
Enable Virtual Network Integration for Azure Functions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

To follow Azure networking best practices and securely access cloud resources inside your Azure Virtual Network (VNet), ensure that Virtual Network integration is enabled for your Microsoft Azure Function Apps. With Virtual Network integration (and its Route All setting enabled), outbound traffic from your Function App is routed through a VNet that you control, where network security groups, route tables and firewalls can restrict it to specific, trusted destinations only.

Pillars: Security, Reliability, Cost optimisation, Operational excellence, Sustainability

Virtual Network integration lets your Azure Function App reach resources inside a Virtual Network (VNet). It is an outbound-only feature: it does not grant inbound private access, so integration on its own does not make the Function App reachable only from a private network. Restricting inbound access requires separate controls such as private endpoints or access restrictions. The feature is used for outbound calls from your Function App into the VNet (databases, storage accounts with private endpoints, on-premises systems reachable over VPN or ExpressRoute). Note that the Consumption plan does not support Virtual Network integration; the Function App must run on a Premium or Dedicated (App Service) plan. Virtual Network integration is valuable for organizations that prioritize network security, compliance, and data privacy while using serverless computing in Azure.


Audit

To determine if Virtual Network (VNet) integration is enabled for your Azure Function Apps, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Networking to access the networking settings configured for the selected Function App.

07 In the Outbound Traffic section, check the VNet integration status listed under Features. If the status is Off, the Virtual Network integration feature is not enabled for the selected Microsoft Azure Function App.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the functionapp list command (Windows/macOS/Linux) with a custom query filter to list the name and the associated resource group of each Azure Function App available in the current subscription:

az functionapp list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

03 Run the functionapp show command (Windows/macOS/Linux) using the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters, to determine whether Virtual Network integration is enabled for the selected Function App:

az functionapp show \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --query 'siteConfig.vnetName'

04 The command output returns the name of the integration subnet recorded in the site configuration, or an empty string when no Virtual Network integration is configured:

""

If the functionapp show command output returns an empty string, i.e. "", as shown in the output example above, the Virtual Network integration feature is not enabled for the selected Microsoft Azure Function App.

05 Repeat step no. 3 and 4 for each Azure Function App available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
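The audit above can be run across every subscription in one pass. The following script is an added example, not Conformity's own check or tooling. It assumes an Azure CLI 2.x session that is already signed in, that the top-level site property virtualNetworkSubnetId holds the integration subnet resource ID (null when the app is not integrated; az renders a null as an empty field with --output tsv), and that the signed-in identity can read Function Apps in each enabled subscription. The classification logic is kept in a separate function so it can be checked without calling Azure.

```shell
#!/bin/sh
# Added example (not part of the Conformity knowledge base): list every Function App in every
# enabled subscription and report whether Virtual Network integration is configured.
# Assumptions: az CLI 2.x, already logged in; 'virtualNetworkSubnetId' is the top-level
# site property holding the integration subnet (null, i.e. empty in tsv, when not integrated).
set -eu

# Classify a Function App from its virtualNetworkSubnetId value.
# Prints "enabled" for a subnet resource ID, "disabled" for an empty/null value,
# "unknown" for anything else (so an unexpected CLI output shape is never reported as compliant).
vnet_status() {
    case "${1:-}" in
        ""|null|None) echo "disabled" ;;
        /subscriptions/*/providers/Microsoft.Network/virtualNetworks/*/subnets/*) echo "enabled" ;;
        *) echo "unknown" ;;
    esac
}

# Audit one subscription: one tab-separated line per Function App
# (subscription id, resource group, app name, status).
audit_subscription() {
    sub_id="$1"
    az functionapp list --subscription "$sub_id" \
        --query "[].[name, resourceGroup, virtualNetworkSubnetId]" \
        --output tsv |
    while IFS="$(printf '\t')" read -r name rg subnet; do
        printf '%s\t%s\t%s\t%s\n' "$sub_id" "$rg" "$name" "$(vnet_status "$subnet")"
    done
}

# Audit every enabled subscription the identity can see; exit 1 if any app is not integrated,
# so the script can gate a pipeline.
audit_all() {
    report="$(mktemp)"
    for sub in $(az account list --query "[?state=='Enabled'].id" --output tsv); do
        audit_subscription "$sub"
    done > "$report"
    cat "$report"
    if grep -q 'disabled$' "$report"; then
        rm -f "$report"
        echo "one or more Function Apps have no Virtual Network integration" >&2
        return 1
    fi
    rm -f "$report"
}

# Run the full audit only when invoked as: sh audit-funcapp-vnet.sh --run
case "${1:-}" in
    --run) audit_all ;;
esac
```

Apps on the Consumption plan will always show as "disabled" here; that is a finding to act on by moving them to a Premium or Dedicated plan, not a false positive.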

Remediation / Resolution

To ensure that Virtual Network integration is enabled for your Microsoft Azure Function Apps, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Networking to access the networking settings configured for the selected Function App.

07 In the Outbound Traffic section, click on the VNet integration link to access the networking feature configuration page.

08 Choose Add VNet under VNet Configuration to set up the Virtual Network integration for the selected Azure Function App.

09 On the Add VNet integration panel, choose the appropriate subscription from the Subscription list, select the Azure Virtual Network that you want to use from the Virtual Network dropdown list, and choose whether to create a new VNet subnet for integration or use an existing one (the subnet is delegated to Microsoft.Web/serverFarms and should not be shared with other resource types). Choose OK to apply the changes. Outbound traffic from the Function App to private (RFC 1918) addresses now flows through the selected subnet; verify that Route All is enabled under Outbound Traffic if traffic to public endpoints must also pass through the VNet, because without it only private-address traffic is routed.

10 Repeat steps no. 5 – 9 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the functionapp vnet-integration add command (Windows/macOS/Linux) using the name of the Azure Function App that you want to configure and its resource group as the identifier parameters, together with the target Virtual Network and the subnet to integrate with (the subnet must be delegated to Microsoft.Web/serverFarms; pass the subnet resource ID for --subnet if the VNet lives in another resource group), to enable and configure Virtual Network integration for the selected Function App:

az functionapp vnet-integration add \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --vnet cc-main-function-app-vnet \
  --subnet default

02 The command output should return the Virtual Network integration configuration for the Function App. A vnetRouteAllEnabled value of true means all outbound traffic, not only RFC 1918 destinations, is routed through the VNet:

{
	"vnetName": "1234abcd-1234-abcd-1234-abcd1234abcd_default",
	"location": "westeurope",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"vnetPrivatePortsCount": 0,
	"etag": "\"abcdabcd-1234-abcd-1234-abcdabcdabcd\"",
	"virtualNetworkSubnetId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-main-function-app-vnet/subnets/default",
	"vnetContentShareEnabled": false,
	"vnetImagePullEnabled": false,
	"vnetRouteAllEnabled": true
}

03 Repeat steps no. 1 and 2 for each Azure Function App that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
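Before running vnet-integration add in bulk it is worth checking the two prerequisites that most often make the remediation fail: the hosting plan tier and the subnet delegation. The script below is an added example, not Conformity's or Microsoft's tooling. It assumes an Azure CLI 2.x session that is signed in, that the VNet sits in the same resource group as the Function App (otherwise pass resource IDs), that the App Service plan exposes its tier at sku.tier, that Consumption plans report the tier "Dynamic", and that az functionapp config set accepts --vnet-route-all-enabled on your CLI version (check with --help; the legacy WEBSITE_VNET_ROUTE_ALL=1 app setting is the fallback). The decision helpers are separate functions so they can be checked without calling Azure.

```shell
#!/bin/sh
# Added example (not part of the Conformity knowledge base): enable Virtual Network integration
# for one Function App after checking the plan tier and the subnet delegation.
# Assumptions: az CLI 2.x, logged in; VNet in the same resource group as the app; Consumption
# plans report sku.tier "Dynamic"; 'az functionapp config set --vnet-route-all-enabled' exists
# on this CLI version (verify with --help).
set -eu

# Return 0 when a plan SKU tier can host a VNet-integrated app.
# Consumption ("Dynamic") plans and the Free/Shared App Service tiers cannot.
plan_supports_vnet() {
    case "$1" in
        Dynamic|Free|Shared) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 when the newline-separated delegation list (as printed by az --output tsv)
# contains the App Service delegation that VNet integration requires.
subnet_is_delegated() {
    printf '%s\n' "$1" | grep -qx 'Microsoft.Web/serverFarms'
}

# enable_vnet_integration <app-name> <resource-group> <vnet-name> <subnet-name>
enable_vnet_integration() {
    app="$1"; rg="$2"; vnet="$3"; subnet="$4"

    # 1. Refuse early on a plan that cannot be integrated (the CLI error is less explicit).
    plan_id="$(az functionapp show --name "$app" --resource-group "$rg" \
               --query appServicePlanId --output tsv)"
    tier="$(az appservice plan show --ids "$plan_id" --query sku.tier --output tsv)"
    if ! plan_supports_vnet "$tier"; then
        echo "$app: plan tier '$tier' cannot use VNet integration; move it to a Premium or Dedicated plan first" >&2
        return 1
    fi

    # 2. Delegate the subnet to Microsoft.Web/serverFarms if that has not been done yet.
    delegations="$(az network vnet subnet show --resource-group "$rg" --vnet-name "$vnet" \
                   --name "$subnet" --query "delegations[].serviceName" --output tsv)"
    if ! subnet_is_delegated "$delegations"; then
        echo "$app: delegating $vnet/$subnet to Microsoft.Web/serverFarms" >&2
        az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" \
            --name "$subnet" --delegations Microsoft.Web/serverFarms --output none
    fi

    # 3. Integrate, then force all outbound traffic (not only RFC 1918) through the VNet.
    az functionapp vnet-integration add --name "$app" --resource-group "$rg" \
        --vnet "$vnet" --subnet "$subnet" --output none
    az functionapp config set --name "$app" --resource-group "$rg" \
        --vnet-route-all-enabled true --output none

    # 4. Verify: the site must now carry the integration subnet resource ID.
    az functionapp show --name "$app" --resource-group "$rg" \
        --query virtualNetworkSubnetId --output tsv
}

# Usage: sh enable-funcapp-vnet.sh --run cc-main-function-app cloud-shell-storage-westeurope cc-main-function-app-vnet default
case "${1:-}" in
    --run) shift; enable_vnet_integration "$@" ;;
esac
```

The final az functionapp show call doubles as the post-remediation audit: an empty result means the integration was not persisted and the app should still be treated as non-compliant.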


Publication date Oct 23, 2023