01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the subscriptions available in your Azure cloud account:
az account list \
  --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
"abcdabcd-1234-abcd-1234-abcdabcdabcd",
"abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure subscription that you want to examine as the identifier parameter, to make the selected subscription the current active subscription (the command does not produce any output):
az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run the network nsg create command (Windows/macOS/Linux) to create a new Network Security Group (NSG) for your Microsoft Azure Function App:
az network nsg create \
  --name cc-function-app-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --query 'NewNSG.provisioningState'
05 The command output should return the NSG provisioning status:
06 Run the network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to allow inbound traffic from known, trusted IP addresses on specific ports only (the rule below uses 10.20.30.40/32 and TCP port 443 as example values):
az network nsg rule create \
  --name AllowHTTPSInbound \
  --nsg-name cc-function-app-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --priority 300 \
  --source-address-prefixes 10.20.30.40/32 \
  --destination-port-ranges 443 \
  --destination-address-prefixes '*' \
  --description "Allow inbound traffic on TCP port 443 (HTTPS) only"
07 The command output should return the information available for the new NSG rule:
{
"access": "Allow",
"description": "Allow inbound traffic on TCP port 443 (HTTPS) only",
"destinationAddressPrefix": "*",
"destinationAddressPrefixes": [],
"destinationPortRange": "443",
"destinationPortRanges": [],
"direction": "Inbound",
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-function-app-nsg/securityRules/AllowHTTPSInbound",
"name": "AllowHTTPSInbound",
"priority": 300,
"protocol": "Tcp",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"sourceAddressPrefix": "10.20.30.40/32",
"sourceAddressPrefixes": [],
"sourcePortRange": "*",
"sourcePortRanges": [],
"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}
08 Run the network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to allow outbound traffic to known, trusted IP addresses on specific ports only (the rule below uses 10.20.30.40/32 and TCP port 443 as example values):
az network nsg rule create \
  --name AllowHTTPSOutbound \
  --nsg-name cc-function-app-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --direction Outbound \
  --access Allow \
  --protocol Tcp \
  --priority 500 \
  --source-address-prefixes '*' \
  --destination-port-ranges 443 \
  --destination-address-prefixes 10.20.30.40/32 \
  --description "Allow outbound traffic on TCP port 443 (HTTPS) only"
09 The command output should return the information available for the new NSG rule:
{
"access": "Allow",
"description": "Allow outbound traffic on TCP port 443 (HTTPS) only",
"destinationAddressPrefix": "10.20.30.40/32",
"destinationAddressPrefixes": [],
"destinationPortRange": "443",
"destinationPortRanges": [],
"direction": "Outbound",
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-function-app-nsg/securityRules/AllowHTTPSOutbound",
"name": "AllowHTTPSOutbound",
"priority": 500,
"protocol": "Tcp",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"sourceAddressPrefix": "*",
"sourceAddressPrefixes": [],
"sourcePortRange": "*",
"sourcePortRanges": [],
"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}
10 Run the functionapp vnet-integration list command (Windows/macOS/Linux) with the name of the Azure Function App that you want to configure and its resource group as the identifier parameters, to list the ID of the Virtual Network Integration subnet configured for the selected Function App:
az functionapp vnet-integration list \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --query '[*].vnetResourceId'
11 The command output should return the resource ID of the Virtual Network Integration subnet:
[
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001"
]
12 Run the network vnet subnet update command (Windows/macOS/Linux) to associate the Network Security Group (NSG) created earlier in the Remediation process with the VNet subnet that your Function App uses for Virtual Network Integration:
az network vnet subnet update \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001" \
  --network-security-group cc-function-app-nsg
13 The command output should return the information available for the configured VNet subnet:
{
"addressPrefix": "10.0.2.0/24",
"delegations": [
{
"actions": [
"Microsoft.Network/virtualNetworks/subnets/action"
],
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001/delegations/delegation",
"name": "delegation",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"serviceName": "Microsoft.Web/serverfarms",
"type": "Microsoft.Network/virtualNetworks/subnets/delegations"
}
],
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001",
"name": "project5-vnet-001",
"networkSecurityGroup": {
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-function-app-nsg",
"resourceGroup": "cloud-shell-storage-westeurope"
},
"privateEndpointNetworkPolicies": "Disabled",
"privateLinkServiceNetworkPolicies": "Enabled",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"serviceAssociationLinks": [
{
"allowDelete": false,
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001/serviceAssociationLinks/AppServiceLink",
"link": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/serverfarms/ASP-cloudshellstoragewesteurope-aa14",
"linkedResourceType": "Microsoft.Web/serverfarms",
"locations": [],
"name": "AppServiceLink",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"type": "Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks"
}
],
"type": "Microsoft.Network/virtualNetworks/subnets"
}
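Steps 6 to 9 create rules that follow one pattern (a trusted prefix on the side facing the untrusted network, a single destination port, one protocol), and steps 10 to 13 attach the NSG to the integration subnet. The following Python audit, added here as an example and not part of the original remediation page or of the Azure CLI, checks both outcomes offline against the JSON shapes shown above: it flags any Allow rule that opens up to any address, a broad port range, or every protocol, and confirms that a subnet document references the expected NSG. The sample rules and subnet are trimmed copies of the step 7, 9 and 13 output; the rule named AllowAnyInbound is a constructed counter-example and does not appear on the page.

```python
import ipaddress
from typing import Iterable

# Prefix values that an NSG treats as "any address"; service tag names are
# compared case-insensitively.
ANY_PREFIXES = {"*", "internet", "0.0.0.0/0", "::/0"}


def _prefixes(rule: dict, side: str) -> list[str]:
    """Merge the singular and plural prefix fields az emits for one side."""
    single = rule.get(f"{side}AddressPrefix")
    many = rule.get(f"{side}AddressPrefixes") or []
    return ([single] if single else []) + list(many)


def _port_ranges(rule: dict) -> list[str]:
    """Merge destinationPortRange and destinationPortRanges."""
    single = rule.get("destinationPortRange")
    many = rule.get("destinationPortRanges") or []
    return ([single] if single else []) + list(many)


def _is_any_prefix(prefix: str) -> bool:
    p = prefix.strip().lower()
    if p in ANY_PREFIXES:
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:
        return False  # a scoped service tag such as VirtualNetwork


def _port_span(port_range: str) -> int:
    """Number of ports covered by '443', '1000-2000' or '*'."""
    if port_range.strip() == "*":
        return 65536
    lo, _, hi = port_range.partition("-")
    return int(hi or lo) - int(lo) + 1


def audit_rules(rules: Iterable[dict], max_ports: int = 16) -> list[str]:
    """One finding per Allow rule broader than 'trusted prefix + specific port'.

    Inbound rules are judged on their source, outbound rules on their
    destination, because that is the side facing the untrusted network.
    """
    findings = []
    for r in rules:
        if r.get("access") != "Allow":
            continue
        remote = "source" if r.get("direction") == "Inbound" else "destination"
        if any(_is_any_prefix(p) for p in _prefixes(r, remote)):
            findings.append(f"{r['name']}: {remote} prefix allows any address")
        if sum(_port_span(pr) for pr in _port_ranges(r)) > max_ports:
            findings.append(f"{r['name']}: destination port range too broad")
        if r.get("protocol") == "*":
            findings.append(f"{r['name']}: protocol '*' allows every protocol")
    return findings


def subnet_has_nsg(subnet: dict, expected_nsg_name: str) -> bool:
    """True when the subnet's networkSecurityGroup.id names the expected NSG."""
    nsg = subnet.get("networkSecurityGroup") or {}
    return nsg.get("id", "").rstrip("/").split("/")[-1] == expected_nsg_name


# Sample input: the two rules from steps 7 and 9 (trimmed to the fields the
# audit reads) plus one constructed, deliberately open rule for contrast.
PAGE_RULES = [
    {"name": "AllowHTTPSInbound", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.20.30.40/32",
     "sourceAddressPrefixes": [], "destinationAddressPrefix": "*",
     "destinationPortRange": "443", "destinationPortRanges": []},
    {"name": "AllowHTTPSOutbound", "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationAddressPrefix": "10.20.30.40/32",
     "destinationPortRange": "443", "destinationPortRanges": []},
]
CONSTRUCTED_OPEN_RULE = {  # constructed counter-example, not from the page
    "name": "AllowAnyInbound", "direction": "Inbound", "access": "Allow",
    "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
    "destinationPortRange": "*",
}
# Subnet document from step 13, reduced to the field subnet_has_nsg reads.
PAGE_SUBNET = {
    "name": "project5-vnet-001",
    "networkSecurityGroup": {
        "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/"
              "cloud-shell-storage-westeurope/providers/Microsoft.Network/"
              "networkSecurityGroups/cc-function-app-nsg",
    },
}

if __name__ == "__main__":
    for finding in audit_rules(PAGE_RULES + [CONSTRUCTED_OPEN_RULE]):
        print("FINDING:", finding)
    print("subnet protected:", subnet_has_nsg(PAGE_SUBNET, "cc-function-app-nsg"))
```

To run it against a live NSG, feed it the output of `az network nsg rule list --nsg-name ... --resource-group ... -o json` and of `az network vnet subnet show ... -o json`. The audit reads only explicit Allow rules; keep in mind that every NSG also carries default rules (AllowVnetOutBound at priority 65000 and AllowInternetOutBound at 65001, with DenyAllOutBound at 65500), so an outbound Allow rule such as the one in step 8 does not by itself block other egress unless a higher-priority Deny rule is also present.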
14 Repeat steps no. 4 – 13 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.
15 Repeat steps no. 3 – 14 for each subscription created within your Microsoft Azure cloud account.