Securing Azure Functions using an Azure Virtual Network

In this post, an Azure Function is deployed in a Azure Virtual Network and the access to the Azure Function is restricted so that it cannot be reach from the Internet. Only Applications deployed in the same VNET can access the Azure Functions.

Code: https://github.com/damienbod/AzureFunctionsSecurity

Blogs in the series

Target Setup

The Virtual network will be setup so that the Azure Functions cannot be used directly from the Internet. The Azure Functions can only be accessed from applications inside the same VNET. An Azure App Service was added to this VNET and can access the Functions. This Web application can be used from the Internet.

Setting up the Applications

Two applications were created to demonstrate the restricted access. An ASP.NET Core Web application was created which will access the API implemented using an Azure Function.

When the applications are deployed to Azure, the API can be accessed in the browser.

The web application also works. This application calls the API in the Index page.

The API is called using an HttpClient.

private readonly ILogger<IndexModel> _logger;
private readonly IHttpClientFactory _clientFactory;
private readonly IConfiguration _configuration;

[BindProperty]
public string RandomString {get;set;}

public IndexModel(IHttpClientFactory clientFactory, 
	IConfiguration configuration, 
	ILogger<IndexModel> logger)
{
	_logger = logger;
	_clientFactory = clientFactory;
	_configuration = configuration;
}

public async Task OnGetAsync()
{
	var client = _clientFactory.CreateClient();
	RandomString = await 
		client.GetStringAsync(_configuration["FunctionsApiUrl"]);
}

All is working and everything is unprotected.

Create an Azure VNET

A simple VNET can be created in the portal. Search for Virtual network and created a new one.

The VNET was created with all the default settings. We don’t require any of the extra VNET features to prevent access from the Internet to the Azure Function.

Add the application to an Azure VNET

The two Azure App Service applications can now be added to the Azure Virtual Network. Click the Networking blade of the Azure Function and then the Click here to configure link.

Select the VNET which was created.

Once configured, you can see that the application is added to the Azure Virtual Network. Do the same for the second Azure App Service and add this to the same VNET.

Restricted access to the Functions.

Now the access to the Azure Functions can be restricted. In the Networking blade of the Azure Functions, click the Configure Access Restrictions link. This is a bit strange at first, but to restrict the access to only the Azure App Service Web Application in the same Azure Virtual network, you only need to allow access to all within the VNET. By default, all is allowed. When you add an access restriction, then a “deny all” will get added with a lower priority. Add an Allow access rule for the VNET.

When created, you will see two access rules. The Allow access and the Deny All.

If you try to access the Functions from the browser, a 403 – Forbidden will be returned. If you start the web application, all works and the data from the function is returned in the Index page.

Note

The network security is working. This alone is not enough as the application and the function are unprotected. The API should be protected as well. If something is incorrectly setup in the network or re-configured, the application is not protected, so always protect both the application and the network if possible.

Links:

https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts

https://docs.microsoft.com/en-us/azure/virtual-network/

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources

https://docs.microsoft.com/en-us/azure/virtual-network/quickstart-create-nat-gateway-portal

http://www.subnet-calculator.com/

2 comments

  1. […] Securing Azure Functions using an Azure Virtual Network (Damien Bowden) […]

  2. […] Securing Azure Functions using an Azure Virtual Network – Damien Bowden […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: