AS2 Connection - Integration Account - By not exposing LogicAppUrl to external

Question

AS2 Connection - Integration Account - By not exposing LogicAppUrl to external

balaram nanduri 0

Hi everyone,

I'm currently working on setting up an AS2 connection between external clients and our Azure-hosted integration environment. We want to support both inbound and outbound AS2 messaging using certificate-based authentication, dynamic routing based on AS2 headers, and MDN handling (both synchronous and asynchronous). Since Logic Apps are involved in processing the messages, we are considering placing a secure proxy in front of the Logic App to avoid exposing its URL directly to external clients.

I’d like to ask how others are handling this in their organizations. Specifically:

If you're using AS2 with Azure, what kind of proxy or gateway are you using in front of Logic Apps for secure AS2 communication?

Are you using Azure API Management (APIM) or Azure Application Gateway, and what are the pros/cons you’ve encountered?

Does your setup support mutual TLS and proper certificate validation for AS2 partners?

What would be the recommended approach for my scenario — APIM or Gateway — considering the need for cert-based authentication, AS2 header inspection, MDN handling, and Integration Account support?

Any insights or experience you can share would be greatly appreciated!

Ranashekar Guda 1,275 Reputation points Microsoft External Staff

2025-04-16T14:33:25.11+00:00

Hi @balaram nanduri,

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Ranashekar Guda 1,275 Reputation points Microsoft External Staff

2025-04-17T12:00:50.9066667+00:00

Hi @balaram nanduri,
If you had a chance to review my response to your question and found it helpful, please consider clicking "Upvote" on my post. Let us know if you need any further assistance.
balaram nanduri 0 Reputation points

2025-04-24T06:12:32.04+00:00

Hello @Ranashekar Guda

Thank you for your detailed response and for sharing those documents.

I reviewed Document1, which provides guidance on creating an Integration Account. In our case, we already have an Integration Account in place and are actively using it. Document2 covers setting up AS2 communication via Logic Apps, which is helpful. However, my specific requirement goes a bit further — we are looking to establish secure AS2 communication with external clients, both inbound and outbound, and want to use a proxy (like Azure API Management) to avoid directly exposing our Logic App endpoints to the external world.

Our goal is to implement a generic APIM proxy that can receive and send AS2 messages on behalf of multiple clients. The APIM should:

Support mutual TLS using certificates

Route messages dynamically based on AS2-From/AS2-To headers

Handle both synchronous and asynchronous MDNs

Interface securely with Azure Integration Account and Logic Apps

For authentication, we plan to share our public certificate with our partners and store their public certificates in our Integration Account. If there is any official Microsoft documentation on how APIM handles authentication and interacts with Integration Account for AS2 scenarios, that would be very helpful.

Additionally, I’m evaluating why Azure Application Gateway wouldn’t be suitable for this scenario. From my understanding, it does not support mutual TLS or header-based routing, which are essential for AS2. Could you confirm this or share comparison details if available?

For outbound messages, we aim to make the solution generic by maintaining a configuration in SQL (e.g., AS2From, AS2To, and endpoint URL), and letting the Logic App or Proxy API use those values dynamically. The solution must handle various message formats such as EDI, XML, etc.

Could you kindly point me to any official documentation or examples that demonstrate this type of end-to-end AS2 integration setup using APIM and Logic Apps? It would also be great to hear how other organizations are managing similar AS2 communication setups in production.

