Securing Azure Function App

Volodymyr Litovka 121 Reputation points
2023-05-29T20:58:58.7733333+00:00

Hi,

I need to secure access to an Azure Function App by a list of allowed IP addresses. The environment is:

  • Function App used by Azure Monitor as an Action
  • Function App has VNet integration

The most preferred way is to only accept incoming requests over VNet integration, but I cannot figure out how this can be achieved. In Azure, in general, this can be done by creating a PE on the source side to the destination (in my case - from Azure Monitor to the FunctionApp), registering the PE's address in a private DNS zone on the source side and configuring an NSG to allow access from source to destination. However, it looks impossible in my scenario - the FunctionApp's settings Networking/Inbound Traffic/Private Endpoints allow specifying only my VNets as a source, not Azure Services.

Another way is to limit access by the 'ActionGroups' IP address pool (available at https://docs.microsoft.com/azure/virtual-network/service-tags-overview#discover-service-tags-by-using-downloadable-json-files), which, however, changes regularly (e.g. since Sep 2020 there were 20+ changes) and, thus, requires periodic refresh. I don't like it because this is an Alerting service and I don't want to lose critical alerts just because the list of possible source addresses changed a few minutes ago.

Are there any reliable ways to allow access to the FunctionApp for the Azure Monitor's Actions only and deny all other sources?

Thank you.

Azure Functions

Accepted answer
  AirGordon 7,030 Reputation points
    2023-05-31T22:11:59.1066667+00:00

    The URL for the Action Group webhook has to be over the public internet.

    You could try and leverage the IP address pool, as you've suggested - but it will change over time, and this won't be the best fault to build into a notification system. Your concern is that a 3rd party will access the Azure Function and spoof critical alerts? The Azure Function does use keys to aid authentication, but I understand that a network level limitation is preferable to lots of users.

    Network Security Groups do support ActionGroup as a service tag, which serves to limit inbound access to just Action Group traffic.


    Additionally, Action Groups support secure webhook as an option which might be preferable to you, but doesn't operate on a private network.

    You could also opt to put the notification into Event Hub, and then trigger an Azure Function to do the work you need.


1 additional answer

  Volodymyr Litovka 121 Reputation points
    2023-06-01T12:55:24.0566667+00:00

    In Networking / Access Restrictions you can create a rule with the ServiceTag 'ActionGroup' - this is exactly what I need, thus having Allow from ActionGroup and Deny everything else.

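The Allow-from-ActionGroup / Deny-everything-else configuration described in the thread, written as an added Bicep example (not code from either poster or from Microsoft's documentation). The app name, plan id and rule names are placeholders; the rule shape is the `ipSecurityRestrictions` array that Networking / Access Restrictions edits in the portal.

```bicep
// Added example: inbound access restrictions that accept only Azure Monitor
// Action Group callers (service tag) and deny every other public source.
// Placeholders: functionAppName, serverFarmId, rule names.
param functionAppName string = 'func-alerts-placeholder'
param location string = resourceGroup().location
param serverFarmId string // resource id of an existing App Service plan (assumed)

resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: serverFarmId
    httpsOnly: true // webhook URL is public; keep it TLS-only
    siteConfig: {
      ipSecurityRestrictions: [
        {
          // Service-tag rule: the platform resolves the 'ActionGroup' address
          // ranges itself, so the rule does not go stale when the ranges change.
          name: 'AllowActionGroup'
          description: 'Azure Monitor action group webhook callers'
          ipAddress: 'ActionGroup'
          tag: 'ServiceTag'
          action: 'Allow'
          priority: 100
        }
        {
          // Explicit catch-all deny at the lowest precedence; this is the rule
          // the portal shows as "Deny all" once any Allow rule exists.
          name: 'DenyAll'
          ipAddress: 'Any'
          action: 'Deny'
          priority: 2147483647
        }
      ]
      // The Kudu/SCM endpoint has its own list; do not inherit the main-site
      // rules (that would block deployments), restrict it to your deployment
      // sources separately.
      scmIpSecurityRestrictionsUseMain: false
    }
  }
}
```

The function key remains the second layer the accepted answer mentions: the service tag limits who can reach the endpoint at the network level, the key limits who can invoke it.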