
We have a logic app with a location of Northern Europe. The Logic app uses a "Create File SFTP" Action to create a file on an SFTP server in Europe.

The owner of the server has blocked our attempts to create a file, saying that one of the hops is based in the U.S., and they don't accept data that has landed in the U.S.

I'm not debating their policy. The question is: if the logic app is based in North Europe (Irish data center), why would the SFTP file create request be routing through U.S. servers?

I thought it was maybe that once the packet hits the internet, it can go anywhere, but the vendor says the request consistently has a hop from a U.S. IP address.

wilson_smyth
  • I don't believe you can tell if routed traffic has traveled through the U.S. conclusively. I'm guessing here, but it sounds like they are doing something like a trace route on the IP the logic app is coming from. There's a chance the trace route from their side is hitting a server in the United States. Any chance they can give you the IP in question, or they could explain how they determine if "data has landed in the U.S.?" I'm curious. – Narthring May 31 '23 at 15:40
  • Custom connectors may exist in each region but the underlying API's are often hosted elsewhere. Given it's a standard connector though, I'd expect it to operate solely from its own region but can't say for sure. If you want a conclusive answer, I'd raise a case with Microsoft. – Skin Jun 01 '23 at 02:42
  • @Narthring - thank you for your reply. The vendor is being very obscure, with limited information. They cannot say how they are coming to that conclusion, only that their SFTP server (Bitvise, I think) is saying the IP or one of the IPs in the hop is based in the US. – wilson_smyth Jun 06 '23 at 14:26
  • @Skin - thank you. We have talked with Microsoft, but they tell us they cannot tell us the route a packet takes, i.e. they cannot do a trace route within their own infrastructure. – wilson_smyth Jun 06 '23 at 14:27

1 Answer

According to the documentation, SFTP-SSH is a managed connector, and as such the outbound IP addresses should follow the list in this document.

Your description is very strange, and you should check with the owner of the SFTP server to re-check the procedure which led him to the conclusion that your logic app uses an IP in the US. It sounds like an issue on his side at first glance, assuming your description is accurate.

If the Logic App is located in North Europe, then the IP that your SFTP server should see is in the ranges:

52.178.150.68, 94.245.91.93, 20.82.226.52, 20.82.224.59, 13.69.227.208 - 13.69.227.223, 13.69.231.192 - 13.69.231.223, 40.115.108.29, 20.82.246.112 - 20.82.246.127, 52.146.138.32 - 52.146.138.63

There should be NO routing through U.S. servers from the Azure side (including the connector or the API of the Azure SFTP service).

Note! This is well documented.

Ronen Ariely
  • I gave you the same answer at the [Microsoft QnA forum](https://learn.microsoft.com/answers/questions/1295076/azure-logic-app-with-region-of-north-europe-routin?WT.mc_id=DP-MVP-5001699). Note that I (almost) do not follow Stack Overflow at all. I only came here from Google when I searched the right documentation for you. I hope this covers the topic. – Ronen Ariely Jun 04 '23 at 23:25
  • @ronan Ariely - thank you. All I can think of is that once the packet leaves the North Europe based IP used by the logic app, it is now on the internet, and can technically be routed anywhere. The only way to guarantee a packet staying within Europe is a leased line, or having source and destination in Azure, or using a private link/endpoint, but as the destination SFTP is not in Azure, this is also not going to mitigate the issue. – wilson_smyth Jun 06 '23 at 14:31
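
As an added example (not part of the original answer or of Microsoft's documentation), the following Python checks source addresses taken from an SFTP server's connection log against the North Europe connector ranges quoted in the answer above. The addresses in `seen` are constructed sample values, and the function names are illustrative.

```python
import ipaddress

# Outbound IPs quoted in the answer for managed connectors in North Europe.
# Copied from this page; re-check against the current Microsoft list before use.
NORTH_EUROPE_CONNECTOR_IPS = (
    "52.178.150.68, 94.245.91.93, 20.82.226.52, 20.82.224.59, "
    "13.69.227.208 - 13.69.227.223, 13.69.231.192 - 13.69.231.223, "
    "40.115.108.29, 20.82.246.112 - 20.82.246.127, "
    "52.146.138.32 - 52.146.138.63"
)


def parse_ranges(text):
    """Parse 'a, b - c, ...' into a list of ip_network objects."""
    networks = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            # 'first - last' range: collapse into the covering CIDR block(s)
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-"))
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            networks.append(ipaddress.ip_network(item))  # single host -> /32
    return networks


def classify(source_ips, networks):
    """Map each source IP to the documented network containing it, or None."""
    result = {}
    for raw in source_ips:
        addr = ipaddress.ip_address(raw)
        match = next((n for n in networks if addr in n), None)
        result[raw] = str(match) if match else None
    return result


if __name__ == "__main__":
    nets = parse_ranges(NORTH_EUROPE_CONNECTOR_IPS)
    # Constructed sample: peer addresses as they might appear in the server log
    seen = ["13.69.227.215", "52.146.138.40", "198.51.100.7"]
    for ip, net in classify(seen, nets).items():
        print(ip, "->", net or "NOT in the quoted North Europe connector ranges")
```

The peer address of the TCP connection is the only address the SFTP server observes directly, so this check covers the connector's source IP and says nothing about intermediate hops.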