Thanks again for your support!
LeelaRajeshSayana-MSFT 17,676 Reputation points

2025-05-01T17:02:35.1033333+00:00

@balaram nanduri We still have not heard back from you. Just wanted to check if the additional feedback shared below was helpful? If you have any further query do let us know. Thank you

2 answers

Your answer

Ranashekar Guda 1,275 Reputation points Microsoft External Staff

2025-04-16T14:33:25.11+00:00

Hi @balaram nanduri,

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Ranashekar Guda 1,275 Reputation points Microsoft External Staff

2025-04-17T12:00:50.9066667+00:00

Hi @balaram nanduri,
If you had a chance to review my response to your question and found it helpful, please consider clicking "Upvote" on my post. Let us know if you need any further assistance.
LeelaRajeshSayana-MSFT 17,676 Reputation points

2025-05-01T17:02:35.1033333+00:00

@balaram nanduri We still have not heard back from you. Just wanted to check if the additional feedback shared below was helpful? If you have any further query do let us know. Thank you

Answer 1

Ranashekar Guda 1,275 Microsoft External Staff

Hello @balaram nanduri,

To securely connect external AS2 partners with your Azure Integration Account and Logic Apps, using Azure API Management (APIM) is highly recommended. APIM acts as a secure gateway, preventing direct exposure of your Logic App URLs. It allows you to enforce mutual TLS for certificate-based authentication, crucial for AS2. Its policy engine enables dynamic routing based on AS2 headers, directing messages to the correct Logic Apps.

Additionally, APIM effectively handles both synchronous and asynchronous MDN responses, ensuring reliable message delivery. By implementing APIM, you gain centralized control over security, routing, and monitoring, making it the ideal solution for complex AS2 integrations while maintaining strong security posture.

For further clarification, please refer to the following documentations: Document1, Document2

I hope this helps resolve your issue. Feel free to reach out if you have further concerns.

Ranashekar Guda 1,275 Reputation points Microsoft External Staff

2025-04-18T13:28:54.81+00:00

Hi @balaram nanduri,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
balaram nanduri 0 Reputation points

2025-04-21T07:51:40.9566667+00:00

Hello @Ranashekar Guda

Thank you for your detailed response and for sharing those documents.

I reviewed Document1, which provides guidance on creating an Integration Account. In our case, we already have an Integration Account in place and are actively using it. Document2 covers setting up AS2 communication via Logic Apps, which is helpful. However, my specific requirement goes a bit further — we are looking to establish secure AS2 communication with external clients, both inbound and outbound, and want to use a proxy (like Azure API Management) to avoid directly exposing our Logic App endpoints to the external world.

Our goal is to implement a generic APIM proxy that can receive and send AS2 messages on behalf of multiple clients. The APIM should:

Support mutual TLS using certificates

Route messages dynamically based on AS2-From/AS2-To headers

Handle both synchronous and asynchronous MDNs

Interface securely with Azure Integration Account and Logic Apps

For authentication, we plan to share our public certificate with our partners and store their public certificates in our Integration Account. If there is any official Microsoft documentation on how APIM handles authentication and interacts with Integration Account for AS2 scenarios, that would be very helpful.

Additionally, I’m evaluating why Azure Application Gateway wouldn’t be suitable for this scenario. From my understanding, it does not support mutual TLS or header-based routing, which are essential for AS2. Could you confirm this or share comparison details if available?

For outbound messages, we aim to make the solution generic by maintaining a configuration in SQL (e.g., AS2From, AS2To, and endpoint URL), and letting the Logic App or Proxy API use those values dynamically. The solution must handle various message formats such as EDI, XML, etc.

Could you kindly point me to any official documentation or examples that demonstrate this type of end-to-end AS2 integration setup using APIM and Logic Apps? It would also be great to hear how other organizations are managing similar AS2 communication setups in production.

Thanks again for your support!

Answer 2

@balaram nanduri Thank you for sharing the additional information on your use case and providing pointers on what you are trying to achieve. I could not find an end-to-end flow covering your use case. Here are couple of articles that will guide you on what you are planning to achieve

The two articles explain how certificates can be incorporated into APIM and how to use APIM to forward calls it receives and invoke Logic App flows without exposing the Logic App URLs directly to end customers.

Hope this helps. Please let us know if you still need any assistance or further clarification.

Share via

AS2 Connection - Integration Account - By not exposing LogicAppUrl to external

2 answers

Your answer