I am designing an architecture to transfer security alerts from Microsoft Defender to an internal system.
Current situation:
- Alerts originate from Microsoft Defender (Endpoint / Office 365).
- Power Automate runs in Microsoft cloud (Azure).
- Our internal infrastructure is reachable only through VPN and is not exposed to the internet.
- We want to send alert data from Power Automate to an internal API that forwards the data to an internal tool.
Security requirements:
- Prefer no public exposure of the internal network
- Minimize inbound firewall rules
- Use strong authentication between cloud and on-prem
- Maintain reliability for alert delivery
Question:
What architecture would be considered best practice for securely delivering Power Automate events into a private on-premises network?
Is an Azure-hosted integration layer with VPN connectivity generally preferred?
Any guidance or reference architectures would be appreciated.