How to secure Azure Functions?

  1. Networking options (reference: Azure Functions networking options | Microsoft Learn)

    1. Inbound IP restrictions: use access restrictions to define a priority-ordered list of IP addresses that are allowed or denied access to your app. The list can include IPv4 and IPv6 addresses, or specific virtual network subnets using service endpoints. When there are one or more entries, an implicit "deny all" exists at the end of the list. IP restrictions work with all function-hosting options (Premium, Consumption and App Service).

    2. Inbound private endpoints: an Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. Works only with the Premium and App Service hosting options.

    3. Virtual network integration: virtual network integration allows your function app to access resources inside a virtual network. Azure Functions supports two kinds of virtual network integration:

      1. The dedicated compute pricing tiers

      2. The App Service Environment, which deploys directly into your virtual network

    4. Virtual network triggers (non-HTTP): non-HTTP trigger functions can run from within a virtual network (Premium and App Service plans), so you can connect non-HTTP trigger functions to services that run inside a virtual network.

    5. Hybrid connections (Windows only, on-premises): a feature of Azure Relay that you can use to access application resources in other networks. It provides access from your app to an application endpoint. It is available to functions that run on Windows in all but the Consumption plan.

    6. Outbound IP restrictions: outbound IP restrictions are available in a Premium plan, App Service plan, or App Service Environment. When you integrate a function app in a Premium plan or an App Service plan with a virtual network, the app can still make outbound calls to the internet by default. By integrating your function app with a virtual network with Route All enabled, you force all outbound traffic to be sent into your virtual network, where network security group rules can be used to restrict traffic (see NAT Gateway: Control Azure Functions outbound IP with an Azure virtual network NAT gateway | Microsoft Learn).

  2. Identity management

    1. Use a managed identity (a system-assigned identity is tied to your application; a user-assigned identity is a standalone Azure resource): a managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.

    2. Restrict the exposure of credentials and secrets by using Key Vault references: Azure Key Vault is a service that provides centralized secrets management, with full control over access policies and audit history. When an app setting or connection string is a Key Vault reference, your application code can use it like any other app setting or connection string.

  3. Data protection

    1. Encrypt sensitive data in transit: add TLS/SSL certificates (available in Azure App Service only).

    2. Use Microsoft Defender for Cloud monitoring: make sure policies are applied when the Azure Function is defined (e.g. require HTTPS, enforce a minimum TLS version, etc.).

  4. Threat detection & logging

    1. Function apps running in a dedicated plan can also use Defender for Cloud's enhanced security features for an additional cost.

    2. Functions also integrate with Azure Monitor Logs to let you consolidate function app logs with system events for easier analysis. You can use diagnostic settings to configure streaming export of platform logs and metrics for your functions to the destination of your choice, such as a Log Analytics workspace.
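The networking, identity and data protection settings listed above (inbound IP restrictions, Route All virtual network integration, a system-assigned managed identity, a Key Vault reference and HTTPS/TLS enforcement) can be declared together in one deployment. The following Bicep fragment is an added example, not code from the original notes or from Microsoft; the app name, plan ID, subnet ID, secret URI and IP range are placeholders to be replaced.

```bicep
// Added example, not from the original page: a Bicep fragment applying the
// hardening settings above to a function app on a Premium or App Service plan.
// All names, resource IDs and the IP range are placeholders you must supply.
param location string = resourceGroup().location
param appName string = 'func-hardened-placeholder'
param planId string                         // existing Premium or App Service plan
param subnetId string                       // delegated subnet for VNet integration
param storageSecretUri string               // Key Vault secret URI holding the storage connection string
param allowedCidr string = '203.0.113.0/24' // constructed example range (TEST-NET-3)

resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned'           // managed identity: no client secret to provision or rotate
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true                  // plain HTTP requests are refused
    virtualNetworkSubnetId: subnetId // regional virtual network integration
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      vnetRouteAllEnabled: true      // Route All: outbound traffic goes through the VNet and its NSG rules
      ipSecurityRestrictions: [
        {
          name: 'allow-corp-range'
          action: 'Allow'
          priority: 100
          ipAddress: allowedCidr
        }
        // with at least one entry present, the platform appends an implicit deny-all
      ]
      appSettings: [
        {
          name: 'FUNCTIONS_EXTENSION_VERSION'
          value: '~4'
        }
        {
          // Key Vault reference: resolved by the platform with the managed identity,
          // so the connection string itself never sits in the app configuration
          name: 'AzureWebJobsStorage'
          value: '@Microsoft.KeyVault(SecretUri=${storageSecretUri})'
        }
      ]
    }
  }
}
```

The managed identity still needs read access to the secret in Key Vault (an access policy or a secrets-reader role assignment) for the reference to resolve, and the VNet and Route All settings only apply on the Premium and App Service plans noted above, not on Consumption.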