
Exposed Azure Functions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

To follow Azure cloud security best practices and prevent public exposure, ensure that the functions managed with Microsoft Azure Function App are not publicly accessible. An Azure function is considered publicly accessible when it is configured to allow inbound access through the default (public) endpoint.


In Azure cloud, Function Apps can be deployed with the inbound address being public to the Internet or isolated to an Azure Virtual Network (VNet). By default, a Function App is open to the Internet and can't reach into a virtual network. To reduce the risk of unauthorized access, data breaches, and potential security vulnerabilities, ensure that the functions managed with Microsoft Azure Function App are not exposed to the Internet. Denying public network access blocks all inbound traffic except requests that come from private endpoints.


Audit

To determine if your Azure functions are configured to allow public network access, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Networking to access the networking settings configured for the selected Function App.

07 In the Inbound Traffic section, click on the Access restriction link and check the Allow public access setting status, available under App access. If the Allow public access setting is enabled (i.e. the setting checkbox is selected), the functions managed with the selected Microsoft Azure Function App are configured to allow public network access.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the functionapp list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Function App available in the current subscription:

az functionapp list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

03 Run the functionapp show command (Windows/macOS/Linux) using the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to determine if the selected Function App resource is configured to allow public access:

az functionapp show \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --query 'publicNetworkAccess'

04 The command output should return the requested network configuration information:

"Enabled"

If the functionapp show command output returns "Enabled", as shown in the output example above, the functions managed with the selected Microsoft Azure Function App are configured to allow public network access.

05 Repeat steps no. 3 and 4 for each Azure Function App available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your functions managed with Microsoft Azure Function App are not publicly accessible, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Networking to access the networking settings configured for the selected Function App.

07 In the Inbound Traffic section, click on the Access restriction link to open the page with the access restrictions configured for the selected resource.

08 On the Access restriction configuration page, perform one of the following sets of actions:

  1. To deny public network access entirely, deselect the Allow public access setting checkbox and choose Save to apply the changes.
  2. In Azure Function App, access restrictions allow you to define lists of allow/deny rules to control traffic to your functions. These lists can include IP addresses or Virtual Network (VNet) subnets. Rules are evaluated in priority order. If there are no rules defined, your functions will accept traffic from any IP address, leaving your functions exposed. To configure access restrictions, leave the Allow public access setting checkbox selected, set Unmatched rule action to Deny, and choose Add from the Site access and rules section to add one or more rules in order to allow inbound traffic to your functions from trusted sources only. Select Continue to confirm access denial and choose Save to apply the changes.

09 Repeat steps no. 5 – 8 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the functionapp update command (OSX/Linux/UNIX) using the name of the Azure Function App that you want to configure as the identifier parameter to deny public network access to your Function App entirely. To configure access restrictions for your Azure functions instead, skip this step:

az functionapp update \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --set publicNetworkAccess="Disabled" \
  --query 'publicNetworkAccess'

02 The command output should return the new "publicNetworkAccess" configuration status:

"Disabled"

03 Run the functionapp config access-restriction add command (OSX/Linux/UNIX) using the name of the Azure Function App that you want to configure as the identifier parameter to add an access restriction rule that allows inbound access from a trusted IPv4 address only. The following command example adds an access restriction rule named "function-developer" to the main site, with priority 300, that allows access only from the IPv4 address 10.25.0.50/32:

az functionapp config access-restriction add \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --rule-name function-developer \
  --action Allow \
  --ip-address 10.25.0.50/32 \
  --priority 300

04 The command output should return the configuration information available for access restriction rules:

[
	{
		"action": "Allow",
		"description": null,
		"headers": null,
		"ipAddress": "10.25.0.50/32",
		"name": "function-developer",
		"priority": 300,
		"subnetMask": null,
		"subnetTrafficTag": null,
		"tag": "Default",
		"vnetSubnetResourceId": null,
		"vnetTrafficTag": null
	},
	{
		"action": "Deny",
		"additional_properties": {},
		"description": "Deny all access",
		"headers": null,
		"ip_address": "Any",
		"name": "Deny all",
		"priority": 2147483647,
		"subnet_mask": null,
		"subnet_traffic_tag": null,
		"tag": null,
		"vnet_subnet_resource_id": null,
		"vnet_traffic_tag": null
	}
]

05 Repeat steps no. 1 – 4 for each Azure Function App that you want to configure, available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
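The Audit and Remediation CLI steps above are evaluated per Function App by hand. The script below is an added example (not Conformity's or Microsoft's code) that applies the same decision logic to the JSON returned by az functionapp show and az functionapp config access-restriction show (the latter command is not in the article; it lists the ipSecurityRestrictions rules the step 04 output shows), and prints the article's az functionapp update remediation command for every app it finds exposed. It treats a missing publicNetworkAccess value as Enabled, because the article states the default is open to the Internet, and it treats the catch-all rule with ipAddress "Any" and priority 2147483647 as the "unmatched rule action"; both are assumptions, as is the handling of the mixed camelCase/snake_case keys visible in the article's sample output. The sample data is constructed from the names and rules in the article; --live queries the current subscription instead.

```python
"""Classify Azure Function Apps as exposed / restricted / disabled and plan remediation.

Added example, not from the article or from Microsoft. Assumptions: a null
publicNetworkAccess means Enabled (the default is open); the CLI's catch-all
"Allow all"/"Deny all" rule appears with ipAddress "Any" and priority 2147483647.
"""
from __future__ import annotations

import json
import shlex
import subprocess
import sys
from typing import Optional

CATCH_ALL_PRIORITY = 2147483647  # priority of the implicit unmatched-traffic rule


def is_catch_all(rule: dict) -> bool:
    """True for the implicit rule that decides traffic no explicit rule matches."""
    # The article's output mixes "ipAddress" and "ip_address"; accept both.
    ip = rule.get("ipAddress", rule.get("ip_address"))
    return ip == "Any" or rule.get("priority") == CATCH_ALL_PRIORITY


def unmatched_action(rules: list[dict]) -> str:
    """Action for unmatched traffic; with no rules at all the app allows everything."""
    for rule in rules:
        if is_catch_all(rule):
            return rule.get("action", "Allow")
    return "Allow"


def classify(public_network_access: Optional[str], rules: list[dict]) -> str:
    """Return 'disabled', 'restricted' or 'exposed' for one Function App."""
    if public_network_access == "Disabled":
        return "disabled"      # only private endpoints can reach the app
    if unmatched_action(rules) == "Deny":
        return "restricted"    # allow-list with default deny (article step 08, option 2)
    return "exposed"           # default public endpoint reachable from any address


def remediation_command(name: str, resource_group: str) -> str:
    """The article's remediation: deny public network access entirely."""
    return shlex.join([
        "az", "functionapp", "update",
        "--name", name,
        "--resource-group", resource_group,
        "--set", "publicNetworkAccess=Disabled",
    ])


def audit(apps: list[dict], restrictions: dict[str, list[dict]]) -> list[dict]:
    """apps: items from `az functionapp list -o json`; restrictions: app name -> rules."""
    findings = []
    for app in apps:
        status = classify(app.get("publicNetworkAccess"), restrictions.get(app["name"], []))
        finding = {"name": app["name"], "resourceGroup": app["resourceGroup"], "status": status}
        if status == "exposed":
            finding["remediation"] = remediation_command(app["name"], app["resourceGroup"])
        findings.append(finding)
    return findings


# Constructed sample data, modelled on the article's output (not real resources).
SAMPLE_APPS = [
    {"name": "cc-main-function-app", "resourceGroup": "cloud-shell-storage-westeurope",
     "publicNetworkAccess": "Enabled"},
    {"name": "cc-project5-function-app", "resourceGroup": "cloud-shell-storage-westeurope",
     "publicNetworkAccess": None},
]
SAMPLE_RESTRICTIONS = {
    # After the article's step 03: one allow rule plus the "Deny all" catch-all.
    "cc-main-function-app": [
        {"action": "Allow", "ipAddress": "10.25.0.50/32", "name": "function-developer", "priority": 300},
        {"action": "Deny", "ip_address": "Any", "name": "Deny all", "priority": CATCH_ALL_PRIORITY},
    ],
    # No rules configured: the CLI reports only an "Allow all" catch-all.
    "cc-project5-function-app": [
        {"action": "Allow", "ipAddress": "Any", "name": "Allow all", "priority": CATCH_ALL_PRIORITY},
    ],
}


def audit_sample() -> list[dict]:
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_APPS, SAMPLE_RESTRICTIONS)


def run_az(*args: str):
    """Run an az command and parse its JSON output (requires a logged-in az CLI)."""
    proc = subprocess.run(["az", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    if sys.argv[1:] == ["--live"]:
        live_apps = run_az("functionapp", "list")
        live_rules = {
            a["name"]: run_az("functionapp", "config", "access-restriction", "show",
                              "--name", a["name"], "--resource-group", a["resourceGroup"])["ipSecurityRestrictions"]
            for a in live_apps
        }
        findings = audit(live_apps, live_rules)
    else:
        findings = audit_sample()
    for f in findings:
        print(json.dumps(f))
```

Run it without arguments to see the sample verdicts, or with --live (after az login and az account set for each subscription, mirroring step 06) to print one JSON finding per app; the remediation field is printed, not executed, so the output can be reviewed before any access is denied.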


Publication date Oct 23, 2023
