Hi KT,
To answer your question, if you're deploying an Azure Function as part of a managed application, you'll likely want to ensure that end users (those who deploy the managed application) can't access the source code of the Azure Function.
Here are some options to consider:
- Azure Functions Premium Plan with Private Endpoints: The premium plan for Azure Functions offers the ability to use VNET integration and private endpoints. This allows you to make sure that the Azure Function is only accessible from certain VNETs, which can provide a level of isolation.
- Use Compiled Code: Instead of deploying script files (.csx, .js, .py, etc.), use precompiled binaries. For instance, if you're using C#, you can compile your function app to a DLL, which makes it more difficult (though not impossible) for someone to retrieve and understand the source code.
- Obfuscation: As you mentioned, you can obfuscate your code. This doesn't prevent access to the code, but it does make it much harder to understand. Tools like ConfuserEx can be used for .NET applications, and there are similar tools for other languages.
- Azure Managed Applications RBAC: If you're packaging your resources as an Azure Managed Application, you can use Azure's Role-Based Access Control (RBAC) to limit permissions. Azure Managed Applications give the managed resource group a 'User Access Administrator' role to the managed application's service principal. This allows the application to manage resources, but it also implies that if the service principal's credentials are compromised or misconfigured, it could allow broader access.
- Azure Policy: Deploy Azure Policy definitions and assignments as part of your managed application to enforce specific requirements or restrictions. While this won't hide the code, it can prevent certain unwanted configurations or deployments.
- Azure Function Proxies: Instead of exposing your function directly, you can use Azure Function Proxies to create a facade. This doesn't hide the code, but it can mask the actual function endpoint.

It's important to understand that no method will be 100% foolproof. A determined attacker with the right permissions can likely retrieve the source code or binary, but these methods can make it significantly more challenging.
It's also always a good practice to follow the principle of least privilege: grant only the permissions necessary for a user or service to perform its job and nothing more. This can help in limiting potential exposure points.
I hope this helps.
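The RBAC and least-privilege points above are the kind of thing worth checking mechanically. Below is an added example (not from the original answer or from Microsoft) that audits a list of role assignments shaped like `az role assignment list` output and flags broad built-in roles granted outside the managed resource group; the subscription ID, resource names and principal names are constructed placeholders.

```python
"""Flag Azure RBAC role assignments broader than least privilege requires.

Added example, not part of the original answer. Runs offline over a
constructed list shaped like `az role assignment list -o json` output.
"""
from typing import Iterable, List

# Built-in roles that grant broad control: expected on the managed resource
# group, suspicious at subscription or management-group scope.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how wide it is."""
    s = scope.lower()
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/resourcegroups/" not in s:
        return "subscription"
    if "/providers/" in s.split("/resourcegroups/", 1)[1]:
        return "resource"
    return "resourceGroup"


def find_overbroad(assignments: Iterable[dict], managed_rg: str) -> List[str]:
    """Return findings for assignments that exceed least privilege.

    managed_rg: name of the managed resource group the application owns.
    """
    findings = []
    rg_suffix = "/resourcegroups/" + managed_rg.lower()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        level = scope_level(scope)
        if role in BROAD_ROLES and level in ("subscription", "managementGroup"):
            findings.append(f"{a['principalName']}: {role} at {level} scope ({scope})")
        elif role == "User Access Administrator" and level == "resourceGroup" \
                and not scope.lower().endswith(rg_suffix):
            findings.append(f"{a['principalName']}: {role} on non-managed RG ({scope})")
    return findings


# Constructed sample data (placeholder subscription ID and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalName": "managedapp-sp", "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/mrg-contoso"},
    {"principalName": "ops-team", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "reader-app", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/mrg-contoso/providers/Microsoft.Web/sites/func-contoso"},
    {"principalName": "legacy-sp", "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/rg-other"},
]

if __name__ == "__main__":
    for line in find_overbroad(SAMPLE, "mrg-contoso"):
        print(line)
```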