What are the ways to secure Azure functions

c# azure security azure-functions azure-security
Galet picture Galet · Oct 7, 2017 · Viewed 10.5k times · Source

I have written 5 Azure functions in Azure Portal using c#.

Below are the steps to install my application:-

  • Copy deployment scripts to the Edge node of the cluster
  • Deployment scripts to do the following
    • Call Azure functions to do get my application builds from WASB.
    • Install my application on Edge node
    • Call Azure functions to do some updation.

Above process will be executed on the Customer Edge node.

The authorization using “keys” described here is just to provide another layer of API key authorization and is not applicable when my script needs to be called by a public client (like edge node) since it is discover-able there.

What are the best ways to secure the Azure Functions in my scenario?

Answer

Noel picture Noel · Oct 7, 2017

By default azure functions are public . So you deploy them and the endpoint is available publicly via the address on the function. As you mentioned , you can set function level access, which means you need to pass an access key. So they are kind if protected.

There are some other options though:

You can build functions inside a vnet using the azure environment service. But for this you pay good money and you have to use the service plan version of azure functions.

I have combined API Management with functions. API Management is a way to expose your apis to consumers but maintain lots of control over the usage. The Api Management component does not prevent the public azure address being available but I have implemented pattern in code which checks for a special token which is appended to a http request as part of the app management pass-through. Or alternatively you can set IP restrictions on the Function app to allow traffic only from the API Management endpoint. (IP Address) So effectively you can only go to the function via the app management.

Just a note on the above, Azure portal has removed the ability to set IP restrictions via the standard functions network tab. So you need to go into the resource explorer and set the IP restrictions manually in the web config section.

Lastly , you could set up an oauth server and validate the token in the function or in an api management component or both.

Related questions

How to get connection string out of Azure KeyVault?

A hypothetical web-site currently connects using: public SqlConnection CreateConnection() { DbConnection connection = new SqlConnection(); connection.ConnectionString = GetConnectionString(); connection.Open(); return connection; } Where the magical connection string is stored in web.config: String GetConnectionString() { //Get the connection string info from web.config …

Read More
Could not load file or assembly "System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

I've copied my project to a clean Windows 10 machine with only Visual Studio 2015 Community and SQL Server 2016 Express installed. There are no other framework versions installed apart from those installed with Windows 10 and VS2015 or SQL Server. When I try …

Read More
Microsoft Azure: How to create sub directory in a blob container

How to create a sub directory in a blob container for example, in my blob container http://veda.blob.core.windows.net/document/ If I store some files it will be http://veda.blob.core.windows.net/document/1.txt http://…

Read More