Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Disable Public Network Access to Azure Logic Apps

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that public network access to Microsoft Azure Logic Apps via public endpoints is disabled in order to enhance security by preventing unauthorized access.

Security

You can connect to your Azure Logic Apps either publicly through public service endpoints or privately using a private endpoint. When an Azure Logic App is open to public access, it can be reached by all hosts and networks, including the Internet. This raises the likelihood of unauthorized access, security breaches, and potential compliance violations. However, if public network access is disabled, the public endpoint for your Logic App will be disabled, allowing access only through private endpoint connections.

Audit

To determine whether public network access to your Azure Logic Apps is disabled, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Logic App (Standard) for Value, then choose Apply to list the Azure Logic Apps available in the selected subscription.

05 Click on the name (link) of the Azure Logic App that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected Azure Logic App.

07 In the Inbound traffic configuration section, check the Public network access configuration attribute to determine the level of access configured for the selected Logic App. If Public network access is set to Enabled with no access restrictions, the selected Azure Logic App can be accessed through public endpoints. As a result, all networks, including the Internet, will have access to your Logic App.

08 Repeat steps no. 5 – 7 for each Azure Logic App available in the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run logicapp list command (Windows/macOS/Linux) with custom output filters to list the name of each Azure Logic App available in the selected subscription: 

az logicapp list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Azure Logic App names: 

Name                      ResourceGroup
-----------------------   ------------------------------
cc-project5-logic-app     cloud-shell-storage-westeurope
cc-trendmicro-logic-app   cloud-shell-storage-westeurope

06 Run logicapp show command (Windows/macOS/Linux) with the name of the Azure Logic App that you want to examine as the identifier parameter and custom output filters to determine if the public network access to the selected Logic App is disabled 

az logicapp show
	--name cc-project5-logic-app
	--resource-group cloud-shell-storage-westeurope
	--query '{publicNetworkAccess:publicNetworkAccess,ipSecurityRestrictionsDefaultAction:siteConfig.ipSecurityRestrictionsDefaultAction}'

07 The command output should return the status of the default network access rule configured for the selected resource (i.e., "ipSecurityRestrictionsDefaultAction" value) and the status of the "publicNetworkAccess" setting: 

{
	"ipSecurityRestrictionsDefaultAction": "Allow",
	"publicNetworkAccess": "Enabled"
}

If the logicapp show command output returns null or "Allow" for "ipSecurityRestrictionsDefaultAction" and "Enabled" for "publicNetworkAccess", as shown in the example above, all networks, including the Internet, can access your Logic App. As a result, the public network access to the selected Azure Logic App is not disabled.

08 Repeat steps no. 6 and 7 for each Azure Logic App available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable public network access to your Microsoft Azure Logic Apps, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Logic App (Standard) for Value, then choose Apply to list the Azure Logic Apps available in the selected subscription.

05 Click on the name (link) of the Azure Logic App that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected Azure Logic App.

07 In the Inbound traffic configuration section, perform the following actions:

  1. Click on the Enabled with no access restrictions link next to Public network access and set Public network access to Disabled to disable public network access to the selected Azure Logic App.
  2. Choose Save to apply the configuration changes.
  3. On the Access update confirmation panel, select the By checking this box, you are agreeing to update the access restrictions checkbox and choose Continue to confirm the changes.
  4. (Optional) Once the new network configuration is applied, no public networks can access your Azure Logic App. To allow secure access via private endpoints, follow the steps outlined on this page.

08 Repeat steps no. 5 – 7 for each Azure Logic App that you want to configure, available in the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run logicapp list command (Windows/macOS/Linux) with custom output filters to list the name of each Azure Logic App available in the selected subscription: 

az logicapp list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Azure Logic App names: 

Name                      ResourceGroup
-----------------------   ------------------------------
cc-project5-logic-app     cloud-shell-storage-westeurope
cc-trendmicro-logic-app   cloud-shell-storage-westeurope

06 Run logicapp update command (OSX/Linux/UNIX) to disable public network access to the specified Azure Logic App: 

az logicapp update
	--name cc-project5-logic-app
	--resource-group cloud-shell-storage-westeurope
	--set publicNetworkAccess="Disabled"
	--query '{publicNetworkAccess:publicNetworkAccess}'

07 The command output should return the new status of the "publicNetworkAccess" configuration setting: 

{
	"publicNetworkAccess": "Disabled"
}

08 (Optional) Once the new network configuration is applied, no public networks can access your Azure Logic App. To allow secure access via private endpoints, follow the steps outlined on this page.

09 Repeat steps no. 6 - 8 for each Azure Logic App that you want to configure, available within the selected subscription.

10 Repeat steps no. 3 – 9 for each Azure subscription created in your Microsoft Azure cloud account.

References

Publication date Jul 24, 2025

Related LogicApps rules