
Use Private Endpoints for Azure Function Apps

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

To reduce exposure to external threats and strengthen the overall security of your Function App interactions, ensure that your Microsoft Azure Function Apps are accessed exclusively through private endpoint connections, i.e. public network access is disabled and at least one private endpoint is attached to the app. Private endpoints are only available for functions hosted in the Premium and App Service (Dedicated) plans; Function Apps on the Consumption plan cannot be remediated in place and must be moved to a supported plan first.

Security

Using private endpoints for Azure Function Apps enables secure access over Azure Private Link. A private endpoint is a network interface that takes an IP address from a subnet of your virtual network, so client traffic to the Function App travels over the Microsoft Azure backbone network instead of the public Internet. Combined with public network access set to Disabled, this removes the app's public endpoint from the attack surface, confines inbound access to the virtual network and to on-premises networks connected through Azure VPN Gateway or ExpressRoute with private peering, and helps maintain compliance with regulatory requirements and organizational policies that mandate strict network access controls. Two caveats apply. First, an inbound private endpoint governs who can reach the Function App; it does not control the app's own outbound traffic, which requires virtual network integration. Second, the private endpoint also covers the app's scm (Kudu) host, so once public access is disabled, deployments, log streaming, and the portal's test and console features only work from a network that can reach the private endpoint; hosted CI/CD agents on the public Internet will be refused.


Audit

To determine if network access to Azure Function Apps is allowed via private endpoints only, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking settings available for the selected Function App.

07 In the Inbound traffic configuration section, perform the following checks:

  1. Check the Public network access configuration attribute value to determine the level of access configured for the selected Function App. If the Public network access value is Disabled, network access via public endpoints or selected networks is disabled, therefore, you can continue the Audit process with the next step. If the value is Enabled with no access restrictions or Enabled with access restrictions, the public endpoint still answers requests (subject to any IP/service tag rules), therefore, the selected Microsoft Azure Function App is not configured to allow network access via private endpoints only, and the Audit process stops here.
  2. Check the Private endpoints attribute value. If the Private endpoints value is Not supported, the selected Function App is not hosted within the Premium or App Service plan and cannot use private endpoints. If Private endpoints is set to 0 private endpoints, there are no private endpoints deployed for the resource, therefore, the selected Microsoft Azure Function App is not configured to allow network access via private endpoints only (with public access already disabled, the app is unreachable from any network until a private endpoint is added).

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the selected subscription:

az functionapp list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

06 Run functionapp show command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and the associated resource group as the identifier parameters to determine if the public network access to the selected Function App is disabled:

az functionapp show
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --query 'publicNetworkAccess'

07 The command output should return the requested network configuration information:

"Disabled"

If the functionapp show command output returns "Disabled", as shown in the output example above, network access via public endpoints or selected networks is disabled for the selected Function App, therefore, you can continue the Audit process with the next step. If the command returns "Enabled" or an empty value (the property is unset, which behaves as Enabled), the public endpoint still accepts traffic, therefore, the selected Microsoft Azure Function App is not configured to allow network access via private endpoints only, and the Audit process stops here.

08 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the ID of each Azure Function App available in the selected subscription:

az functionapp list
  --query '[*].id'

09 The command output should return the requested Function App IDs:

[
	"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-function-app",
	"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-function-app"
]

10 Run network private-endpoint-connection list command (Windows/macOS/Linux) to list all the private endpoint connections deployed for the selected Azure Function App:

az network private-endpoint-connection list
  --id "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-function-app"

11 The command output should return the information available for the deployed private endpoint connections:

[]

If the network private-endpoint-connection list command output returns an empty array, i.e. [], there are no private endpoint connections associated with your resource, therefore, the selected Microsoft Azure Function App is not configured to allow network access via private endpoints only.

12 Repeat steps no. 6 – 11 for each Azure Function App available within the current Azure subscription.

13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.
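The CLI steps above can be folded into one script. The following is an added example, not part of the Conformity article, that walks every subscription visible to the signed-in Azure CLI identity, gathers the same three facts the Audit section inspects (the publicNetworkAccess property, the number of private endpoint connections, and the hosting plan tier), and prints one verdict per Function App. It assumes the Azure CLI is installed and logged in; the plan tier is read from the App Service plan's sku.tier, where the Consumption plan reports "Dynamic". The evaluate function is pure string logic so it can be exercised without Azure access.

```shell
#!/usr/bin/env sh
# Added example (not from the Conformity article): audit Function Apps for
# private-endpoint-only access across all subscriptions.
# Assumes: az CLI installed and authenticated (az login).

# Classify one Function App from three facts collected with the CLI:
#   $1  publicNetworkAccess value ("Enabled", "Disabled", or empty when unset)
#   $2  number of private endpoint connections attached to the app
#   $3  App Service plan SKU tier (e.g. Dynamic, ElasticPremium, PremiumV2)
# Prints one verdict token; PASS means the app is private-endpoint-only.
evaluate() {
  pna="$1"; pe_count="$2"; tier="$3"
  # Consumption plans ("Dynamic" tier) cannot have private endpoints at all.
  if [ "$tier" = "Dynamic" ]; then
    echo "FAIL_PLAN_UNSUPPORTED"; return 0
  fi
  # An unset property behaves like "Enabled": the public endpoint answers.
  if [ "$pna" != "Disabled" ]; then
    echo "FAIL_PUBLIC_ACCESS_ENABLED"; return 0
  fi
  # Public access is off; without a private endpoint nothing can reach the app.
  case "$pe_count" in
    ''|0) echo "FAIL_NO_PRIVATE_ENDPOINT"; return 0 ;;
  esac
  echo "PASS"
}

# Scan one subscription. Output is TSV: resource group, app name, verdict.
# Uses --subscription on the list call and --ids/--id on the per-app calls,
# so the active subscription (az account set) is never changed.
scan_subscription() {
  sub="$1"
  az functionapp list --subscription "$sub" \
    --query "[].[name,resourceGroup,id,appServicePlanId]" -o tsv |
  while IFS="$(printf '\t')" read -r name rg id plan_id; do
    pna=$(az functionapp show --ids "$id" --query publicNetworkAccess -o tsv)
    pe_count=$(az network private-endpoint-connection list --id "$id" \
                 --query 'length(@)' -o tsv)
    tier=$(az appservice plan show --ids "$plan_id" --query sku.tier -o tsv)
    printf '%s\t%s\t%s\n' "$rg" "$name" "$(evaluate "$pna" "$pe_count" "$tier")"
  done
}

# Walk every subscription. Output is TSV: subscription, resource group, app, verdict.
scan_all() {
  for sub in $(az account list --query "[].id" -o tsv); do
    scan_subscription "$sub" | while IFS="$(printf '\t')" read -r rg name verdict; do
      printf '%s\t%s\t%s\t%s\n' "$sub" "$rg" "$name" "$verdict"
    done
  done
}

# Only talk to Azure when explicitly asked, so the file can also be sourced
# for its evaluate() function.
if [ "${1:-}" = "--scan" ]; then
  scan_all
fi
```

Run it as sh audit-functionapp-pe.sh --scan and filter for lines that do not end in PASS. A private endpoint connection is counted whether or not it has been approved; if you use manual approval, inspect the pending connections separately before treating PASS as final.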

Remediation / Resolution

To ensure that your Microsoft Azure Function Apps are accessed exclusively through private endpoint connections, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking settings available for the selected Function App.

07 In the Inbound traffic configuration section, click on the Enabled with no access restrictions/Enabled with access restrictions link next to Public network access, to open the page with the network access restrictions configured for the selected Function App.

08 On the Access restriction page, in the App access section, set Public network access to Disabled to disable public network access. Choose Save to apply the changes. Check the By checking this box, you are agreeing to update the access restrictions checkbox and choose Continue to confirm the changes. Once the network configuration is updated, no public network can reach the app, and any IP or service tag rules become irrelevant. Private endpoint connections will be the exclusive way to access your Function App, including its scm (Kudu) host. If the app is already serving traffic, create and validate the private endpoint (step no. 9) before disabling public access, otherwise the app is unreachable in the interval between the two steps.

09 Navigate back to the Networking page, click on the 0 private endpoints link next to Private endpoints, choose Add, select Advanced, and perform the following actions to create a new private endpoint:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the private endpoint instance in the Name box.
    4. For Network Interface Name, enter a name for the associated network interface (NIC).
    5. For Region, select the Azure cloud region where the private endpoint instance will be deployed.
    6. Choose Next : Resource > to continue the setup process.
  2. For Resource, select sites from the Target sub-resource dropdown list. Choose Next : Virtual Network > to continue the setup.
  3. For Virtual Network, perform the following actions:
    1. For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your private endpoint.
    2. For Subnet, select the VNet subnet where the private endpoint will be deployed.
    3. (Optional) For Network policy for private endpoints, choose (edit) next to Disabled to configure network policies for the selected VNet subnet.
    4. For Private IP configuration, choose whether to dynamically or statically allocate the private IP address.
    5. (Optional) For Application security group, choose Create to create an Application Security Group (ASG) if required. ASGs allow you to configure network security by grouping virtual machines and defining policies based on these groups.
    6. Choose Next : DNS > to continue.
  4. For DNS, select Yes for Integrate with private DNS zone under Private DNS integration, to integrate your private endpoint with a private DNS zone. The zone for App Service and Function Apps is privatelink.azurewebsites.net; the wizard creates it (or reuses an existing one), links it to the selected virtual network, and adds the A records for the app and its scm host, so that clients inside the network resolve the app's hostname to the private IP address. Ensure that the correct subscription and resource group are selected for the private DNS zone. Choose Next : Tags > to continue the setup.
  5. For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the private endpoint setup.
  6. For Review + create, review the resource configuration details, then choose Create to create your new private endpoint.

10 Repeat steps no. 5 – 9 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp update command (Windows/macOS/Linux) with the name of the Azure Function App that you want to configure and the associated resource group as the identifier parameters to disable public network access for the selected Function App:

az functionapp update
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --set publicNetworkAccess="Disabled"
  --query 'publicNetworkAccess'

05 The command output should return the new "publicNetworkAccess" configuration status:

"Disabled"

06 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the ID of each Azure Function App available in the selected subscription:

az functionapp list
  --query '[*].id'

07 The command output should return the requested Function App IDs:

[
	"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-function-app",
	"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-function-app"
]

08 Run network private-endpoint create command (Windows/macOS/Linux) to create and attach a private endpoint to your Microsoft Azure Function App. Use the --private-connection-resource-id command parameter to specify the resource ID of your Function App, and --group-id sites to target the app together with its scm host. Unlike the console wizard, this command does not create or link a private DNS zone; without a privatelink.azurewebsites.net zone linked to the virtual network (see the DNS step in the console procedure above), clients inside the network keep resolving the app's public address and are refused once public access is disabled:

az network private-endpoint create
  --name tm-function-private-endpoint
  --resource-group cloud-shell-storage-westeurope
  --vnet-name tm-project5-vnet
  --subnet default
  --private-connection-resource-id "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-function-app"
  --connection-name tm-function-app-private-connection
  --group-id sites
  --location westeurope

09 The command output should return the new private endpoint configuration information:

{
	"customDnsConfigs": [
		{
			"fqdn": "cc-main-function-app.azurewebsites.net",
			"ipAddresses": [
			"10.0.0.4"
			]
		},
		{
			"fqdn": "cc-main-function-app.scm.azurewebsites.net",
			"ipAddresses": [
			"10.0.0.4"
			]
		}
	],
	"customNetworkInterfaceName": "",
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/tm-function-private-endpoint",
	"ipConfigurations": [],
	"location": "westeurope",
	"manualPrivateLinkServiceConnections": [],
	"name": "tm-function-private-endpoint",
	"networkInterfaces": [
		{
			"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/tm-function-private-endpoint.nic.abcd1234-abcd-1234-abcd-1234abcd1234",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"privateLinkServiceConnections": [
		{
			"groupIds": [
				"sites"
			],
			"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/tm-function-private-endpoint/privateLinkServiceConnections/tm-function-app-private-connection",
			"name": "tm-function-app-private-connection",
			"privateLinkServiceConnectionState": {
				"actionsRequired": "None",
				"description": "",
				"status": "Approved"
			},
			"privateLinkServiceId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-function-app",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
		}
	],
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"subnet": {
		"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/default",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"type": "Microsoft.Network/privateEndpoints"
}

10 Repeat steps no. 4 - 9 for each Azure Function App that you want to configure, available within the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
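The CLI remediation above leaves two things to the operator: the private DNS zone that the console wizard creates automatically, and the order of operations. The following is an added example, not part of the Conformity article, that performs the full remediation for one Function App in an outage-free order: create the private DNS zone and link it to the virtual network, create the private endpoint, attach a DNS zone group so the A records are written into the zone, and only then disable public network access. It assumes the Azure CLI is logged in, that the virtual network and subnet already exist, and that the names passed in are placeholders of your choosing; the private endpoint and connection names are derived from the app name.

```shell
#!/usr/bin/env sh
# Added example (not from the Conformity article): put a Function App behind a
# private endpoint, with DNS, and then cut public network access.
# Assumes: az CLI authenticated; VNet and subnet already exist;
# the app is on a Premium or App Service plan.

ZONE="privatelink.azurewebsites.net"   # Private Link DNS zone for App Service

# Refuse to start if any of the five required values is missing, so no
# partial change is made. Usage: validate_inputs RG APP VNET SUBNET LOCATION
validate_inputs() {
  for v in "$@"; do
    [ -n "$v" ] || return 1
  done
  [ "$#" -eq 5 ]
}

# Usage: remediate RG APP VNET SUBNET LOCATION
remediate() {
  validate_inputs "$@" || {
    echo "usage: remediate RG APP VNET SUBNET LOCATION" >&2; return 2
  }
  rg="$1"; app="$2"; vnet="$3"; subnet="$4"; location="$5"
  app_id=$(az functionapp show --name "$app" --resource-group "$rg" \
             --query id -o tsv)

  # 1. Private DNS zone, linked to the VNet without auto-registration, so that
  #    <app>.azurewebsites.net resolves to the private IP inside the network.
  az network private-dns zone create --resource-group "$rg" --name "$ZONE" \
    --output none
  az network private-dns link vnet create --resource-group "$rg" \
    --zone-name "$ZONE" --name "${vnet}-link" --virtual-network "$vnet" \
    --registration-enabled false --output none

  # 2. The private endpoint; group-id "sites" covers the app and its scm host.
  az network private-endpoint create --resource-group "$rg" \
    --name "${app}-pe" --vnet-name "$vnet" --subnet "$subnet" \
    --location "$location" --private-connection-resource-id "$app_id" \
    --group-id sites --connection-name "${app}-pe-conn" --output none

  # 3. DNS zone group: Azure writes and maintains the A records in the zone.
  az network private-endpoint dns-zone-group create --resource-group "$rg" \
    --endpoint-name "${app}-pe" --name default \
    --private-dns-zone "$ZONE" --zone-name sites --output none

  # 4. Private path is in place; now close the public endpoint.
  az functionapp update --name "$app" --resource-group "$rg" \
    --set publicNetworkAccess=Disabled --output none

  # 5. Re-check the two facts the Audit section inspects.
  pna=$(az functionapp show --ids "$app_id" --query publicNetworkAccess -o tsv)
  pe=$(az network private-endpoint-connection list --id "$app_id" \
         --query 'length(@)' -o tsv)
  echo "$app: publicNetworkAccess=$pna privateEndpointConnections=$pe"
}

# Only change Azure when explicitly asked; the functions can also be sourced.
if [ "${1:-}" = "--apply" ]; then
  shift
  set -e
  remediate "$@"
fi
```

Run it as sh remediate-functionapp-pe.sh --apply cloud-shell-storage-westeurope cc-main-function-app tm-project5-vnet default westeurope. Afterwards, from a VM in the linked virtual network, nslookup cc-main-function-app.azurewebsites.net should return the private endpoint's address from the subnet, while the same lookup from the Internet still returns a public address whose requests are now refused with HTTP 403.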


Publication date Oct 23, 2023