
What are the ways to secure Azure functions

I have written 5 Azure Functions in the Azure Portal using C#.

Below are the steps to install my application:

  • Copy deployment scripts to the Edge node of the cluster
  • Deployment scripts do the following:
    • Call Azure Functions to get my application builds from WASB.
    • Install my application on the Edge node
    • Call Azure Functions to do some updates.

The above process will be executed on the customer Edge node.

The authorization using “keys” described here is just to provide another layer of API key authorization and is not applicable when my script needs to be called by a public client (like an Edge node) since it is discoverable there.

What are the best ways to secure the Azure Functions in my scenario?

Galet asked Oct 07 '17 07:10


2 Answers

By default, Azure Functions are public. So you deploy them and the endpoint is available publicly via the address on the function. As you mentioned, you can set function-level access, which means you need to pass an access key. So they are kind of protected.

There are some other options though:

You can build functions inside a VNet using the Azure environment service. But for this you pay good money, and you have to use the service plan version of Azure Functions.

I have combined API Management with functions. API Management is a way to expose your APIs to consumers but maintain lots of control over the usage. The API Management component does not prevent the public Azure address being available, but I have implemented a pattern in code which checks for a special token which is appended to an HTTP request as part of the app management pass-through. Alternatively, you can set IP restrictions on the Function app to allow traffic only from the API Management endpoint (IP address). So effectively you can only go to the function via the app management.

Just a note on the above: the Azure portal has removed the ability to set IP restrictions via the standard functions network tab. So you need to go into the resource explorer and set the IP restrictions manually in the web config section.

Lastly, you could set up an OAuth server and validate the token in the function or in an API Management component or both.

Noel answered Oct 12 '22 22:10
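
The "special token" check described in the answer above, sketched as an added example (not code from the answer or from any Azure sample). It uses the in-process C# function model; the header name `X-Gateway-Token`, the app setting `GATEWAY_SHARED_SECRET` and the function name are hypothetical, and the gateway in front is assumed to add the header on pass-through.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class GetBuild
{
    // Hypothetical names: the header the gateway adds and the app setting holding the secret.
    private const string TokenHeader = "X-Gateway-Token";
    private const string SecretSetting = "GATEWAY_SHARED_SECRET";

    // Constant-time comparison so response timing does not leak how much of the token matched.
    internal static bool TokenMatches(string presented, string expected)
    {
        if (string.IsNullOrEmpty(presented) || string.IsNullOrEmpty(expected))
            return false; // fail closed when the header or the app setting is missing

        // Hash both sides so FixedTimeEquals always compares equal-length buffers.
        using (var sha = SHA256.Create())
        {
            byte[] a = sha.ComputeHash(Encoding.UTF8.GetBytes(presented));
            byte[] b = sha.ComputeHash(Encoding.UTF8.GetBytes(expected));
            return CryptographicOperations.FixedTimeEquals(a, b);
        }
    }

    [FunctionName("GetBuild")]
    public static IActionResult Run(
        // The function key is still required; the gateway token is a second check.
        [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,
        ILogger log)
    {
        string expected = Environment.GetEnvironmentVariable(SecretSetting);
        string presented = req.Headers[TokenHeader]; // converts to null when the header is absent

        if (!TokenMatches(presented, expected))
        {
            // Record the rejection for monitoring, never the token value itself.
            log.LogWarning("Rejected request without a valid gateway token");
            return new UnauthorizedResult();
        }

        return new OkObjectResult("placeholder response");
    }
}
```

Because the secret lives in an app setting rather than in the deployment script, it can be rotated at the gateway and the Function app without touching anything shipped to the Edge node.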


Azure ASE (App Service Environment) is way too expensive for only 5 functions. You can secure the functions by adding an Application Gateway and whitelisting the IP address of the Application Gateway in the function. You can find more details here: Whitelisting in Azure Functions

This is all in addition to having token-based or AAD-based authentication and authorization (like 'Noel' mentioned in the previous reply).

MuazzamAli answered Oct 12 '22 22:10