Restrict Azure Functions access to Front Door

Pascal Kesseli 21 Reputation points
2020-06-16T18:57:56.563+00:00

Hi everyone,

I would like to protect my Azure Functions against DDOS attacks. For this purpose I set up a Front Door and successfully connected it to my Azure Functions. Now I would like to restrict access to the Functions to just the front door. I tried to accomplish this according to the following section:
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door

However, the article suggests to download a JSON with dozens of IP addresses, and also suggests to filter by the IP header X-Azure-FDID, which I can't seem to configure in the "Networking" --> "Access Restrictions" of my App Service. Thus my questions:

  1. Do I really need to manually add dozens of IP addresses or can this be configured more easily?
  2. How do I restrict by header in an App Service?

Thank you,
Pascal

Azure DDos Protection
Azure DDos Protection
An Azure service that provides defense against distributed denial-of-service (DDoS) attacks.
68 questions
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,609 questions
Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
627 questions
0 comments No comments
{count} votes

Accepted answer
  1. Pramod Valavala 20,611 Reputation points Microsoft Employee
    2020-06-17T14:24:30.677+00:00
    1. Yes for the consumption/premium tiers. If your function app is deployed into a VNET, then you could leverage the AzureFrontDoor.Backend service tag instead.
    2. This is something you will have to check in your code (in most frameworks, this would be a simple middleware)

    Another way to protect your function apps that you could consider would be to use Azure API Management. Depending on the tier of APIM you choose, your setup will vary

    • For Premium Tier, you could deploy it into multiple regions and set each regional gateways IP in your function apps access restriction settings. Configuration for your APIs is synchronized by default.
    • For Basic/Standard Tier, you would have to manually deploy multiple APIM instances to each region and set each instances IP in your function apps access restriction settings. You could then set them up as backends in Front Door or Traffic Manager. Configuration for your APIs would have to be manually synchronized as well.
    • For Consumption Tier, you would have to manually deploy multiple APIM instances to each region but the IP of each instance isn't static, so you will have to rely on other means to protect your function apps like OAuth or the function key itself. You could then set them up as backends in Front Door or Traffic Manager. Configuration for your APIs would have to be manually synchronized as well.
    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Mahesh Panchal 11 Reputation points
    2020-07-19T09:44:53.793+00:00

    Incase we do not have VNET then what

    1 person found this answer helpful.
    0 comments No comments