Inter function app communication best practice

Christian Pedersen 0 Reputation points
2024-07-25T20:10:18.7233333+00:00

Hello,

I'm working on a project and trying to determine the best practices for inter-Function App communication.

My goal is to have one Function App that communicates with a backend database, while also having some tasks run asynchronously on other Function Apps. The structure is as follows:

  1. BackendAPI (HTTP interface, has access to the CosmosDB)
  2. BackendProcessor (Triggered by message queue, created by BackendAPI)

The BackendProcessor should be able to fetch additional information from the BackendAPI, which communicates with the database. I want to avoid putting full content in the message queue.

Additionally, certain endpoints of the BackendAPI will be exposed via Azure API Management.

My question is: What is the best practice for authentication between Function Apps? Specifically, how should I secure the BackendAPI so that it works with both API Management and the "processor" apps that need to communicate with it on the backend?


1 answer

  1. Pinaki Ghatak 3,265 Reputation points Microsoft Employee
    2024-07-26T11:07:13.5133333+00:00

    Hello @Christian Pedersen

    In terms of authentication and securing your BackendAPI, there are a few options you can consider. One option is to use Azure Active Directory (AAD) to authenticate and authorize access to your Function Apps. You can configure your BackendAPI to require authentication using AAD, and then configure your other Function Apps to use the same AAD tenant and authenticate with the appropriate credentials.

    This will ensure that only authorized users and applications can access your BackendAPI.

    Another option is to use shared access signatures (SAS) to authenticate and authorize access to your Function Apps. With SAS, you can generate a token that grants access to a specific resource for a specific period of time. You can configure your BackendAPI to require a SAS token for access, and then generate and provide the token to your other Function Apps as needed.

    In terms of securing your BackendAPI for use with both API Management and your processor apps, you can configure API Management to authenticate with AAD or SAS as well.

    This will allow API Management to act as a gateway for your BackendAPI, handling authentication and authorization for incoming requests.

    Your processor apps can then authenticate with the BackendAPI using the same AAD or SAS credentials as API Management.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.
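
One way the BackendAPI could tell API Management and the processor app apart once AAD (Microsoft Entra ID) authentication is in place, as an added example that is not part of the original answer: check tenant, audience, calling application and app role on the token claims. It assumes the token's signature, issuer and expiry were already validated upstream; every ID, the audience URI and the role names are constructed placeholders.

```python
# Added example: authorization on claims from an ALREADY VALIDATED Entra ID token.
# Signature, issuer and expiry checks are assumed to be done upstream.
# Every ID, URI and role name below is a constructed placeholder.
TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000000"
BACKEND_CLIENT_ID = "bbbbbbbb-0000-0000-0000-000000000000"
# v1 tokens carry the App ID URI in "aud", v2 tokens carry the client ID.
ACCEPTED_AUDIENCES = {"api://backendapi-example", BACKEND_CLIENT_ID}

# Calling application (client ID) -> app roles it is allowed to use.
ALLOWED_CALLERS = {
    "cccccccc-0000-0000-0000-000000000000": {"Api.Public"},    # API Management
    "dddddddd-0000-0000-0000-000000000000": {"Records.Read"},  # BackendProcessor
}


def authorize(claims, required_role):
    """Return (allowed, reason) for one request to BackendAPI."""
    if claims.get("tid") != TENANT_ID:
        return False, "wrong tenant"
    aud = claims.get("aud")
    if not isinstance(aud, str) or aud not in ACCEPTED_AUDIENCES:
        return False, "token was not issued for BackendAPI"
    # "azp" is the v2 claim name, "appid" the v1 name for the calling app.
    caller = claims.get("azp") or claims.get("appid")
    if caller not in ALLOWED_CALLERS:
        return False, "calling application not on allowlist"
    roles = claims.get("roles") or []
    if isinstance(roles, str):
        roles = [roles]
    if required_role not in roles:
        return False, "token lacks required app role"
    # Defense in depth: a role assigned by mistake does not widen access.
    if required_role not in ALLOWED_CALLERS[caller]:
        return False, "role not permitted for this caller"
    return True, "ok"


if __name__ == "__main__":
    processor_token = {  # constructed sample claims
        "tid": TENANT_ID, "aud": BACKEND_CLIENT_ID,
        "azp": "dddddddd-0000-0000-0000-000000000000",
        "roles": ["Records.Read"],
    }
    print(authorize(processor_token, "Records.Read"))
    print(authorize(processor_token, "Api.Public"))
```
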