I have written 5 Azure functions in Azure Portal using c#.
Below are the steps to install my application:-
Above process will be executed on the Customer Edge node.
The authorization using “keys” described here is just to provide another layer of API key authorization and is not applicable when my script needs to be called by a public client (like edge node) since it is discover-able there.
What are the best ways to secure the Azure Functions in my scenario?
By default azure functions are public . So you deploy them and the endpoint is available publicly via the address on the function. As you mentioned , you can set function level access, which means you need to pass an access key. So they are kind if protected.
There are some other options though:
You can build functions inside a vnet using the azure environment service. But for this you pay good money and you have to use the service plan version of azure functions.
I have combined API Management with functions. API Management is a way to expose your apis to consumers but maintain lots of control over the usage. The Api Management component does not prevent the public azure address being available but I have implemented pattern in code which checks for a special token which is appended to a http request as part of the app management pass-through. Or alternatively you can set IP restrictions on the Function app to allow traffic only from the API Management endpoint. (IP Address) So effectively you can only go to the function via the app management.
Just a note on the above, Azure portal has removed the ability to set IP restrictions via the standard functions network tab. So you need to go into the resource explorer and set the IP restrictions manually in the web config section.
Lastly , you could set up an oauth server and validate the token in the function or in an api management component or both.
AZURE ASE (App Service Environment) is way too expensive for only 5 functions. You can secure the functions by adding application gateway and whitelist the IP address of the Application gateway in the function. You can find more details here: Whitelisting in Azure Functions
This is all in addition to having token based or AAD based authentication and authorization (like 'Noel' mentioned in the previous reply).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With