How to have common rule enable for all Azure functions with ALLOW access

Admin_BMAZHUVANCHERY 0 Reputation points
2024-01-19T23:45:07.5533333+00:00

Azure functions are exposed to upstream through Azure Front Door. We will enable WAF at Front door to allow the access from all other upstream or other valid data center IP ranges including VPN. We need to restrict the access to the Azure functions only by Front Door, Azure data factory and Stream Analytics Jobs. The end goal is to restrict all unauthorized access to the azure functions. We have a few function apps in place and don't prefer to go with APIM approach. Is there anyway we can have centralized rule configured with all allowed sources which can tag to all function apps. (Similar to WAF for FRONT door)

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,662 questions
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,025 questions
Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
549 questions
Azure Web Application Firewall
{count} votes

2 answers

Sort by: Most helpful
  1. Michael Durkan 12,276 Reputation points MVP
    2024-01-20T20:08:19.1666667+00:00

    Hi

    Azure Functions doesn't have the capability for configuring centralized access control rules, but there's a way you can do this without APIM:

    1. Place your Azure Functions, Azure Data Factory, and Stream Analytics Jobs within a Virtual Network, and use Service Endpoints for these services. This restricts access to these services to only the resources within the same VNet.
    2. Configure the Application Gateway with the Web Application Firewall (WAF), and set up custom rules in the WAF to allow traffic only from those specific services. Configure the backend pool of the Application Gateway to include your Azure Functions.
    3. Use Azure Private DNS Zones to create custom DNS names for your Azure Functions within the VNet.

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
    0 comments No comments

  2. MayankBargali-MSFT 67,081 Reputation points
    2024-01-22T05:18:30.7166667+00:00

    @Admin_BMAZHUVANCHERY Thanks for reaching out. Adding more to Michael answer.

    Yes, you can use Azure App Service Environment (ASE) or Private Endpoints to restrict access to your Azure Functions. Azure App Service Environment (ASE) is a fully isolated and dedicated environment for securely running App Service apps at high scale. You can deploy your Azure Functions to an ASE and configure the inbound access restrictions to allow only traffic from Front Door, Azure Data Factory, and Stream Analytics Jobs. Alternatively, you can use Private Endpoints to securely access your Azure Functions over a private endpoint in your virtual network. You can configure the inbound access restrictions to allow only traffic from Front Door, Azure Data Factory, and Stream Analytics Jobs to the private endpoint. Both of these options provide centralized rule configuration for all your Azure Functions in the environment.

    Here are some resources to help you get started with these options: https://learn.microsoft.com/en-us/azure/app-service/environment/intro https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

    0 comments No comments