We have a website deployed on an Azure Web App, sharing the same App Service plan with a Function App. The website has just two HTML pages, each with a button click that calls a JSON service exposed by the Function App. Since it is plain HTML, it just embeds JavaScript to carry out the JSON call.

Question is how to restrict access to the function app so it can only get called within the HTML pages?

Thanks

TOMMY WANG
  • If you don't want to store the code (or API key value) in the client, you should probably pass through App Service authentication. This link is related to Xamarin, but you may find it helpful: https://stackoverflow.com/questions/41625541/how-to-safely-call-azure-function-with-function-level-authorization-in-xamarin-m – Horia Toma Mar 20 '18 at 14:12
  • @HoriaToma is correct, do not embed API keys in client code (HTML). – rjbez Mar 21 '18 at 17:50

2 Answers

Assuming you have set up an HttpTrigger function, you can set the authorization level to Function, which will require a function key to be passed for every invocation. You can store the function key in your web app as an application setting.

Pragna Gopa
  • This isn't really that secure though, since the HTML page would basically have the key in plaintext, therefore exposing it to everyone. – rjbez Mar 21 '18 at 17:47

Question is how to restrict access to the function app so it can only get called within the HTML pages?

If you want to protect the Azure function, you could do as Pragna Gopa mentioned and set the authorization level to Function. A function key is then required to call the Azure function.

We could also do that with IP Restrictions; we can get the Web App's outbound IP from the Web App's properties.

Tom Sun - MSFT
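
One way to combine the advice above (keep the key out of the HTML, hold it as an application setting) is a small server-side proxy in the web app. This is an added example, not code from the question or either answer; it assumes the web app can run Node.js 18+, and the setting names `FUNCTION_BASE_URL` / `FUNCTION_KEY` and the function name `GetData` are hypothetical.

```javascript
// Added example: the web app proxies calls so the function key stays server-side.
// Assumed (hypothetical) names: FUNCTION_BASE_URL, FUNCTION_KEY, function "GetData".
const ALLOWED_FUNCTIONS = new Set(['GetData']);

// Map a browser request to the upstream call, or return null to reject it.
function buildUpstreamRequest(method, path, cfg) {
  const m = /^\/api\/([A-Za-z0-9_-]+)(\?.*)?$/.exec(path);
  if (!m || !ALLOWED_FUNCTIONS.has(m[1])) return null;    // only known functions
  if (method !== 'GET' && method !== 'POST') return null; // only expected verbs
  const url = new URL(`/api/${m[1]}${m[2] || ''}`, cfg.baseUrl);
  url.searchParams.delete('code'); // ignore any key supplied by the client
  // The key is attached here, from the application setting, never sent to the page.
  return { url: url.toString(), method, headers: { 'x-functions-key': cfg.key } };
}

async function readBody(req, limit = 64 * 1024) { // cap the buffered body size
  const chunks = [];
  let size = 0;
  for await (const chunk of req) {
    size += chunk.length;
    if (size > limit) throw new Error('body too large');
    chunks.push(chunk);
  }
  return Buffer.concat(chunks);
}

async function start(cfg, port) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    const up = buildUpstreamRequest(req.method, req.url, cfg);
    if (!up) return res.writeHead(404).end();
    try {
      const init = { method: up.method, headers: up.headers };
      if (up.method === 'POST') {
        init.body = await readBody(req);
        init.headers['content-type'] = req.headers['content-type'] || 'application/json';
      }
      const r = await fetch(up.url, init);
      res.writeHead(r.status, { 'content-type': r.headers.get('content-type') || 'application/json' });
      res.end(Buffer.from(await r.arrayBuffer()));
    } catch {
      res.writeHead(502).end(); // upstream failure or oversized body
    }
  }).listen(port);
}
// Start only when both settings are present (App Service exposes app settings as env vars).
if (process.env.FUNCTION_BASE_URL && process.env.FUNCTION_KEY) {
  start({ baseUrl: process.env.FUNCTION_BASE_URL, key: process.env.FUNCTION_KEY }, process.env.PORT || 8080);
}
```

With this in place the function is called from the web app rather than from the visitor's browser, so requests reach it from the web app's outbound IPs, which is the traffic an IP restriction on those addresses admits.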