Protect your nested/service flows with the Azure API Management Service


Using flows as a web service is very popular. To achieve this you just need to use the trigger When an HTTP request is received, and when you save your flow a public URL is generated. Easy.


However:

  • the URL might change
  • you might need to protect it: authentication, throttling, restricting the callers to some specific network locations, and so on.

So welcome to one of my favorite Azure tools:

Azure API Management Service

In this post I will show you how to start, but of course it is up to you to read the documentation in order to do more. We will just scratch the surface here.

Let’s start with a very simple service flow that calculates the sum of 2 numbers:


(set the trigger method to POST)

In order to make sure this flow works as expected, test it in Postman:


Make sure the Content-Type: application/json header has been defined, click Send and you should get a result:


Let’s go to your Azure Portal and find the (Azure) API Management service:


We will add a new service that binds our API (the flow’s public URL) to a specific API host name (among other things):

Click Add and fill in the following information (see picture below): the name you provide defines the service URL host, so in my case “Flowdemo” will generate the public URL

Also select an existing resource group or create a new one; the name is not relevant here, I had an existing one called “flow”:


Click Create. The service creation can take up to 30 minutes!

When the service is created, click the service (here Flowdemo) and click the APIs menu to create a new API.


Click Add API and select Blank API:


Fill in the following fields (and paste your flow’s public URL in the Web service URL field):


Click Create.

Select your API and click Add operation:


The display name can be Add2Numbers; select POST and add a ‘/’ in the URL:


We now need to associate our API with an object called a “product”; policies are attached to this product. A product can host several APIs if needed.

Go to Products:


Create a new product called Calculator, uncheck Require subscription and select your Calculator Flow API:


Click Create.

Now let’s get back to Postman, and instead of using your flow URL you can type your new service URL; in my case . External users should only know this URL, not the flow-generated URL. You can protect this new URL through Azure API Management, which is basically my point.

Let’s go back to Postman and replace the raw flow URL with the new one: it should work:


Go back to the product definition and check Require subscription:


Save and test the same call in Postman; you will be required to provide a subscription key:


To fix this, create a subscription:


Then reveal and copy the key into Postman:

Actually you must create a new header entry named “Ocp-Apim-Subscription-Key” with your new subscription key as its value:


Send the request and it should work now.

There are so many ways to protect your API that I recommend you spend more time on the policies:


Let’s say that you want to implement a policy that only allows callers from an IP range: like from to

Click the policy Restrict caller IPs:


Update the policy with the IP you want:


Save the policy; make sure your Postman is in the correct range and you should get a response. To find out your IP address you can go to

Change the policy to remove your Postman IP address and you should get a 403 status code:


Let’s try to limit the number of calls per IP address: max 3 calls every 60 seconds


Test with Postman; after 4 calls you will get:
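Both policies above (the caller IP restriction and the per-IP call limit) are stored by API Management as XML in the policy editor. The snippet below is an added example, not a screenshot from the original post and not the exact XML the portal generated for the author; it shows the two rules combined in one inbound section so the relationship between them is visible. The address range 203.0.113.0 to 203.0.113.255 is a placeholder documentation range that you replace with your own; the limit of 3 calls per 60 seconds matches the post.

```xml
<policies>
    <inbound>
        <base />
        <!-- Allow list: only callers whose source address is inside this range reach the backend.
             Any other caller is rejected by the gateway with 403 Forbidden.
             203.0.113.0-203.0.113.255 is a placeholder; put your own range here. -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- Per-caller throttle: the counter key is the caller's IP address, so each source
             address gets 3 calls per 60-second window; the 4th call in the window is rejected
             with 429 Too Many Requests. -->
        <rate-limit-by-key calls="3" renewal-period="60" counter-key="@(context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the post attaches policies to the Calculator product, this XML belongs at product scope; the `<base />` elements keep any policy defined at the global scope in effect. Note that these rules only guard the API Management URL: the raw flow URL still answers any caller who has it, which is why the post tells you to share only the managed URL.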


In summary: be very careful when you expose any API in general, and in the specific case of Microsoft Flow when you use the When an HTTP request is received trigger. Don’t share the public URL generated by Flow; share only the protected URL generated and managed by Azure API Management. It is also good to know that Flow/PowerApps connectors run under the umbrella of the Azure API Management Service, which is why each connector provides throttling. Your custom connectors follow the same logic.

If you are interested, I can train your team in PowerApps and Flow anywhere in the world. My workshops are fully exercise-oriented, with zero slides.

Check my web site:

