Commit 13122ae

Add info about service tags
1 parent 2223d29 commit 13122ae

2 files changed

+20
-21
lines changed

articles/logic-apps/connect-virtual-network-vnet-isolated-environment.md

Lines changed: 6 additions & 6 deletions
@@ -5,7 +5,7 @@ services: logic-apps
55
ms.suite: integration
66
ms.reviewer: klam, logicappspm
77
ms.topic: conceptual
8-
ms.date: 03/11/2020
8+
ms.date: 03/12/2020
99
---
1010

1111
# Connect to Azure virtual networks from Azure Logic Apps by using an integration service environment (ISE)
@@ -94,7 +94,7 @@ To make sure that your ISE is accessible and that the logic apps in that ISE can
9494

9595
### Network ports used by your ISE
9696

97-
This table describes the ports in your Azure virtual network that your ISE uses and where those ports get used. The [Resource Manager service tags](../virtual-network/security-overview.md#service-tags) represents a group of IP address prefixes that help minimize complexity when creating security rules.
97+
This table describes the ports in your Azure virtual network that your ISE uses and where those ports get used. The [Resource Manager service tags](../virtual-network/security-overview.md#service-tags) represent groups of IP address prefixes that help minimize complexity when creating security rules.
9898

9999
> [!IMPORTANT]
100100
> Source ports are ephemeral, so make sure that you set them to `*` for all rules. Where noted, internal ISE and external ISE refer to the
@@ -104,11 +104,11 @@ This table describes the ports in your Azure virtual network that your ISE uses
104104
| Purpose | Direction | Destination ports | Source service tag | Destination service tag | Notes |
105105
|---------|-----------|-------------------|--------------------|-------------------------|-------|
106106
| Intersubnet communication within your virtual network | Inbound & Outbound | * | The address space for the virtual network that has your ISE's subnets | The address space for the virtual network that has your ISE's subnets | Required for traffic to flow *between* the subnets in your virtual network. <p><p>**Important**: For traffic to flow between the *components* in each subnet, make sure that you open all the ports within each subnet. |
107-
| Communication to your logic app | Inbound | 443 | Internal ISE: <br>VirtualNetwork <p><p>External ISE: <br>Internet | VirtualNetwork | The source IP address for the computer or service that calls any request triggers or webhooks in your logic app. <p><p>**Important**: Closing or blocking this port prevents HTTP calls to logic apps that have request triggers. |
108-
| Logic app run history | Inbound | 443 | Internal ISE: <br>VirtualNetwork <p><p>External ISE: <br>Internet | VirtualNetwork | The source IP address for the computer or service from where you want to view your logic app's run history. <p><p>**Important**: Although closing or blocking this port doesn't prevent you from viewing the run history, you can't view the inputs and outputs for each step in that run history. |
109-
| Logic Apps Designer - dynamic properties | Inbound | 454 | See **Notes** column for IP addresses to allow | VirtualNetwork | Requests come from the Logic Apps access endpoint [inbound](../logic-apps/logic-apps-limits-and-config.md#inbound) IP addresses for that region. |
107+
| Communication to your logic app | Inbound | 443 | Internal ISE: <br>VirtualNetwork <p><p>External ISE: <br>Internet <br>(see **Notes** column) | VirtualNetwork | Rather than use the **Internet** service tag, you can select the IP address option so that you can specify the source IP address for the computer or service that calls any request triggers or webhooks in your logic app. <p><p>**Important**: Closing or blocking this port prevents HTTP calls to logic apps that have request triggers. |
108+
| Logic app run history | Inbound | 443 | Internal ISE: <br>VirtualNetwork <p><p>External ISE: <br>Internet <br>(see **Notes** column) | VirtualNetwork | Rather than the **Internet** service tag, you can select the IP address option so you that can specify the source IP address for the computer or service from where you want to view your logic app's run history. <p><p>**Important**: Although closing or blocking this port doesn't prevent you from viewing the run history, you can't view the inputs and outputs for each step in that run history. |
109+
| Logic Apps Designer - dynamic properties | Inbound | 454 | LogicAppsManagement | VirtualNetwork | Requests come from the Logic Apps access endpoint [inbound](../logic-apps/logic-apps-limits-and-config.md#inbound) IP addresses for that region. |
110110
| Connector deployment | Inbound | 454 | AzureConnectors | VirtualNetwork | Required for deploying and updating connectors. Closing or blocking this port causes ISE deployments to fail and prevents connector updates or fixes. |
111-
| Network health check | Inbound | 454 | See **Notes** column for IP addresses to allow | VirtualNetwork | Requests come from the Logic Apps access endpoint for both [inbound](../logic-apps/logic-apps-limits-and-config.md#inbound) and [outbound](../logic-apps/logic-apps-limits-and-config.md#outbound) IP addresses for that region. |
111+
| Network health check | Inbound | 454 | LogicApps | VirtualNetwork | Requests come from the Logic Apps access endpoint for both [inbound](../logic-apps/logic-apps-limits-and-config.md#inbound) and [outbound](../logic-apps/logic-apps-limits-and-config.md#outbound) IP addresses for that region. |
112112
| App Service Management dependency | Inbound | 454, 455 | AppServiceManagement | VirtualNetwork | |
113113
| Communication from Azure Traffic Manager | Inbound | Internal ISE: 454 <p><p>External ISE: 443 | AzureTrafficManager | VirtualNetwork | |
114114
| API Management - management endpoint | Inbound | 3443 | APIManagement | VirtualNetwork | |
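
Review bot: In the Network health check row, the source is now the single tag LogicApps, but the Notes cell still says requests come from both the inbound and outbound Logic Apps IP addresses, and the companion change in logic-apps-limits-and-config.md describes LogicApps as the outbound prefixes only, with LogicAppsManagement as the inbound ones. Either list both tags in the source column or update the Notes cell, so that the security rule a reader builds from this row matches the traffic the row describes. Also, in the Logic app run history row, "so you that can specify" should read "so that you can specify", and that row opens with "Rather than the" where the row above has "Rather than use the".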

articles/logic-apps/logic-apps-limits-and-config.md

Lines changed: 14 additions & 15 deletions
@@ -5,7 +5,7 @@ services: logic-apps
55
ms.suite: integration
66
ms.reviewer: klam, logicappspm
77
ms.topic: article
8-
ms.date: 03/11/2020
8+
ms.date: 03/12/2020
99
---
1010

1111
# Limits and configuration information for Azure Logic Apps
@@ -288,17 +288,20 @@ take significant time to complete.
288288

289289
<a name="configuration"></a>
290290

291-
## Firewall configuration: IP addresses
291+
## Firewall configuration: IP addresses and service tags
292292

293-
The IP addresses that Azure Logic Apps uses for incoming and outgoing calls depend on the region where your logic app exists. *All* logic apps that are in the same region use the same IP address ranges.
293+
The IP addresses that Azure Logic Apps uses for incoming and outgoing calls depend on the region where your logic app exists. *All* logic apps in the same region use the same IP address ranges. Some [Power Automate](https://docs.microsoft.com/power-automate/getting-started) calls, such as **HTTP** and **HTTP + OpenAPI** requests, go directly through the Azure Logic Apps service and come from the IP addresses that are listed here. For more information about IP addresses used by Power Automate, see [Limits and configuration in Power Automate](https://docs.microsoft.com/flow/limits-and-config#ip-address-configuration).
294294

295-
> [!NOTE]
296-
> Some Power Automate calls, such as **HTTP** and **HTTP + OpenAPI** requests,
297-
> go directly through the Azure Logic Apps service and come from the IP addresses
298-
> that are listed here. For more information about IP addresses used by Power Automate, see
299-
> [Limits and configuration in Power Automate](https://docs.microsoft.com/flow/limits-and-config#ip-address-configuration).
295+
> [!TIP]
296+
> To help reduce complexity when you create security rules, you can optionally use
297+
> [service tags](../virtual-network/security-overview.md#service-tags), rather than
298+
> specify the Logic Apps IP addresses for each region, described later in this section.
299+
> These tags work across the regions where the Logic Apps service is available:
300+
>
301+
> * **LogicAppsManagement**: Represents the inbound IP address prefixes for the Logic Apps service.
302+
> * **LogicApps**: Represents the outbound IP address prefixes for the Logic Apps service.
300303
301-
* To support the calls that your logic apps directly make with [HTTP](../connectors/connectors-native-http.md), [HTTP + Swagger](../connectors/connectors-native-http-swagger.md), and other HTTP requests, set up your firewall with *all* the [inbound](#inbound) *and* [outbound](#outbound) IP addresses that are used by the Logic Apps service, based on the regions where your logic apps exist. These addresses appear under the **Inbound** and **Outbound** headings in this section, and are sorted by region.
304+
* To support the calls that your logic apps directly make with [HTTP](../connectors/connectors-native-http.md), [HTTP + Swagger](../connectors/connectors-native-http-swagger.md), and other HTTP requests, set up your firewall with all the [inbound](#inbound) *and* [outbound](#outbound) IP addresses that are used by the Logic Apps service, based on the regions where your logic apps exist. These addresses appear under the **Inbound** and **Outbound** headings in this section, and are sorted by region.
302305

303306
* To support the calls that [Microsoft-managed connectors](../connectors/apis-list.md) make, set up your firewall with *all* the [outbound](#outbound) IP addresses used by these connectors, based on the regions where your logic apps exist. These addresses appear under the **Outbound** heading in this section, and are sorted by region.
304307

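
Review bot: The new TIP says the tags "work across the regions where the Logic Apps service is available", while the paragraph above it says the addresses depend on the region where the logic app exists; the text should state plainly whether a rule that uses LogicAppsManagement or LogicApps admits the prefixes for every region, because that would be broader than the per-region lists the bullets below still tell readers to configure. Readers who want the narrowest allow list need that stated to choose between the tag and the regional addresses. Minor: the emphasis was dropped from "all" in the first bullet, but the unchanged connectors bullet still has *all*.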
@@ -310,15 +313,11 @@ The IP addresses that Azure Logic Apps uses for incoming and outgoing calls depe
310313

311314
* For custom connectors, [Azure Government](../azure-government/documentation-government-overview.md), and [Azure China 21Vianet](https://docs.microsoft.com/azure/china/), fixed or reserved IP addresses aren't available.
312315

313-
> [!IMPORTANT]
314-
> If you have firewall configurations that you set up before September 1, 2018,
315-
> make sure that they match the current IP addresses in these lists for the regions where your logic apps exist.
316-
317316
<a name="inbound"></a>
318317

319318
### Inbound IP addresses
320319

321-
This section lists the inbound IP addresses for the Logic Apps service only. For Azure Government, see [Azure Government - Inbound IP addresses](#azure-government-inbound).
320+
This section lists the inbound IP addresses for the Azure Logic Apps service only. To help reduce complexity when you create security rules, you can optionally use the [service tag](../virtual-network/security-overview.md#service-tags), **LogicAppsManagement**, rather than specify inbound Logic Apps IP address prefixes for each region. This tag works across the regions where the Logic Apps service is available. If you have Azure Government, see [Azure Government - Inbound IP addresses](#azure-government-inbound).
322321

323322
<a name="multi-tenant-inbound"></a>
324323

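
Review bot: The removal of the IMPORTANT note about firewall configurations set up before September 1, 2018 is unrelated to service tags and is not mentioned in the commit message; if it is intentional, say so in the message, otherwise keep it, since it prompts readers to re-check existing rules against the current lists. In the new inbound paragraph, the service-tag sentence repeats the TIP added earlier in this file almost word for word; a short pointer to the TIP would keep the two from drifting apart.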
@@ -374,7 +373,7 @@ This section lists the inbound IP addresses for the Logic Apps service only. For
374373

375374
### Outbound IP addresses
376375

377-
This section lists the outbound IP addresses for the Logic Apps service and managed connectors. For Azure Government, see [Azure Government - Outbound IP addresses](#azure-government-outbound).
376+
This section lists the outbound IP addresses for the Azure Logic Apps service and managed connectors. To help reduce complexity when you create security rules, you can optionally use the [service tag](../virtual-network/security-overview.md#service-tags), **LogicApps**, rather than specify outbound Logic Apps IP address prefixes for each region. This tag works across the regions where the Logic Apps service is available. For managed connectors, use the IP addresses. If you have Azure Government, see [Azure Government - Outbound IP addresses](#azure-government-outbound).
378377

379378
<a name="multi-tenant-outbound"></a>
380379

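
Review bot: The added sentence "For managed connectors, use the IP addresses." does not say which addresses or why the tag is not an option there. If the intent is that the LogicApps tag does not cover managed connectors, state that and point to the outbound list in this section, so that a reader does not assume the single tag is enough for connector traffic.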