Hello,
I am currently encountering a challenge that necessitates the development of an effective solution for the following scenario:
I possess a database in Azure Virtual Network with public access deactivated. My objective is to design an Azure Function, utilizing Python, capable of interacting with this database to retrieve results and return them as JSON objects via POST requests. I must also facilitate access for an external application to this function, though I lack specific details or a design for this application at present. Consequently, I am considering two potential scenarios:
- The application is external and on-premises, with the only known detail being its static IP address.
- The application is hosted on Azure, but within a different tenant. In this case, I will be aware of the subscription ID, resource group name, and IP address.
The steps I have undertaken so far include:
- Establishing an Azure Function App using the Premium Plan, creating a new Storage Account, and employing default network settings. Due to limitations with Python applications, it is not feasible to modify Storage Account network settings during the creation process, so these were left unchanged at that stage.
- In the database's Virtual Network, I added a Subnet and executed Virtual Network Integration within my Function App, enabling the Function to query the database.
- For the Storage Account Networking Settings associated with the Function App, I chose "Enabled from selected virtual networks and IP addresses" and included the Virtual Network utilized by the SQL Database. Is this approach correct?
- I deployed the function using the 'Function' Authorization method.
- In the Networking section of the Function App, under Inbound Traffic Configuration -> Public Network Access, I selected 'Enable from selected virtual networks and IP Addresses.' For testing purposes, my local IP was added.
- All variables used in the Function code are local, stored in the Configuration section as Key Vault references. I had previously activated Managed Identity for the Function App and granted access to the Key Vault containing these variables as secrets.
- I tested the function from my PC using the Function Key in the headers. This, combined with my authorized IP address, ensured smooth operation of the Function. In the scenario I am addressing, I considered adding the external application's IP address to the list and securely sharing the Function Key with the app owner.
My questions and concerns are as follows:
- First and foremost, is this a robust and secure solution?
- After reviewing documentation, I understand that sharing Function Keys is generally discouraged. However, I intend to use this key as an additional layer of security, supplementing the Network Access IP restriction.
- Could anyone suggest a more robust solution that wouldn't be excessive?
Regrettably, my understanding of the application set to call the function is somewhat vague. I have devised a concept that functions well in my tests, but I am seeking community input to determine if there are aspects that could be improved.
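As an added example that is not part of the original question: a request handler for the Python Function described above, with an in-memory sqlite3 table as a constructed stand-in for the Azure SQL database and an assumed app setting name SQL_CONNECTION (Key Vault references surface to the code as ordinary environment variables). The Function key and IP restrictions from the post are enforced by the platform before this code runs; the code covers what those controls do not, namely strict validation of the POST body and bound query parameters.

```python
import json
import os
import sqlite3
# Fields accepted in the POST body and the exact JSON type each must have.
ALLOWED_FIELDS = {"customer_id": int}
MAX_ROWS = 100  # upper bound on rows returned per request

def get_connection():
    """Key Vault references in the Function App configuration are read as environment
    variables. Assumed setting name: SQL_CONNECTION; sqlite3 stands in for pyodbc here."""
    conn = sqlite3.connect(os.environ.get("SQL_CONNECTION", ":memory:"))
    conn.row_factory = sqlite3.Row
    return conn

def parse_body(raw: bytes) -> dict:
    """Validate the JSON body against ALLOWED_FIELDS; raise ValueError on any deviation."""
    try:
        body = json.loads(raw or b"{}")
    except json.JSONDecodeError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    if set(body) != set(ALLOWED_FIELDS):
        raise ValueError(f"body must contain exactly {sorted(ALLOWED_FIELDS)}")
    for name, expected in ALLOWED_FIELDS.items():
        if type(body[name]) is not expected:  # strict: "1" and true are rejected for int
            raise ValueError(f"field {name} must be {expected.__name__}")
    return body

def handle_post(raw_body: bytes, conn) -> tuple[int, str]:
    """Return (HTTP status, JSON body). Values reach the driver as bound parameters,
    never via string formatting, so the request body cannot alter the SQL statement."""
    try:
        params = parse_body(raw_body)
    except ValueError as exc:
        return 400, json.dumps({"error": str(exc)})
    rows = conn.execute(
        "SELECT id, name FROM customers WHERE id = :customer_id LIMIT :max_rows",
        {**params, "max_rows": MAX_ROWS},
    ).fetchall()
    return 200, json.dumps({"results": [dict(r) for r in rows]})

def demo_connection():
    """Constructed sample data standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "Contoso"), (2, "Fabrikam")])
    return conn
```

In the Function itself the HTTP entry point would pass `req.get_body()` and `get_connection()` to `handle_post` and wrap the returned status and body in the HTTP response.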