End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Use Private Endpoints for Azure Logic Apps

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that private endpoints are configured for Microsoft Azure Logic Apps (Standard) so that clients and services reach the Logic App only through an Azure Private Link connection, which carries traffic over the Microsoft backbone network instead of the public Internet.

Security

Using private endpoints for Microsoft Azure Logic Apps enables access over Azure Private Link. The private endpoint takes a private IP address from your virtual network, so traffic between clients on that network and the Logic App stays on the Microsoft Azure backbone and never traverses the public Internet. A private endpoint by itself does not close the public endpoint: the Public network access setting must also be set to Disabled, which is why both the Audit and the Remediation steps below check that setting first. Together, the two settings remove the Logic App's public attack surface and restrict inbound access to approved private endpoint connections, which also helps satisfy regulatory requirements and organizational policies that mandate strict network access controls. Note that private endpoints apply to the Logic App (Standard) resource type and govern inbound traffic only; outbound calls from workflows to other services are controlled separately through virtual network integration, and the Consumption (multi-tenant) Logic App type does not support private endpoints.


Audit

To determine if network access to Azure Logic Apps is allowed via private endpoints only, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Logic App (Standard) for Value, then choose Apply to list the Azure Logic Apps available in the selected subscription.

05 Click on the name (link) of the Azure Logic App that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected Azure Logic App.

07 In the Inbound traffic configuration section, perform the following actions:

  1. Check the Public network access configuration attribute to determine the level of access configured for the selected Logic App. If Public network access is set to Disabled, network access via public endpoints or selected networks is disabled, therefore, you can continue the Audit process with the next step. Otherwise, the Logic App still accepts connections through its public endpoint (from all networks or from selected networks), so it does not meet the private-endpoints-only requirement and the Audit process for this resource stops here.
  2. Check the Private endpoints attribute value to identify any private endpoints configured for your Logic App. If Private endpoints is set to 0 private endpoints, there are no private endpoint connections attached, therefore, the selected Microsoft Azure Logic App is not configured to allow network access via private endpoints only.

08 Repeat steps no. 5 – 7 for each Azure Logic App available in the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run logicapp list command (Windows/macOS/Linux) with custom output filters to list the name of each Azure Logic App available in the selected subscription:

az logicapp list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Azure Logic App names:

Name                      ResourceGroup
-----------------------   ------------------------------
cc-project5-logic-app     cloud-shell-storage-westeurope
cc-trendmicro-logic-app   cloud-shell-storage-westeurope

06 Run logicapp show command (Windows/macOS/Linux) with the name of the Azure Logic App that you want to examine as the identifier parameter and custom output filters to determine if the public network access to the selected Logic App is disabled:

az logicapp show
	--name cc-project5-logic-app
	--resource-group cloud-shell-storage-westeurope
	--query '{publicNetworkAccess:publicNetworkAccess}'

07 The command output should return the status of the "publicNetworkAccess" setting configured for the selected resource:

{
	"publicNetworkAccess": "Disabled"
}

If the command output returns "Disabled" for "publicNetworkAccess", as shown in the example above, network access via public endpoints or selected networks is disabled, therefore, you can continue the Audit process with the next step. Otherwise ("Enabled", or an empty value, which means the default of public access enabled), the Logic App still accepts connections through its public endpoint, so it does not meet the private-endpoints-only requirement and the Audit process for this resource stops here.

08 Run logicapp show command (Windows/macOS/Linux) to describe the private endpoint connections configured for the selected Azure Logic App:

az logicapp show
	--name cc-project5-logic-app
	--resource-group cloud-shell-storage-westeurope
	--query '{"privateEndpointConnections":privateEndpointConnections}'

09 The command output should return the information available for the configured private endpoints:

{
	"privateEndpointConnections": null
}

If the logicapp show command output returns null for the "privateEndpointConnections" attribute value, there are no private endpoint connections associated with your resource, therefore, the selected Microsoft Azure Logic App is not configured to allow network access via private endpoints only.

10 Repeat steps no. 6 - 9 for each Azure Logic App available within the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each Azure subscription created in your Microsoft Azure cloud account.
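The loop in steps 3 to 11 above can be scripted. The following shell script is an added example and is not part of the original article or of the Conformity product; it assumes the Azure CLI is installed and logged in (az login) with read access to every subscription, and it applies the same two checks as the manual steps: "publicNetworkAccess" must be exactly "Disabled" (an empty value means the default, public access enabled), and "privateEndpointConnections" must contain at least one entry (null counts as zero).

```shell
# Added example (not from the original article): batch audit of every
# Logic App (Standard) in every subscription visible to the logged-in account.
# Assumes: Azure CLI installed, "az login" done, Reader on the subscriptions.
set -eu

# Apply the rule to two values taken from "az logicapp show":
#   $1  publicNetworkAccess  (only the exact value "Disabled" passes; an empty
#       value is the default, which is public access enabled)
#   $2  number of entries in privateEndpointConnections (null counts as 0)
# Prints the verdict and returns 0 when compliant, 1 otherwise.
evaluate_logicapp() {
  public_access="${1:-}"
  pe_count="${2:-0}"
  case "$pe_count" in
    ''|*[!0-9]*) pe_count=0 ;;   # anything that is not a number counts as none
  esac
  if [ "$public_access" != "Disabled" ]; then
    echo "NON-COMPLIANT: publicNetworkAccess is '${public_access:-Enabled (default)}'"
    return 1
  fi
  if [ "$pe_count" -lt 1 ]; then
    echo "NON-COMPLIANT: public access disabled but no private endpoint connections"
    return 1
  fi
  echo "COMPLIANT: public access disabled, $pe_count private endpoint connection(s)"
  return 0
}

# Walk every subscription and every Logic App, exactly as steps 3-11 do by hand,
# and print "subscription/resourceGroup/name: verdict" per app.
audit_all() {
  for sub in $(az account list --query '[*].id' -o tsv); do
    az account set --subscription "$sub"
    # one "name<TAB>resourceGroup" line per Logic App
    az logicapp list --query '[*].[name, resourceGroup]' -o tsv |
    while IFS="$(printf '\t')" read -r name rg; do
      [ -n "$name" ] || continue
      public_access=$(az logicapp show --name "$name" --resource-group "$rg" \
                        --query publicNetworkAccess -o tsv)
      # JMESPath: null || `[]` turns a missing array into an empty one
      pe_count=$(az logicapp show --name "$name" --resource-group "$rg" \
                   --query 'length(privateEndpointConnections || `[]`)' -o tsv)
      printf '%s/%s/%s: ' "$sub" "$rg" "$name"
      evaluate_logicapp "$public_access" "$pe_count" || true
    done
  done
}

# Usage: source this file, then run "audit_all" (or pipe it to grep NON-COMPLIANT).
```

The script counts any private endpoint connection, as the manual step does. A connection that is still pending approval does not yet carry traffic, so for a stricter check inspect the connection state of each private endpoint listed on the Logic App before treating the resource as compliant.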

Remediation / Resolution

To ensure that your Microsoft Azure Logic Apps are accessed exclusively through private endpoint connections, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Logic App (Standard) for Value, then choose Apply to list the Azure Logic Apps available in the selected subscription.

05 Click on the name (link) of the Azure Logic App that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected Azure Logic App.

07 In the Inbound traffic configuration section, set Public network access to Disabled, and choose Save to apply the changes. Once the change is saved, the Logic App no longer accepts connections over its public endpoint; the private endpoint connections created in step 9 become the only way to reach it. Existing callers lose access as soon as you save and regain it only once a private endpoint and its DNS integration are in place, so schedule the two steps together.

08 Back in the Inbound traffic configuration section, click on 0 private endpoints (link) next to Private endpoints.

09 On the Private Endpoint connections page, choose Add, select Advanced, and perform the following actions to create a new private endpoint:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the private endpoint instance in the Name box.
    4. For Region, select the Azure cloud region where the private endpoint instance will be deployed. Your private endpoint must be in the same region as your virtual network (VNet).
    5. Choose Next : Resource > to continue the setup process.
  2. For Resource, select sites from the Target sub-resource dropdown list. Choose Next : Virtual Network > to continue the setup.
  3. For Virtual Network, perform the following operations:
    1. For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your private endpoint.
    2. For Subnet, select the VNet subnet where the private endpoint will be deployed.
    3. (Optional) For Network policy for private endpoints, choose (edit) next to Disabled to configure network policies for the selected VNet subnet.
    4. For Private IP configuration, choose whether to dynamically or statically allocate the private IP address.
    5. (Optional) For Application security group, choose Create to create an Application Security Group (ASG) if required. ASGs allow you to configure network security by grouping Azure resources and defining policies based on these groups.
    6. Choose Next : DNS > to continue.
  4. For DNS, select Yes for Integrate with private DNS zone under Private DNS integration, to integrate your private endpoint with a private DNS zone. For a Logic App (Standard) the zone is privatelink.azurewebsites.net; it must be linked to every virtual network whose clients need to resolve the Logic App's default hostname to the private IP address, otherwise those clients keep resolving the public address and fail once public access is disabled. Ensure that the correct subscription and resource group are selected for the private DNS zone. Choose Next : Tags > to continue the setup.
  5. For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the private endpoint setup.
  6. For Review + create, review the resource configuration details, then choose Create to create your new private endpoint and attach it to the selected Azure Logic App.

10 Repeat steps no. 5 – 9 for each Azure Logic App that you want to configure, available in the selected subscription.

11 Repeat steps no. 3 – 10 for each Azure subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run logicapp list command (Windows/macOS/Linux) with custom output filters to list the name of each Azure Logic App available in the selected subscription:

az logicapp list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Azure Logic App names:

Name                      ResourceGroup
-----------------------   ------------------------------
cc-project5-logic-app     cloud-shell-storage-westeurope
cc-trendmicro-logic-app   cloud-shell-storage-westeurope

06 Run logicapp update command (Windows/macOS/Linux) with the name of the Azure Logic App that you want to configure as the identifier parameter, to disable public network access to the selected Logic App. Once the change is applied, the Logic App no longer accepts connections over its public endpoint, so existing callers lose access until the private endpoint created in step 10 (and its DNS registration) is in place. Private endpoint connections will be the exclusive way to access your Azure Logic App:

az logicapp update
	--name cc-project5-logic-app
	--resource-group cloud-shell-storage-westeurope
	--set publicNetworkAccess="Disabled"
	--query '{publicNetworkAccess:publicNetworkAccess}'

07 The command output should return the "publicNetworkAccess" setting status for the selected Azure Logic App:

{
	"publicNetworkAccess": "Disabled"
}

08 Run logicapp show command (Windows/macOS/Linux) to describe the resource ID for the selected Azure Logic App:

az logicapp show
	--name cc-project5-logic-app
	--resource-group cloud-shell-storage-westeurope
	--query 'id'

09 The command output should return the requested Logic App resource ID:

"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-logic-app"

10 Run network private-endpoint create command (Windows/macOS/Linux) to create and attach a private endpoint to your Microsoft Azure Logic App. Use the --private-connection-resource-id command parameter to specify the Logic App resource ID returned in the previous step:

az network private-endpoint create
	--name cc-private-endpoint
	--resource-group cloud-shell-storage-westeurope
	--vnet-name cc-project5-vnet
	--subnet cc-vnet-subnet-001
	--private-connection-resource-id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-logic-app"
	--connection-name cc-project5-logic-app-private-connection
	--group-id sites
	--location westeurope

11 The command output should return the configuration information for your new private endpoint:

{
	"customDnsConfigs": [
		{
			"fqdn": "cc-project5-logic-app.azurewebsites.net",
			"ipAddresses": [
				"10.0.0.8"
			]
		}
	],
	"customNetworkInterfaceName": "",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-private-endpoint",
	"ipConfigurations": [],
	"location": "westeurope",
	"manualPrivateLinkServiceConnections": [],
	"name": "cc-private-endpoint",
	"networkInterfaces": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-private-endpoint.nic.abcdabcd-1234-abcd-1234-abcdabcdabcd",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"privateLinkServiceConnections": [
		{
			"groupIds": [
				"sites"
			],
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-private-endpoint/privateLinkServiceConnections/cc-project5-logic-app-private-connection",
			"name": "cc-project5-logic-app-private-connection",
			"privateLinkServiceConnectionState": {
				"actionsRequired": "None",
				"description": "",
				"status": "Approved"
			},
			"privateLinkServiceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-logic-app",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
		}
	],
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"subnet": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"type": "Microsoft.Network/privateEndpoints"
}

12 Repeat steps no. 6 - 11 for each Azure Logic App that you want to configure, available within the selected subscription.

13 Repeat steps no. 3 – 12 for each Azure subscription created within your Microsoft Azure cloud account.
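Steps 6 to 11 above create the private endpoint but leave out the DNS wiring that the console flow performs in its DNS step; without it, clients keep resolving the Logic App's public address. The following shell script is an added example, not part of the original article or of the Conformity product. It performs the full remediation for one Logic App and, unlike the order of the steps above, creates the private endpoint and its DNS records before disabling public access, so that existing callers are never left without a path. It assumes the Azure CLI is installed and logged in with Contributor rights on the resource group and an existing virtual network and subnet; all names (cc-project5-logic-app, cloud-shell-storage-westeurope, cc-project5-vnet, cc-vnet-subnet-001, cc-private-endpoint, westeurope) are placeholders taken from the examples above.

```shell
# Added example (not from the original article): end-to-end remediation for one
# Logic App (Standard), including the privatelink DNS zone. Placeholder names
# below are assumptions; replace them with your own resources.
set -eu

LOGICAPP_NAME=cc-project5-logic-app
RESOURCE_GROUP=cloud-shell-storage-westeurope
VNET_NAME=cc-project5-vnet
SUBNET_NAME=cc-vnet-subnet-001
LOCATION=westeurope
PE_NAME=cc-private-endpoint
DNS_ZONE=privatelink.azurewebsites.net   # Private Link zone for Microsoft.Web/sites

remediate_logicapp() {
  # 1. Resolve the site resource ID; it is the Private Link target.
  site_id=$(az logicapp show --name "$LOGICAPP_NAME" --resource-group "$RESOURCE_GROUP" \
              --query id -o tsv)

  # 2. Create the private endpoint against the "sites" sub-resource. The
  #    connection is auto-approved when the caller has rights on the target site.
  az network private-endpoint create --name "$PE_NAME" --resource-group "$RESOURCE_GROUP" \
     --vnet-name "$VNET_NAME" --subnet "$SUBNET_NAME" --location "$LOCATION" \
     --private-connection-resource-id "$site_id" --group-id sites \
     --connection-name "${LOGICAPP_NAME}-private-connection" --output none

  # 3. DNS: create the privatelink zone, link it to the VNet (no auto-registration
  #    of VM records needed) and let the endpoint publish its A record into it.
  az network private-dns zone create --resource-group "$RESOURCE_GROUP" \
     --name "$DNS_ZONE" --output none
  az network private-dns link vnet create --resource-group "$RESOURCE_GROUP" \
     --zone-name "$DNS_ZONE" --name "${VNET_NAME}-link" \
     --virtual-network "$VNET_NAME" --registration-enabled false --output none
  az network private-endpoint dns-zone-group create --resource-group "$RESOURCE_GROUP" \
     --endpoint-name "$PE_NAME" --name default \
     --private-dns-zone "$DNS_ZONE" --zone-name sites --output none

  # 4. Only now close the public endpoint: the private path already works.
  az logicapp update --name "$LOGICAPP_NAME" --resource-group "$RESOURCE_GROUP" \
     --set publicNetworkAccess=Disabled --output none

  # 5. Verify the end state: Disabled plus at least one private endpoint connection.
  az logicapp show --name "$LOGICAPP_NAME" --resource-group "$RESOURCE_GROUP" \
     --query '{publicNetworkAccess:publicNetworkAccess, privateEndpoints:length(privateEndpointConnections || `[]`)}' \
     -o json
}

# Usage: adjust the variables above, then run "remediate_logicapp".
```

If several virtual networks host clients of the Logic App, repeat the link command for each of them against the same zone; a zone that already exists is simply reused.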


Publication date Jul 24, 2025