Use Network Security Groups for Azure Function Apps

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Function Apps are configured to use Network Security Groups (NSGs). NSGs provide an additional layer of security for Azure Function Apps by controlling network traffic. This helps to protect your functions from unauthorized access and potential attacks by limiting inbound and outbound connections.

Security

Using Network Security Groups to control traffic to and from Azure Function Apps is important for the following reasons:


Overall, Network Security Groups (NSGs) provide robust protection for your Azure Function Apps by effectively shielding them from unauthorized access and malicious attacks.

Audit

To determine if your Azure Function Apps are configured to use Network Security Groups (NSGs), perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking settings available for the selected Function App.

07 In the Outbound traffic configuration section, under Integration subnet configuration, check the Network security group attribute value to identify the name of the Network Security Group configured for the selected Function App. If the Network security group value is N/A, Virtual Network Integration is not enabled for your Azure Function App. If the Network security group value is Not configured, the selected Microsoft Azure Function App is not configured to use Network Security Groups (NSGs).

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the selected subscription:

az functionapp list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

06 Run functionapp vnet-integration list command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and the associated resource group as the identifier parameters to list the ID of the Virtual Network Integration subnet configured for the selected Function App:

az functionapp vnet-integration list \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --query '[*].vnetResourceId'

07 The functionapp vnet-integration list command output should return the ID of the requested VNet resource. If the command output returns an empty array (i.e. []), Virtual Network Integration is not enabled for your Azure Function App, therefore, the Audit process ends here. Otherwise, you can continue the Audit with the next step:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001"
]

08 Run resource show command (Windows/macOS/Linux) to describe the Network Security Group (NSG) configured for the Virtual Network Integration instance associated with your Azure Function App:

az resource show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001" \
  --query '{"NetworkSecurityGroup":properties.networkSecurityGroup}'

09 The command output should return the requested NSG configuration information:

{
	"NetworkSecurityGroup": null
}

If the resource show command output returns null for the "NetworkSecurityGroup" configuration attribute, as shown in the output example above, the selected Microsoft Azure Function App is not configured to use Network Security Groups (NSGs).

10 Repeat steps no. 6 – 9 for each Azure Function App available within the current Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
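The CLI audit above is repetitive across subscriptions and Function Apps. The following script is an added example (not Conformity's code) that runs the same az commands and applies the page's decision rules: an empty vnet-integration list means VNet Integration is disabled, a null networkSecurityGroup means no NSG is configured, otherwise the attached NSG name is reported. The status labels and the injectable `az` runner are this example's own conventions; a real run needs an authenticated Azure CLI.

```python
"""Automated version of the CLI audit: every Function App in every subscription."""
import json
import subprocess


def run_az(args):
    """Run an az CLI command and return its JSON-decoded output (None if empty)."""
    out = subprocess.run(["az", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def classify(subnet_ids, nsg):
    """Apply the page's audit rules to the two command results."""
    if not subnet_ids:                       # step 07: empty array []
        return "VNET_INTEGRATION_DISABLED"
    if nsg is None:                          # step 09: "NetworkSecurityGroup": null
        return "NSG_NOT_CONFIGURED"
    # The subnet's NSG reference is an object whose id ends with the NSG name.
    return "NSG_ATTACHED:" + nsg["id"].rsplit("/", 1)[-1]


def audit_function_app(name, resource_group, az=run_az):
    """Steps 06-09 of the CLI audit for a single Function App."""
    subnet_ids = az(["functionapp", "vnet-integration", "list",
                     "--name", name, "--resource-group", resource_group,
                     "--query", "[*].vnetResourceId"])
    nsg = None
    if subnet_ids:
        nsg = az(["resource", "show", "--ids", subnet_ids[0],
                  "--query", "properties.networkSecurityGroup"])
    return classify(subnet_ids, nsg)


def audit_account(az=run_az):
    """Steps 01-11: returns {subscription/resourceGroup/app: status}."""
    findings = {}
    for sub in az(["account", "list", "--query", "[*].id"]) or []:
        az(["account", "set", "--subscription", sub])   # no output
        apps = az(["functionapp", "list",
                   "--query", "[*].{name:name, resourceGroup:resourceGroup}"])
        for app in apps or []:
            key = f"{sub}/{app['resourceGroup']}/{app['name']}"
            findings[key] = audit_function_app(app["name"], app["resourceGroup"], az)
    return findings


if __name__ == "__main__":
    for key, status in sorted(audit_account().items()):
        print(f"{status:32} {key}")
```

Anything other than an NSG_ATTACHED status is a finding for this rule; the Remediation section below describes how to clear it.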

Remediation / Resolution

To configure Network Security Groups (NSGs) for your Microsoft Azure Function Apps, perform the following operations:

To be able to control network traffic with Network Security Groups, Virtual Network Integration must be enabled for your Azure Function Apps. Virtual Network (VNet) Integration allows Function Apps to securely access resources within a private virtual network, such as databases or storage accounts, by connecting to the VNet. This integration provides enhanced security by isolating traffic and enabling the use of private endpoints within Azure cloud. This guide assumes that Virtual Network Integration is enabled for your Azure Function Apps.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Network security groups blade available at https://portal.azure.com/#browse/Microsoft.Network%2FNetworkSecurityGroups.

03 Choose Create and perform the following actions to create a new Network Security Group (NSG) for your Azure Function App:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the Network Security Group in the Name box.
    4. For Region, select the Azure cloud region where the private endpoint instance will be deployed.
    5. Choose Next : Tags > to continue the setup.
  2. For Tags, use the Name, Value, and Resource fields to create tags that will help you organize and identify the selected resource. Choose Next : Review + create > to validate the NSG setup.
  3. For Review + create, review the resource configuration details, then choose Create to create your new Network Security Group (NSG).

04 Once your new Network Security Group (NSG) is available, select Go to resource to access your new NSG resource.

05 In the navigation panel, under Settings, choose Inbound security rules, select Add, and perform the following actions to create a new inbound rule:

  1. For Source choose IP Addresses to allow inbound traffic from specified IP addresses only.
  2. For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses or IP address ranges that will be allowed to access the resource associated with the selected Network Security Group. You can also provide a comma-separated list of IP addresses or address ranges.
  3. For Destination port ranges, provide a single port such as 443 (HTTPS) or a comma-separated list of single ports such as 80 (HTTP) and 443 (HTTPS). This specifies on which port(s) the inbound traffic will be allowed by the selected NSG rule.
  4. For Protocol, select the appropriate network protocol (e.g. TCP).
  5. Make sure that Action is set to Allow.
  6. For Priority choose the rule priority. NSG rules are processed in priority order; the lower the number, the higher the priority. You can leave gaps between rules, such as 100, 200, 300, etc., to add new rules without having to edit existing rules.
  7. Provide a unique name for the inbound rule in the Name box.
  8. Choose Add to create your new NSG inbound rule.

06 In the navigation panel, under Settings, choose Outbound security rules, select Add, and perform the following operations to create a new outbound rule:

  1. For Destination choose IP Addresses to allow outbound traffic to specified IP addresses only.
  2. For Destination IP addresses/CIDR ranges, provide the IP address, IP addresses or IP address ranges for the outgoing traffic, allowed by this rule.
  3. For Destination port ranges, provide a single port such as 443 (HTTPS) or a comma-separated list of single ports such as 80 (HTTP) and 443 (HTTPS). This specifies on which port(s) the outbound traffic will be allowed by the selected NSG rule.
  4. For Protocol, select the appropriate network protocol (e.g. TCP).
  5. Make sure that Action is set to Allow.
  6. For Priority choose the rule priority. NSG rules are processed in priority order; the lower the number, the higher the priority. You can leave gaps between rules, such as 100, 200, 300, etc., to add new rules without having to edit existing rules.
  7. Provide a unique name for the outbound rule in the Name box.
  8. Choose Add to create your new NSG outbound rule.

07 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

08 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

09 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

10 Click on the name (link) of the Azure Function App that you want to configure.

11 In the resource navigation panel, under Settings, select Networking to access the networking settings available for the selected Function App.

12 In the Outbound traffic configuration section, click on the name (link) of the Virtual Network Integration instance, listed next to Virtual network integration, and perform the following actions:

  1. Under Virtual network routing, choose Configure next to Network security group.
  2. Select the Network Security Group (NSG) created earlier in the Remediation process from the Network security group dropdown list.
  3. Choose Save to apply the changes.

13 Repeat steps no. 5 – 9 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

14 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network nsg create command (Windows/macOS/Linux) to create a new Network Security Group (NSG) for your Microsoft Azure Function App:

az network nsg create \
  --name cc-function-app-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --query 'NewNSG.provisioningState'

05 The command output should return the NSG provisioning status:

"Succeeded"

06 Run network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to allow inbound traffic from known, trusted IP addresses, on specific ports only:

az network nsg rule create \
  --name AllowHTTPSInbound \
  --nsg-name cc-function-app-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --priority 300 \
  --source-address-prefixes 10.20.30.40/32 \
  --destination-port-ranges 443 \
  --destination-address-prefixes '*' \
  --description "Allow inbound traffic on TCP port 443 (HTTPS) only"

07 The command output should return the information available for the new NSG rule:

{
	"access": "Allow",
	"description": "Allow inbound traffic on TCP port 443 (HTTPS) only",
	"destinationAddressPrefix": "*",
	"destinationAddressPrefixes": [],
	"destinationPortRange": "443",
	"destinationPortRanges": [],
	"direction": "Inbound",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-function-app-nsg/securityRules/AllowHTTPSInbound",
	"name": "AllowHTTPSInbound",
	"priority": 300,
	"protocol": "Tcp",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sourceAddressPrefix": "10.20.30.40/32",
	"sourceAddressPrefixes": [],
	"sourcePortRange": "*",
	"sourcePortRanges": [],
	"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

08 Run network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to allow outbound traffic to known, trusted IP addresses, on specific ports only:

az network nsg rule create \
  --name AllowHTTPSOutbound \
  --nsg-name cc-function-app-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --direction Outbound \
  --access Allow \
  --protocol Tcp \
  --priority 500 \
  --source-address-prefixes '*' \
  --destination-port-ranges 443 \
  --destination-address-prefixes 10.20.30.40/32 \
  --description "Allow outbound traffic on TCP port 443 (HTTPS) only"

09 The command output should return the information available for the new NSG rule:

{
	"access": "Allow",
	"description": "Allow outbound traffic on TCP port 443 (HTTPS) only",
	"destinationAddressPrefix": "10.20.30.40/32",
	"destinationAddressPrefixes": [],
	"destinationPortRange": "443",
	"destinationPortRanges": [],
	"direction": "Outbound",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-function-app-nsg/securityRules/AllowHTTPSOutbound",
	"name": "AllowHTTPSOutbound",
	"priority": 500,
	"protocol": "Tcp",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sourceAddressPrefix": "*",
	"sourceAddressPrefixes": [],
	"sourcePortRange": "*",
	"sourcePortRanges": [],
	"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

10 Run functionapp vnet-integration list command (Windows/macOS/Linux) with the name of the Azure Function App that you want to configure and the associated resource group as the identifier parameters to list the ID of the Virtual Network Integration subnet configured for the selected Function App:

az functionapp vnet-integration list \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --query '[*].vnetResourceId'

11 The command output should return the ID of the requested VNet resource:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001"
]

12 Run network vnet subnet update command (Windows/macOS/Linux) to associate the Network Security Group (NSG) created earlier in the Remediation process to the VNet subnet configured for your Function App using Virtual Network Integration:

az network vnet subnet update \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001" \
  --network-security-group cc-function-app-nsg

13 The command output should return the information available for the configured VNet subnet:

{
	"addressPrefix": "10.0.2.0/24",
	"delegations": [
		{
			"actions": [
				"Microsoft.Network/virtualNetworks/subnets/action"
			],
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001/delegations/delegation",
			"name": "delegation",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"serviceName": "Microsoft.Web/serverfarms",
			"type": "Microsoft.Network/virtualNetworks/subnets/delegations"
		}
	],
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001",
	"name": "project5-vnet-001",
	"networkSecurityGroup": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-function-app-nsg",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"privateEndpointNetworkPolicies": "Disabled",
	"privateLinkServiceNetworkPolicies": "Enabled",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"serviceAssociationLinks": [
		{
			"allowDelete": false,
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/project5-vnet-001/serviceAssociationLinks/AppServiceLink",
			"link": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/serverfarms/ASP-cloudshellstoragewesteurope-aa14",
			"linkedResourceType": "Microsoft.Web/serverfarms",
			"locations": [],
			"name": "AppServiceLink",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks"
		}
	],
	"type": "Microsoft.Network/virtualNetworks/subnets"
}

14 Repeat steps no. 4 – 13 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

15 Repeat steps no. 3 – 14 for each subscription created within your Microsoft Azure cloud account.

Publication date Oct 23, 2023