
We have multiple functions inside Azure Functions; some of them are used by a webpage hosted on blob storage.

I want the functions used by the webpage (blob storage) to restrict calls, so they can be called only by the webpage and not by anyone else. Is something like this possible?

I found an option to restrict access by IP, but the webpage will have a different IP on almost any computer, so this option doesn't seem like a good solution.

A good solution would be to restrict calls to the function by domain name, but there is no option in Azure for that.

Does anyone have other ideas?

HardRock
  • Since your blob-based website is hosted on some site, you can use CORS to enable only your website to call the API. The given answer will work perfectly – Anirudha Gupta Sep 05 '21 at 02:54

1 Answer

You can achieve this in 2 ways:

1. The quick, easy and inexpensive way, if you have a small set of functions in the function app

You can achieve this by enabling CORS in your function app and specifying the list of domains that can access your function app (along with its functions).

Steps to do this:

  1. Go to your function app resource in Azure
  2. Select CORS under the API menu
  3. Check the checkbox that gives you the option to "Enable Access-Control-Allow-Credentials"
  4. Specify the domain or list of domains you want to enable access to
  5. Save

Cross-Origin Resource Sharing (CORS) allows JavaScript code running in a browser on an external host to interact with your backend. Specify the origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). To allow all, use "*" and remove all other origins from the list. Slashes are not allowed as part of domain or after TLD.


2. The more secure way, if you have more budget and your functions are part of a large enterprise application

  1. Deploy a new Azure API Management instance in front of your function app. (https://learn.microsoft.com/en-us/azure/api-management/import-function-app-as-api)

  2. Secure access restrictions for your function app using the APIM service tag to allow access only from APIM and deny all other traffic (read more here: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions)

  3. Once you complete Steps 1 and 2, your function app cannot be directly accessed. You (or anyone else for that matter) can only access it through APIM using a subscription key. (info: https://learn.microsoft.com/en-us/learn/modules/publish-manage-apis-with-azure-api-management https://learn.microsoft.com/en-us/learn/modules/control-authentication-with-apim/)

  4. Enable CORS in APIM (https://learn.microsoft.com/en-us/azure/api-management/api-management-cross-domain-policies#CORS)

As you can see, APIM gives you an additional layer of protection, where you restrict by domain and, in addition to that, only allow requests that provide a subscription key access to your function. You can revoke and regenerate these keys anytime, which makes sure malicious users cannot access your function app. You can also configure things like rate limiting to prevent DDoS attacks.

PS: I reckon you would find this answer interesting as well. CORS can be spoofed by a malicious user, but securing your function app behind an APIM instance will give you greater security. It depends on what level of security you aspire to have for your app vs. your budget - What's to stop malicious code from spoofing the "Origin" header to exploit CORS?

You can follow Azure's APIM security baseline recommendations to secure your function app further via APIM: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline

Rimaz Mohommed
  • Note that CORS can only restrict other web apps from calling your functions, because browsers will respect CORS. However, this is easy to bypass and other types of apps like mobile and desktop apps can still call those functions. – Anthony Chu Sep 05 '21 at 02:26
  • @AnthonyChu: Exactly what I have mentioned here. It depends what level of security he aspires to have and whether he has the budget to secure his function app behind an APIM instance. https://stackoverflow.com/questions/21058183/whats-to-stop-malicious-code-from-spoofing-the-origin-header-to-exploit-cors – Rimaz Mohommed Sep 05 '21 at 02:39
  • Unfortunately requiring an APIM key isn’t necessarily secure either, because typically you embed the key in your web app (or other types of clients like mobile and desktop apps). The key can be extracted and used to call the API. My concern is that the options in this answer are presented as secure but they are not. – Anthony Chu Sep 05 '21 at 02:56
  • Agree with your concerns. I've never stated that the two methods of securing the function app are completely foolproof. I've only said the 2nd option is a better one to consider as it is "more secure" since "You can revoke and regenerate these keys anytime which makes sure malicious users cannot access your function app. You can also configure things like rate-limiting to prevent DDOS attacks." – Rimaz Mohommed Sep 05 '21 at 03:17
  • You can follow Azure's APIM security baseline recommendations to improve security further : https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline – Rimaz Mohommed Sep 05 '21 at 03:19
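The point made in the comments above (CORS is enforced by the browser, not by the function, and a subscription key shipped in page JavaScript can be read by anyone) is easy to see in a small simulation. The following is an added example, not code from the original question, the answer, or Azure: it models the two controls from the answer (a CORS allow-list as the function app applies it, and an APIM front door that requires `Ocp-Apim-Subscription-Key`) together with a browser client and a non-browser client. The origin, the key, the page JavaScript and the request/response shapes are all constructed for the demonstration.

```python
import re

# Constructed values for this simulation (not taken from the original post).
ALLOWED_ORIGINS = {"https://mysite.z13.web.core.windows.net"}
SUBSCRIPTION_KEY = "0123456789abcdef0123456789abcdef"

# What a static page on blob storage ships to every visitor: the APIM key sits in
# client-side JavaScript, so anyone who loads the page can read it (constructed).
PAGE_JS = """
const API = "https://contoso-apim.azure-api.net/orders";
fetch(API, { headers: { "Ocp-Apim-Subscription-Key": "0123456789abcdef0123456789abcdef" } });
"""


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Headers a CORS-enabled function app adds when Origin is on its allow-list.
    Entries are scheme://host[:port] and the comparison is an exact string match."""
    if origin is not None and origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def function_app(request):
    """The HTTP-triggered function. CORS never prevents it from running: the work is
    done and the body produced for every caller; only the headers depend on Origin."""
    headers = cors_headers(request.get("Origin"))
    return 200, headers, {"orders": [1, 2, 3]}


def apim_gateway(request):
    """APIM in front of the function app with subscription-key authentication on."""
    if request.get("Ocp-Apim-Subscription-Key") != SUBSCRIPTION_KEY:
        return 401, {}, {"statusCode": 401, "message": "Access denied due to missing subscription key."}
    return function_app(request)


def browser_fetch(page_origin, request, handler):
    """A browser sets the page's real Origin and enforces CORS on the *response*: if
    Access-Control-Allow-Origin does not match, the page's JavaScript cannot read the
    body, but the server has already processed the request."""
    status, headers, body = handler(dict(request, Origin=page_origin))
    if headers.get("Access-Control-Allow-Origin") not in (page_origin, "*"):
        return "blocked"  # shows up as a TypeError from fetch() in the page
    return body


def curl(request, handler):
    """Any non-browser client (curl, a script, a mobile or desktop app): there is no CORS
    enforcement at all, and the Origin header, if sent, is whatever the caller chooses."""
    status, headers, body = handler(request)
    return status, body


def extract_subscription_key(js_source):
    """Recover the key from the public JavaScript bundle, as an attacker would."""
    match = re.search(r'"Ocp-Apim-Subscription-Key"\s*:\s*"([0-9a-f]{32})"', js_source)
    return match.group(1) if match else None


if __name__ == "__main__":
    site = "https://mysite.z13.web.core.windows.net"
    print("browser, allowed origin:", browser_fetch(site, {}, function_app))
    print("browser, other origin:  ", browser_fetch("https://evil.example", {}, function_app))
    print("curl, spoofed Origin:   ", curl({"Origin": site}, function_app))
    print("curl, no Origin at all: ", curl({}, function_app))
    print("curl via APIM, no key:  ", curl({}, apim_gateway))
    key = extract_subscription_key(PAGE_JS)
    print("curl via APIM, key from page JS:", curl({"Ocp-Apim-Subscription-Key": key}, apim_gateway))
```

Running it shows the allow-listed page reading the body and the foreign page being "blocked", while `curl` receives status 200 and the full body with a spoofed Origin or with no Origin header at all; the APIM check rejects the keyless call but accepts the key lifted from `PAGE_JS`. Neither control identifies the caller, which is why the comments treat them as browser hygiene and abuse limiting rather than as authentication.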