Microsoft Dynamics 365 for Finance and Operations offers a lot of flexibility and significantly less maintenance effort than the previous versions (AX). With the move to a cloud-hosted SaaS solution, we had to modify our approach to making modifications, interfacing with the system, licensing and more. One change that can be particularly challenging is that the IP address of F&O may change without notice.
Why does this matter? Let’s role-play:
Mr. Dynamic IP Representative
F&O should not need to worry about getting a public IP reserved in Azure. “There might be many reasons for the IP addresses to change over time (environment redeployment, failover, rollbacks, upgrades, etc..) including architectural modifications in the Azure landscape” (link). If you go through the steps of migrating F&O to a different Azure Region, all connections which specified the IP address instead of a URL would need to be updated.
Mrs. Static IP Representative
My dear F&O, you should have a static IP. It could give me increased security by enabling more specific firewall rules both in Azure and in my own data center. Office 365 admin center wants an IP address to enable email relay, so I need to maintain that unless I have a static IP. Perhaps Microsoft has purposely kept to a dynamic IP to encourage modern interface design? I understand that there are other ways to accomplish a similar thing, but if you already have an Azure Traffic Manager in front of F&O, why not assign it a static IP address?
But…the IP address of my FinOps hasn’t changed for a year!
Some of us have found that the public IP address for F&O does not change all that much. Although technically the IP address is dynamic and can change, DHCP servers grant leases for IP addresses. This is why you can reboot an Azure Virtual Machine and still keep the same IP address. However, whenever the host is not online there is a chance the IP lease expires. Once the lease expires, the system will be given the next IP available.
How to solve this challenge?
- Use On-Prem Data Gateway feature of Logic Apps or Azure API Management to marshal the data securely,
- Microsoft could assign a static IP address to their Azure Traffic Manager,
- Microsoft could send us a notification when the IP address changes,
- Use Azure Traffic Manager with a static IP and FQDN endpoint (?),
- A Logic App or third party service could monitor the DNS entry and notify when it changes, or
- We could make our own notification (and why not!)
Yep! In the next few posts we’ll create a solution to fill this gap.
For illustration purposes let’s say there is an Azure-hosted virtual machine hosting an API with which F&O needs to communicate.
Before you see the ‘solution,’ note that it is for demonstration purposes, to show the power of F&O Business Events and Logic Apps. I wouldn’t suggest this approach because…
- This approach goes against some best practices; however, I also understand the importance of being pragmatic. Let me say that both Logic Apps and API Management have a Data Gateway which can expose those same services securely.
- Microsoft’s blog suggests a way to accomplish this same thing without modifying F&O, using only Logic Apps (Full Post).
- The code I’m about to write could fail because it depends on an external web site response.
Stay tuned: in the fourth post of this series, I will explain in more detail how the interface situation could be redesigned in a more modern, reliable manner.
In the next few posts I will demonstrate creating a periodic process in F&O to raise an F&O business event if the IP address changes, so that an Azure Logic App can update a firewall rule on an Azure Virtual Machine’s Network Security Group (NSG).
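The detection step discussed above (watch the environment's DNS name and react only when its address set changes), as an added Python example that is not the author's code from this series. The hostname, state-file name and function names are assumptions, and the sample addresses in any test run are constructed.

```python
import ipaddress
import json
import socket
from pathlib import Path


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses the name currently resolves to."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def check_for_change(hostname, state_file, resolver=resolve_ipv4):
    """Compare the current DNS answer with the last one saved.

    Returns None when nothing changed or the lookup cannot be trusted;
    otherwise a dict with the added/removed addresses and the /32 prefixes
    to place in the NSG rule's source address list.
    """
    state_file = Path(state_file)
    previous = set(json.loads(state_file.read_text())) if state_file.exists() else set()
    try:
        current = set(resolver(hostname))
    except OSError:
        return None  # lookup failed: keep the existing firewall rule
    # Reject empty answers and anything that is not a public address, so a
    # bad or spoofed DNS reply cannot empty or widen the allow list.
    if not current or not all(ipaddress.ip_address(a).is_global for a in current):
        return None
    if current == previous:
        return None
    state_file.write_text(json.dumps(sorted(current)))
    return {
        "added": sorted(current - previous),
        "removed": sorted(previous - current),
        "nsg_source_prefixes": [f"{a}/32" for a in sorted(current)],
    }


if __name__ == "__main__":
    # Hypothetical host name: replace with the host part of your F&O URL.
    change = check_for_change("your-environment.example.com", "fo_ip_state.json")
    print(change or "no change")
```

A failed or implausible lookup leaves the saved state untouched, so the existing NSG rule stays in place until a trustworthy answer arrives.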
Please, but when using a custom VNET, the client URL cannot be reached.
But it can be reached from within the VM.
What really does LCS D365 FO need to be enabled in NSG to allow that? We have an issue with the public IP address, as we don’t allow that as it is public.