Webhook listener/receiver security

Tim B 21 Reputation points
2020-06-10T15:46:14.027+00:00

Hi,

We are looking at using webhooks from various vendors outside our network. They would publish the event to us. We would be the webhook listener/receiver, not pushing the events. We have done proof of concept of creating an Azure Function to receive the event. From the research we have done most have the security of passing a sha1/sha256/sha512 hash for us to verify they are who we want to receive the events. This all worked as expected with the POC Azure Function.

From an enterprise network security standpoint, is there anything else available? The process above puts the security in the function. I'm sure our Network Security group would not want us to have 10 functions, one for each vendor, to worry about the security of. I've read about whitelisting the IPs that would be sending the events, but most of our vendors are cloud-based, so I'm not sure how readily that would be available. Maybe one function to validate all events that come in and then let them pass through? Would that be an acceptable solution? Would Azure API Gateway or API Management be able to address this somehow? Is there any other network-type product that handles webhook security specifically?

Any insight or information most appreciated.

Thanks.


Accepted answer

Mike Urnun 9,641 Reputation points Microsoft Employee
2020-06-10T23:41:46.65+00:00

Hello @TimB-9890 - Yes, putting an Azure API Management (APIM) gateway in front of your Functions would be the way to go! APIM offers a powerful policy engine as well as a Consumption tier. You can move all of the security-related implementations out of your Functions and convert them into a set of policies (which are simple declarative XML definitions) and configurations on the APIM side. This way, your Functions would stay clean and only be concerned with the business logic, while your APIM would handle routing only "sanitized" requests over a secure connection to your Functions.
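The signature check the question describes (a sha256-style value the vendor sends for the receiver to verify) is shown below as an added example, not code from the question, the answer, or any Azure product. It assumes a common vendor scheme, HMAC-SHA256 over a timestamp plus the raw request body; the header names, the secret and the sample payload are constructed for illustration and differ per vendor. Whether this logic lives in one shared Function or in an APIM policy, the checks it performs are the same: sign the raw bytes, compare in constant time, and bound the timestamp so a captured delivery cannot be replayed.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed header names; each vendor documents its own.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries older than 5 minutes to limit replay


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over 'timestamp.body' (the assumed vendor scheme)."""
    msg = timestamp.encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> bool:
    """True only if the signature matches the raw body and the timestamp is fresh.

    - Signs the raw request bytes, never a re-serialized JSON object.
    - Uses hmac.compare_digest so comparison time does not leak the digest.
    - Bounds the timestamp so an old delivery cannot be replayed later.
    """
    sig = headers.get(SIG_HEADER, "")
    ts = headers.get(TS_HEADER, "")
    if not sig or not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, ts, body), sig)


# Constructed sample delivery (not a real vendor payload or secret)
SECRET = b"shared-secret-from-vendor-portal"
BODY = b'{"event":"invoice.paid","id":"evt_123","amount":4200}'
TS = "1591803974"  # 2020-06-10T15:46:14Z, reused as 'now' in the checks below
VALID_HEADERS = {SIG_HEADER: sign(SECRET, TS, BODY), TS_HEADER: TS}


def demo() -> dict:
    """Run the cases a receiver must handle and return each outcome."""
    t = int(TS)
    return {
        "valid": verify_webhook(SECRET, VALID_HEADERS, BODY, now=t),
        "tampered_body": verify_webhook(SECRET, VALID_HEADERS, BODY + b" ", now=t),
        "replayed_later": verify_webhook(SECRET, VALID_HEADERS, BODY, now=t + 3600),
        "wrong_secret": verify_webhook(b"other", VALID_HEADERS, BODY, now=t),
    }
```

Only the "valid" case should pass; the other three show why the raw body, the shared secret and the freshness window all matter.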

