Reputation: 2079
I would like to deploy an Azure Logic App that is integrated with a virtual network using Terraform. The resource group, the virtual network and the storage account are already created. In the main.tf file, I create the Workflow Standard App Service plan for the Logic App:
resource "azurerm_service_plan" "example" {
  name                = "example-service-plan"
  resource_group_name = var.resource_group_name
  location            = var.location
  os_type             = "Windows"
  sku_name            = "WS1"
}

resource "azurerm_logic_app_standard" "example" {
  name                       = "example-logic-app"
  resource_group_name        = var.resource_group_name
  location                   = var.location
  # must reference the azurerm_service_plan resource declared above
  app_service_plan_id        = azurerm_service_plan.example.id
  storage_account_name       = var.storage_account_name
  storage_account_access_key = var.storage_account_access_key
  public_network_access      = "Disabled"
  virtual_network_subnet_id  = azurerm_subnet.example.id
}
It uses the already created storage account (also integrated with the virtual network) and resource group. Next, I would like to integrate both the inbound and outbound traffic for the Logic App, which looks as follows:
# Inbound traffic
resource "azurerm_private_endpoint" "example" {
  name                = "example-endpoint"
  resource_group_name = var.resource_group_name
  location            = var.location
  subnet_id           = var.logicapp_private_endpoint_subnet_id

  private_service_connection {
    name                           = "example-privateserviceconnection"
    private_connection_resource_id = azurerm_logic_app_standard.example.id
    subresource_names              = ["<logicapp_subresource_name>"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "example-dns-zone-group"
    private_dns_zone_ids = [var.logicapp_private_dns_zone_id]
  }
}

# Outbound traffic
resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.virtual_network_name
  address_prefixes     = ["10.0.1.0/27"]

  delegation {
    name = "delegation"

    service_delegation {
      name    = "<logicapp_service_delegation>"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
    }
  }
}
I have found the list of sub-resource names in the Private-link resource documentation. However, I can't figure out which subresource_names value to use for the private service connection.
Regarding the outbound traffic, the Secure traffic between Standard logic apps and Azure virtual networks using private endpoints documentation says that I must use /27 as the minimum subnet size, but I didn't find what the necessary service delegation is.
Upvotes: 0
Views: 43
Reputation: 2401
> Subresource to select when integrating virtual network to Azure Logic App
When you are trying to provision a standard logic app, you need to specify the subresource type as "sites" and the required delegation of type "Microsoft.Web/serverFarms" for the subnet.
To achieve the requirement with the setup you mentioned, make sure you follow the steps below.
Create the VNet and subnets as specified below:
az network vnet create --name test-vnet --resource-group test-rg --location eastus2 --address-prefix 10.0.0.0/16
az network vnet subnet create --name logicapp-subnet --resource-group test-rg --vnet-name test-vnet --address-prefixes 10.0.1.0/27 --delegations Microsoft.Web/serverFarms
az network vnet subnet create --name private-endpoint-subnet --resource-group test-rg --vnet-name test-vnet --address-prefixes 10.0.2.0/27
Now create a Private DNS Zone for Logic Apps and link it to the VNet:
az network private-dns zone create --resource-group test-rg --name privatelink.logic.azure.com
az network private-dns link vnet create --resource-group test-rg --zone-name privatelink.logic.azure.com --name logicapp-dns-link --virtual-network test-vnet --registration-enabled false
Now configure the logic app for your requirement with the subresource type set to "sites", since we are trying to provision a standard logic app.
Deployment:
# Resource group data source referenced below; it was missing from the original listing
data "azurerm_resource_group" "example" {
  name = var.resource_group_name
}

data "azurerm_virtual_network" "example" {
  name                = var.virtual_network_name
  resource_group_name = data.azurerm_resource_group.example.name
}

data "azurerm_subnet" "logicapp_subnet" {
  name                 = var.logicapp_subnet_name
  virtual_network_name = data.azurerm_virtual_network.example.name
  resource_group_name  = data.azurerm_resource_group.example.name
}

data "azurerm_subnet" "private_endpoint_subnet" {
  name                 = var.private_endpoint_subnet_name
  virtual_network_name = data.azurerm_virtual_network.example.name
  resource_group_name  = data.azurerm_resource_group.example.name
}

resource "azurerm_service_plan" "example" {
  name                = "csasasc-service-plan"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = var.location
  os_type             = "Windows"
  sku_name            = "WS1"
}

resource "azurerm_logic_app_standard" "example" {
  name                       = "easca-logic-app"
  resource_group_name        = data.azurerm_resource_group.example.name
  location                   = var.location
  app_service_plan_id        = azurerm_service_plan.example.id
  storage_account_name       = var.storage_account_name
  storage_account_access_key = var.storage_account_access_key
  # outbound: integrate with the subnet delegated to Microsoft.Web/serverFarms
  virtual_network_subnet_id  = data.azurerm_subnet.logicapp_subnet.id
  public_network_access      = "Disabled"
}

# inbound: private endpoint on the "sites" subresource of the standard logic app
resource "azurerm_private_endpoint" "logicapp_pe" {
  name                = "logicapp-private-endpoint"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = var.location
  subnet_id           = data.azurerm_subnet.private_endpoint_subnet.id

  private_service_connection {
    name                           = "logicapp-privateserviceconnection"
    private_connection_resource_id = azurerm_logic_app_standard.example.id
    subresource_names              = ["sites"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "logicapp-dns-zone-group"
    private_dns_zone_ids = [var.private_dns_zone_id]
  }
}
This configuration fully supports both inbound and outbound VNet integration for Azure Logic App Standard by enabling a private endpoint with the subresource "sites", combined with VNet integration of the app.
Refer:
What is a private endpoint? - Azure Private Link | Microsoft Learn
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource
Upvotes: 0
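As an added example (not code from either post above): a Python check run over the JSON that `terraform show -json <planfile>` produces, which flags a plan that drops any of the settings the answer relies on: public network access disabled, a private endpoint on subresource "sites" with a DNS zone group, and an integration subnet of at least /27 delegated to Microsoft.Web/serverFarms. The plan JSON embedded below is constructed for the example; its layout (list blocks as JSON arrays under `values`) follows what terraform emits, and the subscription paths are placeholders.

```python
import ipaddress
import json

# Constructed stand-in for `terraform show -json tfplan` output (not from the post); only fields the checks read.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"type": "azurerm_subnet", "name": "logicapp_subnet", "values": {"name": "logicapp-subnet",
        "address_prefixes": ["10.0.1.0/27"], "delegation": [{"service_delegation": [{"name": "Microsoft.Web/serverFarms"}]}]}},
    {"type": "azurerm_subnet", "name": "pe_subnet", "values": {"name": "private-endpoint-subnet",
        "address_prefixes": ["10.0.2.0/27"], "delegation": []}},
    {"type": "azurerm_logic_app_standard", "name": "example", "values": {"public_network_access": "Disabled",
        "virtual_network_subnet_id": "/subscriptions/placeholder/.../subnets/logicapp-subnet"}},
    {"type": "azurerm_private_endpoint", "name": "logicapp_pe", "values": {
        "private_service_connection": [{"subresource_names": ["sites"]}],
        "private_dns_zone_group": [{"private_dns_zone_ids": ["/subscriptions/placeholder/.../zone"]}]}}]}}})
# Same plan with two settings weakened (public access on, subnet shrunk to /28) to show the checks firing.
BAD_PLAN = SAMPLE_PLAN.replace('"Disabled"', '"Enabled"').replace("10.0.1.0/27", "10.0.1.0/28")

def check_plan(plan_json):
    """Return a list of findings; an empty list means the plan passes every check."""
    findings, by_type = [], {}
    for r in json.loads(plan_json)["planned_values"]["root_module"]["resources"]:
        by_type.setdefault(r["type"], []).append(r)
    integration_subnets = set()  # subnet names the logic apps use for outbound VNet integration
    for app in by_type.get("azurerm_logic_app_standard", []):
        v = app["values"]
        if v.get("public_network_access") != "Disabled":
            findings.append(f"{app['name']}: public_network_access must be Disabled")
        subnet_id = v.get("virtual_network_subnet_id")  # absent in the plan when only known after apply
        if not subnet_id:
            findings.append(f"{app['name']}: virtual_network_subnet_id not set (no outbound VNet integration)")
        elif "/subnets/" in subnet_id:
            integration_subnets.add(subnet_id.rsplit("/subnets/", 1)[1])
    for pe in by_type.get("azurerm_private_endpoint", []):  # inbound path
        conns = pe["values"].get("private_service_connection", [])
        if not any(c.get("subresource_names") == ["sites"] for c in conns):
            findings.append(f"{pe['name']}: subresource_names must be [\"sites\"] for a standard logic app")
        if not pe["values"].get("private_dns_zone_group"):
            findings.append(f"{pe['name']}: no private_dns_zone_group, so the private IP will not resolve")
    for sn in by_type.get("azurerm_subnet", []):
        v = sn["values"]
        if v.get("name") not in integration_subnets:
            continue  # only the delegated integration subnet needs the size and delegation checks
        for prefix in v.get("address_prefixes", []):
            if ipaddress.ip_network(prefix).prefixlen > 27:
                findings.append(f"{sn['name']}: {prefix} is smaller than the /27 minimum")
        names = [sd.get("name") for d in v.get("delegation", []) for sd in d.get("service_delegation", [])]
        if "Microsoft.Web/serverFarms" not in names:
            findings.append(f"{sn['name']}: missing Microsoft.Web/serverFarms delegation")
    return findings
```

Run it in CI after `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and fail the pipeline when `check_plan` returns any finding.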