
Exposed Azure Functions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

To follow Azure cloud security best practices and prevent public exposure, ensure that the functions managed with Microsoft Azure Function App are not publicly accessible. An Azure Function App is considered publicly accessible when it is configured to allow inbound access through the default (public) endpoint.

Pillars: Security, Reliability, Cost optimisation, Operational excellence, Sustainability

In Azure cloud, Function Apps can be deployed with either public or private network access. By default, a Function App is publicly accessible on its default endpoint, but inbound traffic can be narrowed with access restriction rules (IP ranges, Virtual Network subnets, service tags), or the app can be isolated to an Azure Virtual Network (VNet) and reached only through a private endpoint. To reduce the risk of unauthorized access and data breaches, consider carefully whether your Function App needs to be publicly accessible. If not, disabling public network access blocks all inbound traffic except requests arriving through private endpoints. Note that function access keys (the function or host key demanded by HTTP triggers with an authorization level of function or admin) are an application-level control, not a network control: a leaked key can be used from anywhere while the public endpoint is reachable, so network restrictions are still worthwhile for key-protected functions.


Audit

To determine if your Microsoft Azure Function Apps are configured to allow public network access, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking settings available for the selected Function App.

07 In the Inbound traffic configuration section, check the Public network access configuration attribute value. The attribute has three states: Enabled with no access restrictions, Enabled from selected virtual networks and IP addresses, and Disabled. If the Public network access value is Enabled with no access restrictions, the functions managed with the selected Microsoft Azure Function App are configured to allow public network access.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the selected subscription:

az functionapp list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

06 Run functionapp show command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and the associated resource group as the identifier parameters to determine if the selected Function App is configured to allow public access:

az functionapp show
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --query 'publicNetworkAccess'

07 The command output should return the requested network configuration information:

"Enabled"

If the functionapp show command output returns "Enabled", as shown in the output example above, the functions managed with the selected Microsoft Azure Function App are configured to allow public network access. Two caveats apply. First, the property is returned as null (empty) on Function Apps created before it was introduced, and Azure treats an unset value as Enabled, so a null result is also a finding. Second, "Enabled" alone does not tell you whether access restriction rules narrow that access; confirm with the functionapp config access-restriction show command for the same Function App. An app whose public access is Enabled but which carries an Allow rule for a trusted range followed by the implicit "Deny all" rule is restricted, not exposed.

08 Repeat steps no. 6 and 7 for each Azure Function App available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that the functions managed with Microsoft Azure Function App are not publicly accessible, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking settings available for the selected Function App.

07 In the Inbound traffic configuration section, click on the Enabled with no access restrictions link, next to Public network access, to open the page with the network access restrictions configured for the selected Function App.

08 On the Access restriction page, perform the following actions:

  1. To deny public network access entirely, set Public network access to Disabled and choose Save. Clients can then reach the functions only through a private endpoint.
  2. If the Function App must stay reachable from specific networks, keep public network access enabled and restrict it instead. In Azure Function App, access restrictions allow you to define lists of allow/deny rules to control traffic to your functions. These lists can include IP addresses, Virtual Network (VNet) subnets and service tags. Rules are evaluated in priority order (lowest number first) and the first matching rule wins; traffic that matches no rule is handled by the Unmatched rule action. If there are no rules defined and the unmatched rule action is Allow (the default), your functions will accept traffic from any IP address, leaving your functions exposed. To configure access restrictions, perform the following actions:
    1. Set Public network access to Enabled from selected virtual networks and IP addresses.
    2. Select the Main site tab, set Unmatched rule action to Deny, and choose Add to add one or more rules in order to allow inbound traffic to your functions from authorized Virtual Networks (VNets) or trusted IP addresses only. Once the inbound rule is configured according to your specifications, choose Add rule to deploy the rule. The Advanced tool site tab controls the Kudu (SCM) endpoint of the same app in the same way; restrict it as well, or check Use main site rules, so that the deployment endpoint is not left open while the main site is closed.
    3. Choose Save to apply the changes. Check the By checking this box, you are agreeing to update the access restrictions checkbox and choose Continue to confirm the changes.

09 Repeat steps no. 5 – 8 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 To deny public network access entirely, run functionapp update command (Windows/macOS/Linux) with the name of the Azure Function App that you want to configure and its resource group as the identifier parameters to disable public network access for the selected Function App. Once disabled, the app accepts only traffic arriving through private endpoints and access restriction rules are no longer evaluated, so use either this step or the access restriction rule in step no. 6, not both:

az functionapp update
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --set publicNetworkAccess="Disabled"
  --query 'publicNetworkAccess'

05 The command output should return the new "publicNetworkAccess" configuration status:

"Disabled"

06 Alternatively, if the Function App must stay reachable from specific networks, leave public network access Enabled and run functionapp config access-restriction add command (Windows/macOS/Linux) with the name of the Azure Function App that you want to configure and its resource group as the identifier parameters to add an access restriction rule that allows inbound access from a trusted IPv4 address only. As the output below shows, once the first explicit rule exists Azure appends an implicit "Deny all" rule with the lowest possible priority (2147483647), so any source that matches no Allow rule is denied. The following command request example adds an access restriction rule named "tm-function-app-developer", that allows access only from IPv4 10.20.30.40/32 with priority 300 to the main site:

az functionapp config access-restriction add
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --rule-name tm-function-app-developer
  --action Allow
  --ip-address 10.20.30.40/32
  --priority 300

07 The command output should return the information available for the configured access restriction rules:

[
	{
		"action": "Allow",
		"description": null,
		"headers": null,
		"ipAddress": "10.20.30.40/32",
		"name": "tm-function-app-developer",
		"priority": 300,
		"subnetMask": null,
		"subnetTrafficTag": null,
		"tag": "Default",
		"vnetSubnetResourceId": null,
		"vnetTrafficTag": null
	},
	{
		"action": "Deny",
		"additional_properties": {},
		"description": "Deny all access",
		"headers": null,
		"ip_address": "Any",
		"name": "Deny all",
		"priority": 2147483647,
		"subnet_mask": null,
		"subnet_traffic_tag": null,
		"tag": null,
		"vnet_subnet_resource_id": null,
		"vnet_traffic_tag": null
	}
]

08 Repeat steps no. 4 – 7 for each Azure Function App that you want to configure, available within the current subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
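The audit logic of steps no. 6 and 7 in the Audit section and the two remediation paths above (disable public access, or keep it Enabled behind an allow list) as one added, runnable example. This is not Conformity's or Microsoft's code. It assumes the JSON shapes returned by az functionapp show (publicNetworkAccess), az functionapp config show (ipSecurityRestrictionsDefaultAction) and az functionapp config access-restriction show (ipSecurityRestrictions); the four sample apps in it are constructed, and the rule names and priorities it generates are this example's own convention. The classifier goes a little beyond the steps above: it treats a null publicNetworkAccess as Enabled, as Azure does, and it flags a catch-all 0.0.0.0/0 Allow rule as public even though access restrictions exist.

```python
"""Audit and remediate Azure Function App public exposure from Azure CLI JSON.

Added example, not Conformity's or Microsoft's code. It assumes the JSON shapes
returned by `az functionapp show` (publicNetworkAccess), `az functionapp config
show` (ipSecurityRestrictionsDefaultAction) and `az functionapp config
access-restriction show` (ipSecurityRestrictions). SAMPLE_APPS below is
constructed; nothing here calls `az` unless you call fetch().
"""
import ipaddress
import json
import subprocess

# Priority Azure gives the implicit "Deny all" rule it appends behind explicit rules.
DENY_ALL_PRIORITY = 2147483647


def rule_matches_any_source(rule):
    """True if an IP rule matches every source address (Azure's "Any" or a /0)."""
    if rule.get("tag") not in (None, "Default"):   # ServiceTag / XffProxy rules are scoped
        return False
    addr = rule.get("ipAddress")
    if addr is None:                               # VNet subnet rule, never a catch-all
        return False
    if addr == "Any":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False


def exposure(public_network_access, rules, default_action="Allow"):
    """Classify one Function App as "disabled", "public" or "restricted".

    publicNetworkAccess is null on apps created before the property existed and
    Azure treats null as Enabled, so only an explicit "Disabled" closes the app.
    """
    if (public_network_access or "").lower() == "disabled":
        return "disabled"
    # Rules are evaluated in ascending priority and the first match wins, so the
    # first catch-all rule decides whether an arbitrary Internet address gets in.
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches_any_source(rule):
            return "public" if rule["action"] == "Allow" else "restricted"
    # No catch-all rule: the unmatched-rule action decides.
    return "public" if default_action == "Allow" else "restricted"


def plan_remediation(name, resource_group, allowed_cidrs=(), first_priority=300):
    """Return the az argv lists that close the app, as a reviewable dry-run plan.

    Without allowed_cidrs the app is set to Disabled (private endpoints only).
    With them, one Allow rule per CIDR is added and public access stays Enabled;
    Azure appends the implicit Deny all rule behind the first explicit rule, so
    every other source is denied. Rule names and priorities are this example's
    own convention (assumption, not an Azure default).
    """
    ident = ["--name", name, "--resource-group", resource_group]
    if not allowed_cidrs:
        return [["az", "functionapp", "update", *ident,
                 "--set", "publicNetworkAccess=Disabled"]]
    plan = []
    for i, cidr in enumerate(allowed_cidrs):
        net = ipaddress.ip_network(cidr)  # strict: rejects host bits such as 10.0.0.1/24
        plan.append(["az", "functionapp", "config", "access-restriction", "add", *ident,
                     "--rule-name", f"allow-{i}", "--action", "Allow",
                     "--ip-address", str(net), "--priority", str(first_priority + 10 * i)])
    return plan


def fetch(name, resource_group):
    """Live classification through the Azure CLI (needs a prior `az login`)."""
    def az(*args):
        return json.loads(subprocess.check_output(["az", *args, "--output", "json"]))
    ident = ("--name", name, "--resource-group", resource_group)
    site = az("functionapp", "show", *ident)
    cfg = az("functionapp", "config", "show", *ident)
    acl = az("functionapp", "config", "access-restriction", "show", *ident)
    return exposure(site.get("publicNetworkAccess"), acl.get("ipSecurityRestrictions") or [],
                    cfg.get("ipSecurityRestrictionsDefaultAction") or "Allow")


# Constructed sample data mirroring the CLI output shapes (not real apps).
SAMPLE_APPS = {
    "cc-main-function-app": {"publicNetworkAccess": None, "rules": [], "default": "Allow"},
    "cc-project5-function-app": {"publicNetworkAccess": "Enabled", "default": "Deny", "rules": [
        {"action": "Allow", "ipAddress": "10.20.30.40/32", "name": "tm-function-app-developer",
         "priority": 300, "tag": "Default"},
        {"action": "Deny", "ipAddress": "Any", "name": "Deny all",
         "priority": DENY_ALL_PRIORITY, "tag": None}]},
    "cc-closed-function-app": {"publicNetworkAccess": "Disabled", "rules": [], "default": "Allow"},
    "cc-allow-all-function-app": {"publicNetworkAccess": "Enabled", "default": "Deny", "rules": [
        {"action": "Allow", "ipAddress": "0.0.0.0/0", "name": "oops", "priority": 100, "tag": "Default"}]},
}


def audit(apps=SAMPLE_APPS):
    """Map each app name to its exposure class."""
    return {n: exposure(a["publicNetworkAccess"], a["rules"], a["default"]) for n, a in apps.items()}


if __name__ == "__main__":
    for app_name, state in audit().items():
        print(f"{app_name:28} {state}")
    for argv in plan_remediation("cc-main-function-app", "cloud-shell-storage-westeurope",
                                 ["10.20.30.40/32"]):
        print(" ".join(argv))
```

Call fetch(name, resource_group) after az login to classify a real app; plan_remediation deliberately returns argv lists instead of executing them, so the commands can be reviewed and handed to subprocess.run once approved. Because the plan either disables public access or adds Allow rules, it never produces both, which mirrors the either/or choice between steps no. 4 and 6 above.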


Publication date Oct 23, 2023