How to Secure Connection String In Logic App Standard (Private Connection)


Context:

In this example we want a Logic App Standard to access an Azure SQL Database running in private mode, reachable ONLY through a private endpoint (public network access denied).

In this scenario you need to use the built-in SQL Request connector so that the query is executed from inside your Logic App. If you use the Azure SQL managed connector instead, the request is executed on Microsoft's shared connector infrastructure, outside your Logic App and outside your network.


If you use the built-in SQL Request connector, you cannot use a managed identity (MSI) directly inside the SQL connector.

This connector requires a connection string, which is stored in the Logic App Standard configuration (application settings). This is a security issue because the connection string is stored in clear text and can be read by any user who has read/write access to the Logic App (e.g. Logic App developers with Contributor on the resource group, or anyone who needs Contributor access on the Logic App).

In Configuration you can reveal all hidden values. When you create the connection string for your SQL Request component, it is stored here.

Architecture Prerequisite:

I will not describe every step needed to create each simple component; only the Logic App and Key Vault configuration are of interest in this article.

  • Create a virtual network with 3 subnets (one for the SQL Database private endpoint, one for Logic App VNet integration, one for the Key Vault private endpoint).
  • Create an Azure SQL Database (single database): create a private endpoint, deny public network access, select Redirect as the connection policy, and set "Allow Azure services and resources to access this server" to No.
  • Create the Logic App and configure VNet integration with the subnet you created for it in your VNet.
  • Check that the managed identity (MSI) is enabled on your Logic App.
  • Create a Key Vault (it can also be in private mode) and add an access policy for your Logic App's managed identity (Secret permissions: List/Get).
  • Always apply least privilege: your Logic App only needs to read this secret and nothing more, so List and Get are the minimum actions it needs.
  • Create a workflow in your Logic App.
  • Design your workflow with a built-in SQL Request component and create a placeholder SQL connection string (the real one will be stored in Key Vault).

Update Logic App Configuration:

Now we will update the Logic App configuration to use Key Vault. Go to your Logic App Configuration and look for the "sql_connectionString" parameter.

By default the connection string is visible if you have sufficient rights on your Logic App.

Go to your Key Vault and create a new secret containing your database connection string.

Go back to your Logic App and update the "sql_connectionString" value with the following (replace [VaultName] with your Key Vault name and [SecretName] with the name of the Key Vault secret that contains your connection string):

@Microsoft.KeyVault(VaultName=[VaultName];SecretName=[SecretName e.g: sqlconnectionString])

When you save the update and refresh the configuration, the source of your "sql_connectionString" parameter should now show "Key vault Reference" with a green check if the reference is validated.

Now your connection string is no longer readable from your Logic App configuration; the value is stored securely in your Key Vault, accessible only through its private endpoint.
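As an added illustration (not code from the article), the following Python builds the reference value shown above and audits an app-settings export of a Logic App Standard for connection strings still stored in clear text; the vault name, secret name and sample settings are constructed for the example.

```python
import json
import re

# App Service / Logic App Standard Key Vault reference syntax: @Microsoft.KeyVault(...)
KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>[^)]*)\)$")
# Heuristic for a SQL connection string that is still stored in clear text.
PLAINTEXT_HINTS = re.compile(r"(password=|pwd=|server=tcp:|initial catalog=)", re.IGNORECASE)

def keyvault_reference(vault_name, secret_name):
    """Build the value to put in the app setting (e.g. sql_connectionString)."""
    return "@Microsoft.KeyVault(VaultName=%s;SecretName=%s)" % (vault_name, secret_name)

def parse_keyvault_reference(value):
    """Return the reference's key/value parts, or None if the value is not a valid reference.
    Both documented forms are accepted: VaultName+SecretName and SecretUri."""
    m = KV_REF.match(value.strip())
    if not m:
        return None
    parts = {}
    for item in m.group("body").split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            parts[key.strip()] = val.strip()
    if "SecretUri" in parts or ("VaultName" in parts and "SecretName" in parts):
        return parts
    return None

def audit_app_settings(settings):
    """Classify each setting as keyvault-reference, plaintext-secret or other."""
    verdicts = {}
    for setting in settings:
        value = setting.get("value", "")
        if parse_keyvault_reference(value):
            verdicts[setting["name"]] = "keyvault-reference"
        elif PLAINTEXT_HINTS.search(value):
            verdicts[setting["name"]] = "plaintext-secret"
        else:
            verdicts[setting["name"]] = "other"
    return verdicts

# Constructed sample shaped like an app-settings export (name/value pairs); not real credentials.
SAMPLE_SETTINGS = json.loads("""[
  {"name": "sql_connectionString",
   "value": "Server=tcp:contoso-sql.database.windows.net,1433;Initial Catalog=orders;User ID=app;Password=NotARealPassword1!"},
  {"name": "secured_connectionString",
   "value": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=sqlconnectionString)"},
  {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "node"}
]""")

VERDICTS = audit_app_settings(SAMPLE_SETTINGS)  # sql_connectionString -> plaintext-secret
```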



have fun ☺️


More articles by Matthieu R.
