On a client project with a particular focus on security, I faced the concept of “securing your Logic Apps with API Management.” While wrapping services in API Management is often the right design choice for service distribution, management, and onboarding, it’s important to remember that a Logic App with an HTTP trigger is still publicly reachable by anyone who holds the callback URL (including its SAS token), and you have limited control over who is calling your service.
For this scenario, I wanted to make sure that only API Management is authorized to call the Logic App endpoint.
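One way to enforce that restriction is at the Logic App itself, so the SAS URL alone is no longer enough: the workflow resource's `accessControl` block limits which source IP addresses may fire the trigger. The ARM template fragment below is an added example written for this post, not the author's own deployment; the address `203.0.113.10/32` is a placeholder for the public IP of your API Management instance, and `logicAppName` is an assumed template parameter. Without an `accessControl` block (the default), any caller that obtains the trigger URL can invoke the workflow.

```json
{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2019-05-01",
  "name": "[parameters('logicAppName')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "state": "Enabled",
    "accessControl": {
      "triggers": {
        "allowedCallerIpAddresses": [
          { "addressRange": "203.0.113.10/32" }
        ]
      },
      "contents": {
        "allowedCallerIpAddresses": [
          { "addressRange": "203.0.113.10/32" }
        ]
      }
    },
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "contentVersion": "1.0.0.0",
      "triggers": {
        "manual": {
          "type": "Request",
          "kind": "Http",
          "inputs": { "schema": {} }
        }
      },
      "actions": {
        "Response": {
          "type": "Response",
          "kind": "Http",
          "inputs": { "statusCode": 200, "body": "ok" }
        }
      },
      "outputs": {}
    }
  }
}
```

The `triggers` entry is what keeps callers other than API Management from starting a run; the `contents` entry additionally restricts who can read a run's inputs and outputs, which otherwise expose request and response payloads to anyone with the run's access URL. If your API Management tier uses multiple outbound addresses, list each one as its own `addressRange` item, and re-check the list whenever the APIM instance is re-deployed, since its public IP can change.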