How to monitor for requests blocked by network access restriction (on function app)

Smock 0 Reputation points
2024-07-26T01:27:43.0033333+00:00

We have a third party integration that sends us webhooks which we use a function app to handle.
The third party does not sign their requests and will not pass access keys (or anything similar) in their query string or headers.

Given this, to prevent others from being able to maliciously trigger these webhooks, we have implemented network access restrictions to limit requests to a handful of ip addresses.

However, we would like to be able to monitor for when these access restrictions block requests as we are not entirely sure the set of ip addresses used by this third party will never change (and they are unlikely to proactively tell us if they do).

Is there anywhere we could query or monitor to alert if one of these network access restrictions denies a request to our function app? I have tried all the workspace tables I can think of but haven't had any luck.

Azure Functions

1 answer

  1. Pinaki Ghatak 4,610 Reputation points Microsoft Employee
    2024-07-26T10:50:32.4433333+00:00

    Hello @Smock

    To monitor for requests blocked by network access restriction on your function app, you can use the diagnostic logs feature in Azure Functions.

    First, you need to enable diagnostic logs for your function app. You can do this by going to your function app in the Azure portal, selecting "Diagnostic settings" under the Monitoring section, and then adding a new diagnostic setting.

    In the diagnostic setting, you can select the "AppServiceHTTPLogs" category and choose to send the logs to a storage account or an event hub.

    Once you have enabled diagnostic logs, you can query the logs to see if any requests have been blocked by the network access restrictions.

    You can use Kusto Query Language (KQL) to query the logs. Here is an example query that you can use to find blocked requests:

    AzureDiagnostics
    | where Category == "AppServiceHTTPLogs"
    | where OperationName == "Microsoft.Web/sites/restrictions"
    | where ResultDescription == "Access Denied"

    This query filters the logs to show only the entries related to network access restrictions and then filters further to show only the entries where access was denied.

    You can modify the query to filter by specific IP addresses or time ranges as needed. You can also set up alerts based on this query to receive notifications when a request is blocked by the network access restrictions. To do this, you can go to the "Alerts" section in the Azure portal and create a new alert rule based on the query results.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.
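Added example, not part of the original question or answer. Two queries that surface requests denied by App Service access restrictions, written against the resource-specific log tables (the diagnostic setting must send the categories to a Log Analytics workspace, not only to a storage account or event hub, for KQL to be usable). A request rejected by an IP restriction is answered with HTTP 403 at the front end and never reaches the Functions host, which is why it does not show up in Application Insights `requests`. Table and column names (`AppServiceHTTPLogs`, `AppServiceIPSecAuditLogs`, `ScStatus`, `CIp`, `CsHost`, `CsUriStem`, `Result`, `Details`), the `/api/` route prefix and the allow-list addresses are assumptions for illustration; confirm them in your workspace with `AppServiceHTTPLogs | getschema` before relying on them. If the setting is in the legacy `AzureDiagnostics` table instead, the same fields appear with type suffixes (`ScStatus_d`, `CIp_s`, `CsHost_s`).

```kql
// Added example; column and table names are assumed, verify with `| getschema`.
// Run each query separately in the Logs blade (a Log Analytics query is one statement).

// Query 1: HTTP logs. Access-restriction denials are 403s from a client IP that is
// not on the allow-list, on the webhook route. Group by source IP so a vendor that
// silently moved to a new address range stands out as one row with a high count.
let allowed_ips = dynamic(["203.0.113.10", "203.0.113.11"]);   // constructed placeholder list
AppServiceHTTPLogs
| where TimeGenerated > ago(1h)
| where ScStatus == 403                       // 403 Forbidden is what the IP restriction returns
| where CsUriStem startswith "/api/"           // webhook route prefix; adjust to your function route
| summarize blocked = count(),
            first_seen = min(TimeGenerated),
            last_seen  = max(TimeGenerated)
          by CIp, CsHost
| where CIp !in (allowed_ips)                  // anything not on the current allow-list
| order by blocked desc

// Query 2: the dedicated IP security audit category, which records the restriction
// decision itself rather than the HTTP outcome. Enable "IPSecurity Audit logs" in the
// same diagnostic setting. `Result` is assumed to be "Allowed" or "Denied".
AppServiceIPSecAuditLogs
| where TimeGenerated > ago(1h)
| where Result == "Denied"
| summarize denied = count(), last_seen = max(TimeGenerated) by CIp, CsHost, Details
| order by denied desc
```

For alerting, wrap either query in a log search alert rule with a threshold of "number of results greater than 0" over a 5 to 15 minute window; Query 1 is the one to alert on if you want to catch a changed vendor address range, since a steady stream of 403s from a single unknown IP on the webhook route is exactly that signature, while scattered single hits from many IPs are ordinary internet scanning and can be suppressed by raising the `blocked` threshold. Keep the `allowed_ips` list in the query in step with the access restriction rules so the alert does not fire on addresses you have already admitted.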

