Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What are the ways to secure Azure functions

Tags:

c#

security

azure

azure-functions

azure-security

I have written 5 Azure functions in Azure Portal using c#.

Below are the steps to install my application:-

  • Copy deployment scripts to the Edge node of the cluster
  • Deployment scripts to do the following
    • Call Azure functions to do get my application builds from WASB.
    • Install my application on Edge node
    • Call Azure functions to do some updation.

Above process will be executed on the Customer Edge node.

The authorization using “keys” described here is just to provide another layer of API key authorization and is not applicable when my script needs to be called by a public client (like edge node) since it is discover-able there.

What are the best ways to secure the Azure Functions in my scenario?

like image 559
Galet Avatar asked Oct 07 '17 07:10

Galet

2 Answers

By default azure functions are public . So you deploy them and the endpoint is available publicly via the address on the function. As you mentioned , you can set function level access, which means you need to pass an access key. So they are kind if protected.

There are some other options though:

You can build functions inside a vnet using the azure environment service. But for this you pay good money and you have to use the service plan version of azure functions.

I have combined API Management with functions. API Management is a way to expose your apis to consumers but maintain lots of control over the usage. The Api Management component does not prevent the public azure address being available but I have implemented pattern in code which checks for a special token which is appended to a http request as part of the app management pass-through. Or alternatively you can set IP restrictions on the Function app to allow traffic only from the API Management endpoint. (IP Address) So effectively you can only go to the function via the app management.

Just a note on the above, Azure portal has removed the ability to set IP restrictions via the standard functions network tab. So you need to go into the resource explorer and set the IP restrictions manually in the web config section.

Lastly , you could set up an oauth server and validate the token in the function or in an api management component or both.

like image 56
Noel Avatar answered Oct 12 '22 22:10

Noel

AZURE ASE (App Service Environment) is way too expensive for only 5 functions. You can secure the functions by adding application gateway and whitelist the IP address of the Application gateway in the function. You can find more details here: Whitelisting in Azure Functions

This is all in addition to having token based or AAD based authentication and authorization (like 'Noel' mentioned in the previous reply).

like image 43
MuazzamAli Avatar answered Oct 12 '22 22:10

MuazzamAli
Sign in to Comment

Related questions

How to pass parameter to constructor deserializing json
StackOverflowExceptions in nested async methods on unwinding of the stack
Multiple types in one dynamic assembly is way slower than multiple dynamic assemblies with one type each
Organizing Extension Methods [closed]
Setup targeting both x86 and x64?
Why doesn't Đ get flattened to D when Removing Accents/Diacritics
ASP.NET MVC: How to serve content while returning status code 404? [duplicate]
Why was IEquatable T not made contravariant in T for C# 4.0?
Async CTP and "finally"
Is it possible to remove an existing registration from Autofac container builder?
Entity Framework connection string not from config
what is the use of .CSProj and .Sln file? [closed]
How to play a WPF Sound File resource
Is there a way to find the first string that matches a DateTime format string?
Resharper 8 could not find implementations of interfaces
Could not load file or assembly 'Microsoft.Practices.Unity'
Using ASP.NET in GitHub Pages
Controlling DateTime parameter formatting in WebAPI 2
Post Stream in ASP.NET Core Web Api
Why should I inject IHttpContextAccessor as a Singleton

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!