As a serverless compute service, Azure Functions enables you to run code on demand without explicitly managing or provisioning infrastructure. Azure Functions offers a range of powerful security features that can be easily enabled. By default, Azure Functions are isolated from the internet and from Azure resources owned by other customers.
Security aspects:
- Enforce HTTPS for all communications. If you have a custom domain, you can upload an SSL certificate.
- Use Azure Function App settings (Settings – Environment variables – App settings) instead of configuration files.
- Ensure the security of your Azure function by leveraging the Authorization Level property (Function, Anonymous, Admin) to control access.
- Use Azure Key vault to store the function app secrets.
- Protect your Azure function endpoints by implementing IP restrictions.
- Use VNet Integration to restrict your function app from accessing or being accessed from the public internet.
- Manage incoming requests using Azure Front Door and Web Application Firewall.
In this post, you will explore why VNet integration matters for securing an Azure function, and I will provide a quick step-by-step guide to secure a function following this approach.
Azure function app VNet Integration
To support Azure Function VNet integration, you need a Premium Azure function, an App Service Plan at the Basic tier or higher, or an App Service Environment. Without VNet integration, an Azure function has a public IP address exposed to the Internet.
The virtual network integration is used only for outbound calls between your app and your virtual network.
In networking, we have inbound and outbound traffic. Inbound traffic refers to traffic coming into the Azure function, i.e., from anyone who is calling or initiating the function application. You can restrict access to private endpoints or create rules to control inbound traffic.
Inbound traffic configuration
The steps below show how to create a Private endpoint to secure inbound traffic to the Azure Function app.
Select + Add – Express
The “Add Private Endpoint” form opens. Type a Name for your Private Endpoint, select your VNet and the subnet that will host the function app's private endpoint, leave “Integrate with private DNS Zone” as is, and click OK.
This will create a secure connection from the VNet to the Azure Function App.
Following the creation of the Private Endpoint, the following resources are created.
Private endpoint
In the Private endpoint, a DNS entry has been created: grammatikos.privatelink.azurewebsites.net.
Network interface
In the Network interface, you can see the Private IP address. Traffic between the VNet and the Azure Function App flows over this Private IP.
Private DNS Zone
The required DNS entries for the Private Endpoint have been created.
Now that inbound traffic to the Azure function is secured, let’s do the same for the outbound traffic.
Outbound traffic configuration
At the moment, the Outbound traffic is not configured. In the steps below, I will show you how to do this.
On the “Virtual network integration“, click “Not configured” to begin the configuration.
Select “Add virtual network integration”
Click to add the Virtual Network to which you want to restrict access, then select another subnet i.e. functionSubnet and click Connect.
As the image below depicts, the Virtual Network Integration is enabled for the outbound traffic to the “functionSubnet”.
In order to route all of your outgoing function app traffic over your virtual network, make sure outbound internet traffic is enabled.
Azure Storage Account Firewalls and virtual networks
Now, let us secure the Azure storage account.
To do so, go to Security + networking – Networking – Firewalls and virtual networks, and under Public network access choose “Enabled from selected virtual networks and IP addresses“. By doing this you restrict access to the storage account to specific VNets or IP addresses. Then click + Add existing virtual network.
Select the VNet and the subnet(s) that you want to enable access for.
After saving the changes, storage account access is secured and the account is only accessible from the VNet.
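The three portal steps above (private endpoint for inbound, VNet integration for outbound, storage firewall limited to the function subnet) expressed as a Bicep template, added here as an example and not taken from the original post. It assumes an existing plan (planId) and VNet (vnetId) with two subnets: functionSubnetId, delegated to Microsoft.Web/serverFarms and carrying the Microsoft.Storage service endpoint, and endpointSubnetId for the private endpoint NIC; all resource names are placeholders.

```bicep
param location string = resourceGroup().location
param functionAppName string
param storageName string
param planId string            // existing Premium / App Service plan (assumed)
param vnetId string
param functionSubnetId string  // delegated to Microsoft.Web/serverFarms, Microsoft.Storage endpoint
param endpointSubnetId string  // hosts the private endpoint NIC
// Storage firewall: "Enabled from selected virtual networks and IP addresses"
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices', virtualNetworkRules: [ { id: functionSubnetId, action: 'Allow' } ] }
  }
}
// Outbound: VNet integration on functionSubnet, all egress forced through the VNet
resource func 'Microsoft.Web/sites@2022-09-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: planId
    virtualNetworkSubnetId: functionSubnetId
    vnetRouteAllEnabled: true
    publicNetworkAccess: 'Disabled' // explicit deny, so inbound reachability is private-endpoint only
  }
}
// Inbound: private endpoint on the "sites" sub-resource, registered in privatelink.azurewebsites.net
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${functionAppName}-pe'
  location: location
  properties: {
    subnet: { id: endpointSubnetId }
    privateLinkServiceConnections: [ { name: 'sites', properties: { privateLinkServiceId: func.id, groupIds: [ 'sites' ] } } ]
  }
}
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.azurewebsites.net', location: 'global' }
resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'func-vnet-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnetId } }
}
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'sites', properties: { privateDnsZoneId: dnsZone.id } } ] }
}
```

After deployment, check the result from a VM inside the VNet: resolving the function hostname should return the private endpoint's IP from the Network interface step, and the same hostname should not answer from the public Internet.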
Useful Links
- Integrate your app with an Azure virtual network
- Enable virtual network integration in Azure App Service
- Manage Azure App Service virtual network integration routing
- How to use a secured storage account with Azure Functions
- Azure Functions networking options