End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Exposed Azure Function Apps


Risk Level: High (not acceptable risk)
Rule ID: Functions-006

To follow Azure cloud security best practices and prevent public exposure, ensure that the functions managed with Microsoft Azure Function App are not publicly accessible or are secured with IP access restrictions. An Azure Function App is considered publicly accessible when it is configured to allow unrestricted inbound access through the default (public) endpoint without any IP-based access restrictions.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security, Reliability, Cost optimisation, Operational excellence, Sustainability

In Azure cloud, Function Apps can be deployed with either public or private network access. By default, Function Apps are publicly accessible without any IP restrictions, but they can also be isolated to an Azure Virtual Network (VNet) or configured with IP-based access restrictions to control inbound traffic. To reduce the risk of unauthorized access and data breaches, consider carefully whether your Function App needs to be publicly accessible. There are two acceptable secure configurations:

  1. Disable public network access completely - This blocks all inbound traffic except requests from private endpoints, providing the highest level of security.
  2. Enable public access with IP restrictions - This allows access only from specific trusted IP addresses or Virtual Network (VNet) subnets by configuring access restriction rules and ensuring the default "Allow all" rule is removed.

Both approaches effectively prevent unrestricted public access and help protect your Function Apps from unauthorized connections.

Audit

To determine if your Microsoft Azure Function Apps are configured to allow public network access, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking settings available for the selected Function App.

07 In the Inbound traffic configuration section, check the Public network access configuration attribute value. If the Public network access value is Enabled with no access restrictions, or if access restrictions are enabled but the default "Allow all" rule has not been removed, an Allow rule whose source is Any (or 0.0.0.0/0) is present, or the Unmatched rule action is set to Allow, the functions managed with the selected Microsoft Azure Function App are configured to allow unrestricted public network access. A value of Disabled means that only private endpoints can reach the Function App, which is a compliant configuration.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the selected subscription:

az functionapp list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

06 Run functionapp show command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and the associated resource group as the identifier parameters to determine if the selected Function App is configured to allow public access:

az functionapp show
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --query 'publicNetworkAccess'

07 The command output should return the requested network configuration information:

"Enabled"

If the functionapp show command output returns "Enabled", as shown in the output example above, or returns null (Azure treats an unset value as Enabled), the functions managed with the selected Microsoft Azure Function App accept inbound traffic on the public endpoint, and exposure depends on the access restriction rules configured for the main site: the Function App is exposed if the default "Allow all" rule is still present, if any Allow rule matches every source (Any or 0.0.0.0/0), or if the unmatched rule action is Allow rather than Deny. If the command output returns "Disabled", only private endpoints can reach the Function App and no further checks are needed (see the Remediation section for the two accepted configurations).

08 Repeat steps no. 6 and 7 for each Azure Function App available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
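The following script, added here as a worked example and not part of the Conformity rule or of the Azure CLI, applies the decision described in the overview and in the audit steps above to the JSON that az functionapp show (publicNetworkAccess) and az functionapp config access-restriction show (ipSecurityRestrictions, ipSecurityRestrictionsDefaultAction) return, so that a fleet can be evaluated without clicking through each Function App. The exact output keys, the behaviour that an unset unmatched rule action means "Allow all" with no explicit rules and "Deny all" once a rule exists, and the audit_with_az helper that wraps the two CLI commands are assumptions; the sample documents, app names and IP addresses are constructed for the example.

```python
"""Evaluate Azure Function Apps against Conformity rule Functions-006.

Input documents are the JSON returned by two Azure CLI commands:
    az functionapp show --name <app> --resource-group <rg>
    az functionapp config access-restriction show --name <app> --resource-group <rg>
The SAMPLES at the bottom are constructed for this example; they are not real resources.
"""
from __future__ import annotations

import json
import subprocess
from typing import Any

# Source values that make an Allow rule equivalent to the default "Allow all" rule.
CATCH_ALL_SOURCES = {"Any", "0.0.0.0/0", "::/0"}


def _is_catch_all(rule: dict[str, Any]) -> bool:
    return rule.get("ipAddress") in CATCH_ALL_SOURCES


def _is_allow(rule: dict[str, Any]) -> bool:
    return str(rule.get("action") or "Allow").lower() == "allow"


def evaluate(site: dict[str, Any], restrictions: dict[str, Any]) -> dict[str, Any]:
    """Return {"exposed": bool, "reasons": [...]} for one Function App.

    site         - `az functionapp show` output (only publicNetworkAccess is read)
    restrictions - `az functionapp config access-restriction show` output
    Only the main site is checked; the SCM (Kudu) site keeps its own list
    (scmIpSecurityRestrictions), which this rule does not cover.
    """
    # Option 1 on the page: public access disabled, private endpoints only.
    # A null/absent publicNetworkAccess behaves like "Enabled".
    pna = str(site.get("publicNetworkAccess") or "Enabled")
    if pna.lower() == "disabled":
        return {"exposed": False, "reasons": ["publicNetworkAccess is Disabled"]}

    rules = restrictions.get("ipSecurityRestrictions") or []
    explicit = [r for r in rules if not _is_catch_all(r)]
    wide_open = [r for r in rules if _is_catch_all(r) and _is_allow(r)]

    # Unmatched rule action. Assumption: when the property is unset, Azure applies
    # "Allow all" with no explicit rules and "Deny all" once at least one exists.
    default_action = str(restrictions.get("ipSecurityRestrictionsDefaultAction") or "")
    if not default_action:
        default_action = "Deny" if explicit else "Allow"

    reasons: list[str] = []
    if wide_open:
        names = ", ".join(str(r.get("name")) for r in wide_open)
        reasons.append(f"Allow rule matching every source is present: {names}")
    if default_action.lower() != "deny":
        reasons.append(f"unmatched rule action is {default_action}, not Deny")
    if reasons:
        return {"exposed": True, "reasons": reasons}

    allowed = ", ".join(
        str(r.get("ipAddress") or r.get("vnetSubnetResourceId"))
        for r in explicit if _is_allow(r)
    )
    return {"exposed": False, "reasons": [
        f"public access Enabled, unmatched action Deny, allowed sources: {allowed or 'none'}"]}


def audit_with_az(name: str, resource_group: str) -> dict[str, Any]:
    """Hypothetical helper: fetch both documents with the Azure CLI (needs `az login`)."""
    def az(*args: str) -> dict[str, Any]:
        cmd = ["az", *args, "--name", name, "--resource-group", resource_group, "--output", "json"]
        return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

    return evaluate(az("functionapp", "show"),
                    az("functionapp", "config", "access-restriction", "show"))


# Constructed sample documents (illustrative names and addresses).
ALLOW_ALL_RULE = {"action": "Allow", "ipAddress": "Any", "name": "Allow all",
                  "priority": 2147483647, "description": "Allow all access"}
DENY_ALL_RULE = {"action": "Deny", "ipAddress": "Any", "name": "Deny all",
                 "priority": 2147483647, "description": "Deny all access"}
DEV_RULE = {"action": "Allow", "ipAddress": "10.20.30.40/32",
            "name": "function-app-developer", "priority": 300}

SAMPLES = {
    # Freshly created app: public, default "Allow all" rule still present (exposed).
    "cc-main-function-app": (
        {"publicNetworkAccess": "Enabled"},
        {"ipSecurityRestrictions": [ALLOW_ALL_RULE], "ipSecurityRestrictionsDefaultAction": None}),
    # Option 1 applied: public network access disabled (compliant).
    "cc-private-function-app": (
        {"publicNetworkAccess": "Disabled"}, {"ipSecurityRestrictions": [ALLOW_ALL_RULE]}),
    # Option 2 applied: one trusted /32, unmatched action Deny (compliant).
    "cc-project5-function-app": (
        {"publicNetworkAccess": "Enabled"},
        {"ipSecurityRestrictions": [DEV_RULE, DENY_ALL_RULE], "ipSecurityRestrictionsDefaultAction": "Deny"}),
    # Looks restricted, but the single Allow rule covers 0.0.0.0/0 (exposed).
    "cc-wideopen-function-app": (
        {"publicNetworkAccess": None},
        {"ipSecurityRestrictions": [{"action": "Allow", "ipAddress": "0.0.0.0/0", "name": "everyone", "priority": 100}],
         "ipSecurityRestrictionsDefaultAction": "Deny"}),
}


def audit_samples() -> dict[str, bool]:
    """Map each sample app name to whether rule Functions-006 flags it as exposed."""
    return {name: evaluate(site, rules)["exposed"] for name, (site, rules) in SAMPLES.items()}


if __name__ == "__main__":
    for app, (site_doc, rules_doc) in SAMPLES.items():
        verdict = evaluate(site_doc, rules_doc)
        print(f"{app}: {'EXPOSED' if verdict['exposed'] else 'ok'} - {'; '.join(verdict['reasons'])}")
```

Run the file as-is to see the verdict for each constructed sample, or call audit_with_az(name, resource_group) for every row returned by the functionapp list command in step 4 of the audit. The 0.0.0.0/0 case is included deliberately: the portal shows it as an ordinary access restriction rule, yet it is equivalent to the default "Allow all" rule the remediation removes.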

Remediation / Resolution

To ensure that the functions managed with Microsoft Azure Function App are not publicly accessible or are secured with IP access restrictions, perform the following operations. You can choose one of two secure configurations:

  1. Disable public network access completely - Recommended for Function Apps that should only be accessed via private endpoints.
  2. Enable public access with IP restrictions - Configure access restriction rules to allow access only from specific trusted IP addresses or Virtual Network (VNet) subnets, and ensure the default "Allow all" rule is removed.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking settings available for the selected Function App.

07 In the Inbound traffic configuration section, click on the Enabled with no access restrictions link, next to Public network access, to open the page with the network access restrictions configured for the selected Function App.

08 On the Access restriction page, choose one of the following secure configurations:

Option 1: Disable public network access completely

  1. Set Public network access to Disabled.
  2. Choose Save to apply the changes.

Option 2: Enable public access with IP restrictions

  1. Set Public network access to Enabled from selected virtual networks and IP addresses.
  2. Select the Main site tab and set Unmatched rule action to Deny.
  3. If a default "Allow all" rule exists, select it and choose Delete to remove it. This is critical to ensure only your specified IP addresses or VNets can access the Function App.
  4. Choose Add to add one or more access restriction rules to allow inbound traffic to your functions from authorized Virtual Networks (VNets) or trusted IP addresses only. Configure the rule with the appropriate IP address, VNet subnet, or service tag, then choose Add rule to deploy the rule.
  5. Choose Save to apply the changes. Check the By checking this box, you are agreeing to update the access restrictions checkbox and choose Continue to confirm the changes.

09 Repeat steps no. 5 – 8 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Choose one of the following secure configurations:

Option 1: Disable public network access completely

Run functionapp update command (Windows/macOS/Linux) with the name of the Function App that you want to reconfigure and the associated resource group as the identifier parameters to disable public network access for the selected Function App. Once disabled, only requests arriving through private endpoints are accepted:

az functionapp update
	--name cc-main-function-app
	--resource-group cloud-shell-storage-westeurope
	--set publicNetworkAccess="Disabled"
	--query 'publicNetworkAccess'

The command output should return the new configuration status:

"Disabled"

Option 2: Enable public access with IP restrictions


  1. First, remove the default "Allow all" rule if it exists by running functionapp config access-restriction remove command:
    az functionapp config access-restriction remove
    	--name cc-main-function-app
    	--resource-group cloud-shell-storage-westeurope
    	--rule-name "Allow all"
    
  2. Run functionapp update command to set the unmatched rule action (the siteConfig.ipSecurityRestrictionsDefaultAction property) to Deny, so that any request not matched by an explicit Allow rule is rejected:
    az functionapp update
    	--name cc-main-function-app
    	--resource-group cloud-shell-storage-westeurope
    	--set siteConfig.ipSecurityRestrictionsDefaultAction="Deny"
    
  3. Run functionapp config access-restriction add command to add an access restriction rule that allows inbound access from a trusted IPv4 address only. The following example adds a rule named "function-app-developer" that allows access only from IPv4 10.20.30.40/32 with priority 300:
    az functionapp config access-restriction add
    	--name cc-main-function-app
    	--resource-group cloud-shell-storage-westeurope
    	--rule-name function-app-developer
    	--action Allow
    	--ip-address 10.20.30.40/32
    	--priority 300
    
  4. The command output should return the full list of access restriction rules now configured for the main site, including the implicit "Deny all" rule that applies to unmatched traffic once explicit rules exist:
    [
    	{
    		"action": "Allow",
    		"description": null,
    		"headers": null,
    		"ipAddress": "10.20.30.40/32",
    		"name": "function-app-developer",
    		"priority": 300,
    		"subnetMask": null,
    		"subnetTrafficTag": null,
    		"tag": "Default",
    		"vnetSubnetResourceId": null,
    		"vnetTrafficTag": null
    	},
    	{
    		"action": "Deny",
    		"description": "Deny all access",
    		"headers": null,
    		"ipAddress": "Any",
    		"name": "Deny all",
    		"priority": 2147483647,
    		"subnetMask": null,
    		"subnetTrafficTag": null,
    		"tag": null,
    		"vnetSubnetResourceId": null,
    		"vnetTrafficTag": null
    	}
    ]
    

05 Repeat step no. 4 for each Azure Function App that you want to configure, available within the current subscription.

06 Repeat steps no. 3 – 5 for each subscription created in your Microsoft Azure cloud account.

Publication date Oct 23, 2023