
Azure Functions Virtual Network integration | Private Endpoints for Azure Functions

By Sri Gunnala
Published in Microsoft Azure
July 21, 2022
2 min read

There are two main ways to host a function app.

  1. In multitenant infrastructure
    1. Consumption Plan — scales dynamically in response to load and offers minimal network isolation options.
    2. Premium Plan — scales dynamically and offers more comprehensive network isolation.
    3. App Service Plan — operates at a fixed scale and offers network isolation similar to the Premium plan.
  2. In an App Service Environment — this deploys your function into your own virtual network and offers full network control and isolation.


VNET Integration options

Azure Functions VNET integration is supported by the Premium plan, the App Service Plan (Basic tier and above) and, of course, the App Service Environment. When we create an Azure function without any VNET integration, it gets a public IP address and is exposed to the internet.

Figure: Azure Functions Networking Options

This blog explains:

  1. How to secure an Azure function with VNET integration.
  2. How to create a private endpoint to secure incoming traffic.
  3. How to restrict outbound traffic from the Azure function to the VNET.

Why do we need Azure function VNET Integration?

  1. Access to VNET-based resources
  2. Lock down your function app behind a VNET (no public IP Address at the source or destination)
  3. Access to Azure PaaS services (for example, Azure Storage and SQL Database) over a private endpoint.
  4. Access services running on-premises over ExpressRoute private peering, VPN tunnels and peered virtual networks.

Inbound Traffic

Inbound traffic is controlled using Access Restrictions and Private Link.

Access Restrictions: You can use access restrictions to define a priority-ordered list of IP addresses that are allowed or denied access to your app. When there are one or more entries, an implicit “deny all” exists at the end of the list. IP restrictions work with all function-hosting options.

What is Private Link? Azure PaaS services are shared services and are reachable over public IP addresses. Private Link lets us connect to Azure PaaS services (Storage, SQL, Logic Apps, Service Bus, Event Grid, etc.) without opening them to the internet. A private endpoint gives the PaaS service a private IP address inside your VNET and traffic travels over the Microsoft backbone network, so there is no internet exposure.
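The access-restriction list described above, as an added Azure CLI example (not code from the original post). The resource group, app name and the two sample CIDRs are constructed for illustration; with the default DRY_RUN=1 the script only prints the az commands it would run, and DRY_RUN=0 executes them against your subscription. It also mirrors the rules onto the SCM (Kudu) site, which keeps its own list and is otherwise left open.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build a priority-ordered inbound
# allow list on a function app with Azure CLI. Resource names, CIDRs and the
# DRY_RUN switch are assumptions for illustration; set DRY_RUN=0 to execute.
set -eu

RG="${RG:-rg-func-demo}"        # assumed resource group name
APP="${APP:-func-demo-app}"     # assumed function app name
DRY_RUN="${DRY_RUN:-1}"         # 1 = print az commands, 0 = run them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample allow list: "rule-name CIDR priority". The lowest
# priority number is evaluated first. Anything not matched falls through to
# the implicit deny-all that Azure appends once at least one rule exists.
ALLOW_LIST='office 203.0.113.0/24 100
partner-api 198.51.100.10/32 200'

apply_allow_list() {
  # Rules are added to the main site; the SCM (Kudu) site keeps a separate
  # list, so the last command tells Azure to reuse the main site's rules there.
  printf '%s\n' "$ALLOW_LIST" | while read -r name cidr prio; do
    [ -n "$name" ] || continue
    run az functionapp config access-restriction add \
      --resource-group "$RG" --name "$APP" \
      --rule-name "$name" --action Allow --ip-address "$cidr" --priority "$prio"
  done
  run az functionapp config access-restriction set \
    --resource-group "$RG" --name "$APP" --use-same-restrictions-for-scm-site true
}

show_rules() {
  # Review the effective list; confirm the deny-all fallback is in place.
  run az functionapp config access-restriction show --resource-group "$RG" --name "$APP"
}

rule_count() {
  # Number of Allow rules the sample list defines (input sanity check).
  printf '%s\n' "$ALLOW_LIST" | grep -c '^[^ ]* [0-9./]* [0-9]*$'
}

apply_allow_list
show_rules
```

Keep the rule names meaningful (who the CIDR belongs to) because the list is the only record of why a range is allowed; review it with `show_rules` after every change.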

Outbound Traffic

Outbound IP restrictions are available in a Premium plan, App Service Plan, or App Service Environment. You can configure outbound restrictions for the virtual network where your App Service Environment is deployed.

When you integrate a function app in a Premium plan or an App Service plan with a virtual network, the app can still make outbound calls to the internet by default. By integrating your function app with a virtual network with Route All enabled, you force all outbound traffic to be sent into your virtual network, where network security group rules can be used to restrict traffic.

Steps for Azure Functions Virtual Network integration

Figure: Demo Architecture

The above architecture demonstrates the steps involved at a high level.

  1. Create a simple Azure function that retrieves data from an Azure Storage table.

  2. Inbound traffic

    1. The Azure function runs on the App Service Plan Free tier and is accessible over the internet.
    2. Create a private endpoint for the Azure function and place it in a virtual network.
    3. As soon as the private endpoint exists, access to the Azure function over the internet is blocked. The function is reachable only from the VNET where the private endpoint is placed.
    4. To demonstrate access from the virtual network, create a virtual machine without a public IP address inside the same virtual network.
    5. As the virtual machine is private, create a Bastion resource to reach the VM.
    6. Now access the Azure function from the VM.
  3. Outbound traffic

    1. Integrate the function app into the virtual network, so traffic leaving the function app is restricted to the virtual network.
    2. Restrict the Azure Storage account so it accepts access only from the virtual network.
    3. Now we can access the Azure function from the VM.
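The inbound (private endpoint), outbound (VNET integration with Route All) and storage lockdown steps of the demo architecture, as an added Azure CLI script that is not part of the original post. The subscription ID is a placeholder and every resource name, address range and subnet name is an assumption; the VM and Bastion steps are left out. DRY_RUN=1 (the default) prints the commands, DRY_RUN=0 runs them.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: Azure CLI version of the demo
# architecture (inbound private endpoint, outbound VNET integration with
# Route All, storage account restricted to the VNET). All names, address
# ranges and the subscription ID are assumptions/placeholders.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"  # placeholder subscription ID
RG="${RG:-rg-func-vnet-demo}"
LOC="${LOC:-westeurope}"
APP="${APP:-func-vnet-demo}"
STORAGE="${STORAGE:-stfuncvnetdemo}"
VNET="${VNET:-vnet-demo}"
PE_SUBNET="${PE_SUBNET:-snet-private-endpoints}"    # hosts the private endpoint NIC
INT_SUBNET="${INT_SUBNET:-snet-integration}"        # delegated to Microsoft.Web/serverFarms
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print az commands, 0 = run them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Resource ID of the function app, built from the placeholders above.
app_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s' "$SUB" "$RG" "$APP"
}

# Step 2: inbound. The private endpoint gives the function app a private IP in
# the VNET and public access is blocked once it exists. The privatelink DNS
# zone makes <app>.azurewebsites.net resolve to that private IP inside the VNET.
lock_inbound() {
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$PE_SUBNET" \
    --address-prefixes 10.10.1.0/24
  run az network private-endpoint create -g "$RG" -n "pe-$APP" -l "$LOC" \
    --vnet-name "$VNET" --subnet "$PE_SUBNET" \
    --private-connection-resource-id "$(app_id)" --group-id sites \
    --connection-name "pe-$APP-conn"
  run az network private-dns zone create -g "$RG" -n privatelink.azurewebsites.net
  run az network private-dns link vnet create -g "$RG" -z privatelink.azurewebsites.net \
    -n "link-$VNET" -v "$VNET" -e false
  run az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "pe-$APP" \
    -n default --private-dns-zone privatelink.azurewebsites.net --zone-name sites
}

# Step 3.1: outbound. Regional VNET integration needs a dedicated subnet
# delegated to Microsoft.Web/serverFarms; Route All forces every outbound call
# (not only private-range traffic) into the VNET, where NSG rules apply.
restrict_outbound() {
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$INT_SUBNET" \
    --address-prefixes 10.10.2.0/24 --delegations Microsoft.Web/serverFarms \
    --service-endpoints Microsoft.Storage
  run az functionapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$INT_SUBNET"
  run az functionapp config set -g "$RG" -n "$APP" --vnet-route-all-enabled true
}

# Step 3.2: storage. Default-deny the account, then allow only the integration
# subnet, so table reads succeed from the function but not from the internet.
lock_storage() {
  run az storage account update -g "$RG" -n "$STORAGE" --default-action Deny
  run az storage account network-rule add -g "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$INT_SUBNET"
}

# Number of az commands a phase issues (useful as a dry-run sanity check).
command_count() { "$1" | grep -c '^az '; }

lock_inbound
restrict_outbound
lock_storage
```

Order matters: apply the storage lockdown last, after the integration subnet carries the Microsoft.Storage service endpoint, or the function loses access to its table in between. If the same storage account is also the function app's own runtime account (AzureWebJobsStorage), the integration subnet must be allowed on it as well, otherwise the runtime itself cannot start.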

The video gives a step-by-step walk-through of these steps - watch it here

