Logic Apps connector outgoing ips incorrect

Question

Logic Apps connector outgoing ips incorrect

Michał Dębski 0

Hi, I am trying to restrict access to a key vault to only ip addresses used by a logic app (we are using terraform to automate this, but it's irrelevant). My logic app is in polandcentral and key vault in westeurope which I think might be causing problems. If I check properties of the logic app for ips this is what I see

User's image

but when executing actions to access key vault I get a forbidden error. I enabled diagnostics logs in the key vault to see the errors and the caller ip is different than the above (or the indicated runtime ips)
User's image

Is this a bug? Do you know how I can restrict access only to the logic app network?

1 answer

Your answer

Answer 1

Deepanshu katara 16,565 MVP Moderator

hello , welcome to MS Q&A

Yes, you can achieve this in Azure Key Vault. Simply go to the Networking section of your Key Vault and whitelist the public IP addresses of your Logic App by adding them. Follow the steps shown in the images below:

Navigate to your Key Vault in the Azure portal.
Select Networking from the menu.
Under Firewall and virtual networks, add the public IP addresses associated with your Logic App.
Save the changes to allow access from these specific IP addresses.

This will ensure that only requests from the whitelisted Logic App IP addresses can access your Key Vault.

Please check below Image and links -->https://learn.microsoft.com/en-us/azure/key-vault/general/network-security?WT.mc_id=Portal-Microsoft_Azure_KeyVault

User's image

kindly accept answer if it helps

Please let us know if any further questions

Thanks

Deepanshu

Michał Dębski 0 Reputation points

2024-10-23T12:04:38.09+00:00

Yes, I have whitelisted those IPs, but as you can see it uses a different ip then the one in logic app properties: 20.215.144.X vs 20.215.155.0. Now, I don't know if this is the only ip address to whitelist or is it using a pool of addresses (like in the properties) and I should whitelist more.
Deepanshu katara 16,565 Reputation points MVP Moderator

2024-10-23T13:34:25.9133333+00:00

You need to whitelist the outbound Public IP of your logic apps
Deepanshu katara 16,565 Reputation points MVP Moderator

2024-10-23T13:34:45.59+00:00

Try doing for both
Michał Dębski 0 Reputation points

2024-10-23T13:37:36.2133333+00:00

I did, but logic app uses a different ip. And a side note, for accessing key vault I have always used connector outbound ip and when the logic app was deployed to westeurope it worked. It does not work in polandcentral though.
Deepanshu katara 16,565 Reputation points MVP Moderator

2024-10-23T15:16:20.95+00:00

These are the connector outbound IP address for logic app try to add these all if we are making outbound connection from logic app to key vault

Please check this doc for all location outbound IP address https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-limits-and-config?tabs=consumption#firewall-ip-configuration
Michał Dębski 0 Reputation points

2024-10-24T11:39:53.27+00:00

This is exactly the problem, I've added those ips, and a couple more (you missed ips for connector outbound traffic), but in reality logic app uses an ip not on this list: 20.215.155.0
Thomas Johnson 66 Reputation points

2025-03-20T20:24:47.4733333+00:00

The document sites are outdated. Including the properties page of the Logic apps themselves! Recently we had issue where our SFTP Connectors started to fail because Azure added IPs to the region. But when I looked the property, Connector outgoing IP Address, it wasn't updated. Nor were the "official" Azure connector sites mentioned above. We found a Json file you can download from a MS site that was recently updated, and it had the missing IPs. Once we used that list it worked.
https://www.microsoft.com/en-us/download/details.aspx?id=56519&lc=1033

Share via

Logic Apps connector outgoing ips incorrect

1 answer

Your answer