PDF documents that can quickly become deprecated and obsolete? We will address the use of Tags and Headers.
Where can I download it?
You can download the whitepaper here:
I hope you enjoy reading this paper, and any comments or suggestions are welcome.
Hope you find this helpful! If you liked the content or found it useful and would like to support me in writing more, consider buying (or helping to buy) a Star Wars Lego set for my son.
