Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Azure Function Runtime Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that you always use the latest runtime version of the function host for your Microsoft Azure Function Apps in order to adhere to Azure cloud best practices and receive the newest software features, get the latest security patches and bug fixes, and benefit from better performance and reliability. The runtime version used by the function host is usually controlled by the "FUNCTIONS_EXTENSION_VERSION" application setting.

Security
Reliability
Cost
optimisation
Operational
excellence
Sustainability

Using the latest runtime version for all the functions managed with Microsoft Azure Function App ensures access to critical security updates, performance enhancements, and bug fixes. Staying up-to-date is crucial for maintaining a secure and efficient serverless environment, as it mitigates potential vulnerabilities and ensures that your functions run smoothly with the latest improvements and optimizations.

Audit

To determine if your Azure Azure functions are configured to use the latest runtime version of the function host, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Configuration to access the application settings configured for the selected Function App.

07 Select the Application settings tab and check the following application settings: FUNCTIONS_WORKER_RUNTIME for the runtime language and FUNCTIONS_EXTENSION_VERSION for runtime version installed. Compare the runtime language and version with the updated list of Function App runtimes supported by Microsoft Azure. If the FUNCTIONS_EXTENSION_VERSION is not configured to use the latest version supported by Microsoft Azure, the selected Azure Function App is using an old and deprecated runtime environment.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run functionapp list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Function App available in the current subscription: 

az functionapp list 
  --output table 
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Function App names: 

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

03 Run functionapp config appsettings list command (Windows/macOS/Linux) using the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to list the application settings configured for the selected Function App: 

az functionapp config appsettings list 
  --name cc-main-function-app 
  --resource-group cloud-shell-storage-westeurope 
  --query '[*].[name,value]'

04 The command output should return the requested application configuration information: 

[
	[
		"FUNCTIONS_WORKER_RUNTIME",
		"python"
	],
	[
		"FUNCTIONS_EXTENSION_VERSION",
		"~3"
	],
	[
		"ENABLE_ORYX_BUILD",
		"1"
	],
	[
		"SCM_DO_BUILD_DURING_DEPLOYMENT",
		"1"
	],
	[
		"WEBSITE_CONTENTSHARE",
		"cc-main-function-app8adc"
	]
]

Check the following application settings: FUNCTIONS_WORKER_RUNTIME for the runtime language and FUNCTIONS_EXTENSION_VERSION for runtime version. Compare the runtime language and version with the updated list of Function App runtimes supported by Microsoft Azure. If the FUNCTIONS_EXTENSION_VERSION is not configured to use the latest version supported by Microsoft Azure, the selected Azure Function App is using an old and deprecated runtime environment.

05 Repeat step no. 3 and 4 for each Azure Function App available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To upgrade the runtime version for your Azure functions managed with Microsoft Azure Function App, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Configuration to access the application settings configured for the selected Function App.

07 Choose the Function runtime settings tab and select the latest runtime version supported by the Microsoft Azure Function App from the Runtime version dropdown list. Choose Save to apply the changes.

08 Repeat steps no. 5 – 7 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run functionapp config appsettings set command (OSX/Linux/UNIX) using the name of the Azure Function App that you want to configure as the identifier parameter to set the FUNCTIONS_EXTENSION_VERSION application setting to the latest runtime version supported by the Microsoft Azure Function App: 

az functionapp config appsettings set 
  --name cc-main-function-app 
  --resource-group cloud-shell-storage-westeurope 
  --settings FUNCTIONS_EXTENSION_VERSION=~4

02 The command output should return the new application settings configured for the selected Azure Function App: 

[
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "python"
	},
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "ENABLE_ORYX_BUILD",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "SCM_DO_BUILD_DURING_DEPLOYMENT",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-main-function-app8adc"
	}
]

03 Repeat steps no. 1 and 2 for each Azure Function App that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 23, 2023

Related Functions rules