Reputation: 2250
Currently my functions are accessible publicly. Is there a way to make it so that they can only be accessed via something else, like an API gateway, and not directly? I tried adding a VNET via the "networking" blade but I don't think that did anything (I could still call the functions publicly)... I think that just makes it so the functions could access resources on a private network. I didn't see any options in the settings to make the IP private. I'm not very well versed in networking-related issues, so apologies if I'm being unclear.
Upvotes: 10
Views: 8598
Reputation: 598
IP restrictions can be used to restrict access to whitelisted IPs. You can do it via the Portal - https://learn.microsoft.com/en-gb/azure/app-service/app-service-ip-restrictions or in the web.config with ipSecurity
Upvotes: 0
Reputation: 18414
You can apply access restrictions to an Azure Function. The documentation can be found here.
You can use PowerShell AZ module to create a rule (or the portal if you prefer).
    Add-AzWebAppAccessRestrictionRule `
        -ResourceGroupName "ResourceGroup" `
        -WebAppName "AppName" `
        -Name "Ip example rule" `
        -Priority 100 `
        -Action Allow `
        -IpAddress 122.133.144.0/24
Docs for Add-AzWebAppAccessRestrictionRule can be found here.
Upvotes: 1
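An added example, not part of the answer above: locking the function app down to a single gateway address with the same cmdlet, applying the rules to the deployment (SCM) site as well, and checking the result from a machine that is not the gateway. The resource names, the gateway address (a documentation-range IP), the `azurewebsites.net` hostname and the `HttpTrigger` route are assumptions.

```powershell
# Placeholders (assumptions, replace with your own values)
$rg      = "ResourceGroup"       # resource group of the function app
$app     = "AppName"             # function app name
$gateway = "203.0.113.10/32"     # constructed example: the gateway's outbound IP

# Allow only the gateway. As soon as one rule exists, App Service adds an
# implicit "Deny all" at the end of the list, so no explicit deny is needed.
Add-AzWebAppAccessRestrictionRule `
    -ResourceGroupName $rg `
    -WebAppName $app `
    -Name "Allow gateway only" `
    -Priority 100 `
    -Action Allow `
    -IpAddress $gateway

# The SCM (Kudu) site keeps its own rule list; make it inherit the main site's
# rules so the deployment endpoint is not left open to the internet.
Update-AzWebAppAccessRestrictionConfig `
    -ResourceGroupName $rg `
    -Name $app `
    -ScmSiteUseMainSiteRestrictionConfig

# Review what is now configured.
$config = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app
$config.MainSiteAccessRestrictions
$config.ScmSiteUseMainSiteRestrictionConfig

# Verify from a machine that is NOT the gateway.
# 403 = blocked by the access restriction before reaching the function host.
# 401 = the request reached the host and only the function key stopped it.
$uri = "https://${app}.azurewebsites.net/api/HttpTrigger"   # hypothetical route
try {
    Invoke-WebRequest -Uri $uri -UseBasicParsing | Out-Null
    Write-Warning "Function is still reachable directly from this address."
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 403) {
        Write-Output "Blocked by access restriction (403), as intended."
    } else {
        Write-Warning "Unexpected status $status; the request was not blocked at the network rule."
    }
}
```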
Reputation: 1620
The built-in keys support is meant to provide an option for this. You can require all requests to include an API key which is only shared with resources you care about. In fact, all HTTP-triggered functions require a key by default. You would have to explicitly choose to remove this requirement.
Keys aren't a networking solution though, and if you leak the keys, someone could access your APIs (until you roll the keys). You are correct that the VNet support is point-to-site, meaning it can access resources, but the function app is not protected itself. An App Service Environment would solve that, although Kai's comment on the original question is correct - ASE is not yet available for Functions.
In addition to keys, you could look at using App Service Authentication / Authorization to require an AAD service principal. This is effectively like a key, but has additional benefits if you are modeling other entities in AAD. Unless you know you need this, though, I would stick with keys.
Upvotes: 11
Reputation: 2063
With CORS functionality you can restrict access to your Azure Function. To configure this, check the following link: Azure Function Settings, at the CORS section.
Upvotes: 1