Azure Function authLevel security in and out of API Management

Question

Azure Function authLevel security in and out of API Management

hawthorne91 240

I have an APIM developer portal that contains Azure Functions as authLevel "anonymous" but they cannot be called without an access token provided by B2C. This also means that the only form of defense for these Azure Functions from outside users is the access token. The Azure Functions in the context of API Management service, however, are protected by not only the access token but also the subscription keys the APIs are associated with.I was wondering if changing the Azure Function's authLevel to "function" would not only provide the individual Azure Functions with security, but also if API management automatically updates to provide a function key if the authLevels for the functions are changed. I do not want the users to provide the function key, but rather it automatically passed through the developer portal/API management's backend.

Accepted answer

0 additional answers

Your answer

Answer 1

MuthuKumaranMurugaachari-MSFT 22,441 Moderator

hawthorne23 Thanks for posting your question in Microsoft Q&A. From the description above, you have Azure Functions with "Easy Auth" enabled to validate AD tokens, authorization level as anonymous and placed API Management in the front. Now, you are looking to see if you can change authorization level to Function and explore option to automatically update the function key if it gets changed.

Here are the few things I would like to start with:

While importing a Function app in API Management, a host key will be generated in the Function app and a named value in APIM with the generated host key as described in Authorization. This function key will be passed for all requests from APIM to Azure Function and hence users don't need to pass this when calling APIM. This is an easy way to set up Azure Functions with APIM. You can also create a named value manually in APIM with function key and update APIM policies (such as set-query-parameter) to send this key for all the requests.
However, there is no built-in support for automatically update the named value when host key in the function is changed. So, whenever you change the function key, set up a process to update the named value as needed (which could be ARM template like this discussion, CLI, Rest API etc.), .
If you like Azure Functions to receive calls only through APIM, you can also consider applying IP security i.e. APIM outbound IP (or IP ranges in case of Consumption tier) should be added to Function Inbound rules.

I hope this helps and let me know if you have any questions.

If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

hawthorne91 240 Reputation points

2024-01-16T21:12:48.3633333+00:00
Thank you for your reply MuthuKumaranMurugaachari-MSFT. I just have a few questions.

I would only like the Azure Functions to be called from APIM, how can I apply that? The API Management instance I am using is the standard tier.

If the function is restricted to calls from APIM, is it still possible for users to access the API outside of the developer portal? For example, could customers send requests directly to the function in APIM using tools like Postman?

Does the auth level still need to be changed if IP limiting is introduced in tandem with the Easy Auth I currently have implemented?

Thank you in advance for your assistance.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-16T21:24:52.9766667+00:00

hawthorne23 Sure.

#1 This depends on whether you have deployed in VNET or not. Check out https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ip-addresses to find the outbound IP address of the APIM instance and restrict the functions to allow only requests from this IP via https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli.

#2 APIM can accept the requests for this API (function API defined in APIM) from any client such as Postman, but Postman cannot directly call Azure Function app (http endpoint) bypassing APIM.

#3 No, you can use same Auth level or use Function and both are supported with Easy Auth. Here is sample scenario described https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c#configure-and-secure-the-function-api.
hawthorne91 240 Reputation points

2024-01-17T18:32:14.9833333+00:00

Hi MuthuKumaranMurugaachari-MSFT, your insight is appreciated. Thank you for your informative responses. The Azure Function and API Management service are not deployed in VNET. Does this cause an issue with IP limiting?
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-17T18:58:27.3566667+00:00

hawthorne23 No, you can add either outbound public IP address or IP ranges in case of consumption tier (as described in https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ip-addresses ) in the Function app.

VNET is not required, and inbound IP restrictions are supported in all plans https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#networking-features.
hawthorne91 240 Reputation points

2024-01-18T20:18:55.9466667+00:00
Hello MuthuKumaranMurugaachari-MSFT, thank you for your comment. I've distilled 3 main takeaways from our discussion, and I want to confirm my understanding.

Azure Functions (even in consumption form) can have IP restrictions to where they can only be called through API Management Service.

Azure Functions that can only be called through API Management Service can still be called through other means such as Postman, however the call needs to be through the API Management URL.

Easy Auth and IP Limiting can be used to ensure Azure Function security, even with an authLevel set to "anonymous".

Kindly confirm if my interpretation aligns with our conversation. Thank you for your assistance.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-18T20:24:44.8766667+00:00

hawthorne23 Yes these are correct.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-18T20:50:39.99+00:00

For any other questions, feel free to reach out to us. If you find the answer/discussion helpful, consider marking it as Yes.
hawthorne91 240 Reputation points

2024-01-18T21:56:33.5966667+00:00

Thank you for your assistance.

Share via

Azure Function authLevel security in and out of API Management

0 additional answers

Your answer