We are using Azure Logic Apps with webhooks.
The webhooks are calling some APIs (service fabric backend - but this shouldn't matter) via Azure APIM. On completing the specific job, the APIs call the Logic App's webhook callback - just by the book.
On the other hand, there is an IP range limitation set up on LA's triggers. Everything was working fine until recently - for just some of our environments, sometimes the callback calls from the APIs fail - apparently because the IP is not recognized by the Logic App.
First question: why (is) the restriction applied also for callbacks - those are not actual triggers?
Second question: how is it possible that the callbacks still work in some of our environments, having the same restrictions applied?
As for the IP Restrictions, the gateway through which all incoming requests are processed is the same for both the Request Connector and the HTTP WebHook Connector. While you may be using the action here, there is a WebHook Trigger that works in a similar fashion but as a trigger instead.
As for why you are getting failures at times would depend on how requests are being routed from your APIs to Logic Apps. One way to ensure access just from a single IP is to route these callbacks to APIM and let APIM forward the request to your Logic Apps. This way, all requests to your Logic Apps would be coming from APIM.
To route the callback requests through APIM, you will need a special API/Operation in APIM that will forward requests to the URL passed in the header or a query parameter.
So instead of directly calling the callback URL, you will call this APIM endpoint with the callback URL in a custom header or as a query parameter. The APIM policy for this operation will use the set-backend-service and rewrite-uri policies to forward this call to the logic apps endpoint.
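
The forwarding operation described in the answer above, as an added example that is not part of the original answer: because the destination comes from the caller, the policy checks it before forwarding so the operation cannot be used to relay requests to arbitrary hosts. Assumptions: the header name `X-Callback-Url` is hypothetical, and the host pattern assumes callback URLs under `logic.azure.com`; pin it to your own Logic App hosts where possible.

```xml
<!-- Added example: inbound policy for a dedicated callback-forwarding operation in APIM. -->
<policies>
    <inbound>
        <base />
        <!-- Assumption: the API passes the Logic App callback URL in this (hypothetical) header. -->
        <set-variable name="callbackUrl"
                      value="@(context.Request.Headers.GetValueOrDefault("X-Callback-Url", ""))" />
        <choose>
            <!-- Reject anything that is not HTTPS to an allowed Logic Apps host.
                 The host class excludes '/', '@' and ':' so the suffix check cannot be
                 bypassed with userinfo or path tricks. Assumed host suffix: logic.azure.com. -->
            <when condition="@(!Regex.IsMatch((string)context.Variables["callbackUrl"], "(?i)^https://[a-z0-9.-]+\\.logic\\.azure\\.com(:443)?/"))">
                <return-response>
                    <set-status code="400" reason="Bad Request" />
                    <set-body>Callback URL is missing or not an allowed Logic Apps endpoint.</set-body>
                </return-response>
            </when>
        </choose>
        <!-- Scheme + host (+ port) of the validated URL becomes the backend. -->
        <set-backend-service
            base-url="@(Regex.Match((string)context.Variables["callbackUrl"], "^https://[^/]+").Value)" />
        <!-- Path and query (including the sig parameter) become the request URI;
             query parameters of the inbound APIM call are not appended. -->
        <rewrite-uri
            template="@(Regex.Replace((string)context.Variables["callbackUrl"], "^https://[^/]+", ""))"
            copy-unmatched-params="false" />
        <!-- Do not pass the relay header on to the Logic App. -->
        <set-header name="X-Callback-Url" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this in place, the Logic App's IP restriction only needs to allow the APIM outbound address, and the callback URL's signature should be treated as a secret in APIM logs and traces.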