Securing Azure Functions with PowerShell
20 Oct
Intro
Azure Functions offer a serverless compute service that enables you to run event-driven code without having to provision or manage infrastructure. However, securing these functions is paramount to protect sensitive data and ensure the integrity of your applications. This blog post will guide you through the best practices for securing Azure Functions using PowerShell, focusing on configurations for network restrictions, identity management, and application settings.
Understanding Azure Functions
Azure Functions is a serverless compute service that enables developers to run code on-demand without having to explicitly provision or manage infrastructure. Functions can be triggered by various events, such as HTTP requests, timers, and messages from other Azure services.
Best Practices for Securing Azure Functions
Network Restrictions
Implement Virtual Network (VNet) Integration
Virtual Network (VNet) integration lets your Azure Functions reach resources inside your VNet over a private path instead of the public internet.
Example: Configuring VNet Integration with PowerShell
# Connect to Azure
Connect-AzAccount
# Define parameters
$resourceGroupName = 'GarsonResourceGroup'
$functionAppName = 'GarsonFunctionApp'
$vnetName = 'GarsonVNet'
$subnetName = 'default'
# Get the VNet and subnet details (regional VNet integration needs a subnet delegated to Microsoft.Web/serverFarms)
$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupName -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
# Configure VNet integration (this governs the function app's outbound traffic; inbound access is restricted separately)
Set-AzWebAppVirtualNetwork -ResourceGroupName $resourceGroupName -Name $functionAppName -VnetName $vnetName -SubnetName $subnetName
Identity Management
Enable Managed Identity
Managed identities eliminate the need for storing credentials in your code. By enabling a managed identity for your function app, you can securely access other Azure resources.
Example: Enabling Managed Identity with PowerShell
# Enable a system-assigned managed identity (Az.Functions exposes this through Update-AzFunctionApp -IdentityType)
Update-AzFunctionApp -ResourceGroupName $resourceGroupName -Name $functionAppName -IdentityType SystemAssigned
Grant Access to Resources
Once the managed identity is enabled, grant it access to other Azure resources, such as Key Vault.
# Define Key Vault parameters
$keyVaultName = 'GarsonKeyVault'
# A function app is a Microsoft.Web/sites resource, so Get-AzWebApp returns its identity object
$functionAppIdentity = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $functionAppName).Identity.PrincipalId
# Set Key Vault access policy: grant only the 'get' permission on secrets (least privilege)
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $functionAppIdentity -PermissionsToSecrets get
Secure Application Settings
Encrypt Application Settings
Application settings often contain sensitive values such as connection strings and API keys. Store these secrets in Azure Key Vault and reference them from the app settings instead of placing the values in the settings themselves.
Example: Storing Secrets in Key Vault and Referencing Them in Function App Settings
# Add a secret to Key Vault
$secretName = 'DatabaseConnectionString'
# The literal below is illustrative only; in a real script read the value from a prompt or pipeline variable rather than embedding it
$secretValue = ConvertTo-SecureString 'Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password=myPassword;' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue $secretValue
# Update function app settings to reference the secret (the app resolves the reference at runtime using its managed identity)
$settings = @{
"DatabaseConnectionString" = "@Microsoft.KeyVault(SecretUri=https://$keyVaultName.vault.azure.net/secrets/$secretName)"
}
Update-AzFunctionAppSetting -ResourceGroupName $resourceGroupName -Name $functionAppName -AppSetting $settings
Configure HTTPS-Only
Ensure that all communications with your function app are encrypted by enforcing HTTPS-only access.
Example: Enforcing HTTPS with PowerShell
# Enforce HTTPS-only (the site-level setting is managed with Set-AzWebApp, which also works for function apps)
Set-AzWebApp -ResourceGroupName $resourceGroupName -Name $functionAppName -HttpsOnly $true
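The following audit script is an added example, not code from the original post; it checks an existing function app against the settings configured above (HTTPS-only, managed identity, Key Vault references for secret-like settings). It assumes the Az.Websites and Az.Functions modules are installed, that Connect-AzAccount has already been run, and the secret-name heuristic in $secretLike is this example's own choice.

```powershell
# Audit a function app's security posture (example code, not part of the original post).
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $FunctionAppName
)

$findings = [System.Collections.Generic.List[string]]::new()

# Get-AzWebApp works for function apps too: both are Microsoft.Web/sites resources.
$site = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $FunctionAppName

# 1. Transport security: HTTPS-only must be on and the minimum TLS version should be 1.2.
if (-not $site.HttpsOnly) {
    $findings.Add('HttpsOnly is disabled; plain HTTP requests are accepted.')
}
if ($site.SiteConfig.MinTlsVersion -ne '1.2') {
    $findings.Add("Minimum TLS version is '$($site.SiteConfig.MinTlsVersion)' (expected 1.2).")
}

# 2. Identity: a managed identity should exist so no credentials need to live in settings.
if (-not $site.Identity -or -not $site.Identity.PrincipalId) {
    $findings.Add('No managed identity is assigned; the app likely relies on stored credentials.')
}

# 3. App settings: secret-like names should hold Key Vault references, not inline values.
#    Both reference forms start with "@Microsoft.KeyVault(" (SecretUri=... or VaultName=...;SecretName=...).
$settings = Get-AzFunctionAppSetting -ResourceGroupName $ResourceGroupName -Name $FunctionAppName
$secretLike = 'connectionstring|password|secret|apikey|token'   # heuristic chosen for this example
foreach ($name in $settings.Keys) {
    $value = [string]$settings[$name]
    if ($name -match $secretLike -and $value -notmatch '^@Microsoft\.KeyVault\(') {
        $findings.Add("Setting '$name' holds an inline value instead of a Key Vault reference.")
    }
}

# Report the result; a non-empty list means the app deviates from the practices in this post.
if ($findings.Count -eq 0) {
    Write-Host "$FunctionAppName passes all checks."
} else {
    Write-Warning "$FunctionAppName has $($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Platform-managed settings such as the Azure Files content connection string may legitimately be flagged by the heuristic; review those findings rather than treating them as failures.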
If you wish to start your journey from the beginning, check out how to get started with PowerShell in Azure: