Azure Functions
An Azure service that provides an event-driven serverless compute platform.
Does the code running in an Azure Function pose significant risks when it calls an HTTP endpoint running on a server?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 76%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
jinxjer lee
40
Reputation points
The endpoint is HTTP (not HTTPS), but it will only be called by Azure function, no other real users will call it (so no risk when normal user's network is listened). Will Azure's outbound network have chance to be listened by anyone else? The endpoint has the secret key, so only caller knows the key can call successfully, but I am not sure whether it's necessary to get ssl
By the way, I tried to ask in Chinese QA, but I have no idea why no Azure Tags in Chinese QA, so I have to ask here in English
Azure Functions
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-09-24T05:30:54.8866667+00:00 Thank you for using Q&A Platform
If an Azure Function is calling an HTTP (not HTTPS) endpoint and the function app is deployed in a default public configuration (without VNET/private endpoints), its outbound traffic travels over public networks, which can potentially be intercepted by malicious parties if the traffic is not encrypted, even though only the function itself knows the secret key and initiates calls.
Using only HTTP with a secret key is not sufficient to guarantee that network traffic cannot be eavesdropped on; packet sniffers on the public network could potentially obtain sensitive data, including the secret, during transmission.
Outbound Traffic Security in Azure
Azure outbound connections from function apps can make requests to public internet endpoints unless outbound connectivity is explicitly controlled via integration with a VNET, private endpoints, or firewall. Unless you configure these security mechanisms, outbound traffic can be exposed on the general internet, increasing the risk of interception by unauthorized actors.
- VNET integration or Azure Firewall can route outbound traffic securely and restrict exposure.
- Without such measures, traffic uses public Azure infrastructure and is susceptible to traditional network-level threats.
Importance of HTTPS
Requiring HTTPS (SSL/TLS) for endpoints ensures that all data in transit is encrypted and authenticated between the caller (Azure Function) and endpoint, greatly reducing the risk of interception or snooping, even if communication is only machine-to-machine.
Azure best practices recommend always enabling HTTPS for protecting secrets and sensitive data, regardless of whether normal users are involved.
Recommendations
- Strongly consider enabling HTTPS on the endpoint to secure communication, even though the client is an Azure Function.
- If SSL termination is a technical challenge, ensure the function app is running in a network-isolated environment, such as with VNET integration, private endpoints, or NAT gateway. This reduces, but does not entirely eliminate the risks.
Additional Notes
- The lack of Azure tags in the Chinese QA platform may reflect regional documentation differences or limitations in their tagging system.
- Security best practices are consistent across geographies: encrypt traffic with HTTPS unless network isolation can be guaranteed at all layers.
In summary, using HTTP alone, even with a secret key is risky due to potential exposure over public networks. Azure recommends enforcing HTTPS for all endpoints called by Azure Functions, not just for user-facing scenarios.
I hope this helps in resolving the issue, let me know if you have any further questions on this
-
Anonymous
2025-09-26T01:39:45.6766667+00:00 @jinxjer lee Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.
-
Sign in to comment
Sign in to answer