To follow Azure cloud security best practices and prevent public exposure, ensure that the functions managed with Microsoft Azure Function App are not publicly accessible. An Azure function is considered publicly accessible when it is configured to allow inbound access through the default (public) endpoint.
In Azure cloud, Function Apps can be deployed with the inbound address being public to the Internet or isolated to an Azure Virtual Network (VNet). By default, a Function App is open to the Internet and can't reach into a virtual network. To reduce the risk of unauthorized access, data breaches, and potential security vulnerabilities, ensure that the functions managed with Microsoft Azure Function App are not exposed to the Internet. Denying public network access blocks all inbound traffic except requests that come from private endpoints.
Audit
To determine if your Azure functions are configured to allow public network access, perform the following operations:
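One way to run this check over JSON collected with the `az functionapp show` command listed in the references. This is an added example, not Conformity's own audit procedure. It assumes each site object exposes a top-level `publicNetworkAccess` field; the app and resource group names are constructed sample data.

```python
"""Flag Function Apps whose default (public) endpoint still accepts inbound traffic.

Input: one site object or a JSON array of them, e.g. collected per app with
`az functionapp show`. Assumption: each object carries a top-level
`publicNetworkAccess` field ("Enabled", "Disabled", or null when never set).
"""
import json
import sys

# Constructed sample data, not output from a real subscription.
SAMPLE = [
    {"name": "fn-orders", "resourceGroup": "rg-prod", "publicNetworkAccess": "Disabled"},
    {"name": "fn-billing", "resourceGroup": "rg-prod", "publicNetworkAccess": "Enabled"},
    {"name": "fn-legacy", "resourceGroup": "rg-dev", "publicNetworkAccess": None},
    {"name": "fn-new", "resourceGroup": "rg-dev"},  # field missing entirely
]


def classify(site):
    """Return 'private', 'public' or 'unset' for one site object."""
    value = site.get("publicNetworkAccess")
    if value is None or not str(value).strip():
        return "unset"
    return "private" if str(value).strip().lower() == "disabled" else "public"


def audit(sites):
    """Return a finding for every app that is not explicitly 'Disabled'.

    'unset' is reported too, because a Function App is open to the
    Internet by default.
    """
    findings = []
    for site in sites:
        state = classify(site)
        if state != "private":
            findings.append({
                "name": site.get("name", "<unknown>"),
                "resourceGroup": site.get("resourceGroup", "<unknown>"),
                "state": state,
            })
    return findings


if __name__ == "__main__":
    # Pipe real JSON on stdin; with no input the constructed sample is used.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    sites = json.loads(text) if text.strip() else SAMPLE
    for f in audit([sites] if isinstance(sites, dict) else sites):
        print(f"FAIL {f['resourceGroup']}/{f['name']}: publicNetworkAccess is {f['state']}")
```
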
Remediation / Resolution
To ensure that your functions managed with Microsoft Azure Function App are not publicly accessible, perform the following operations:
References
- Azure Official Documentation
- Azure Functions networking options
- Azure App Service access restrictions
- Set up Azure App Service access restrictions
- Azure Command Line Interface (CLI) Documentation
- az functionapp list
- az functionapp show
- az functionapp config access-restriction add
- az functionapp update
You are auditing:
Exposed Azure Functions
Risk Level: High