I have set up an Azure Function App behind APIM (internal VNet). I want to set this up in such a way that only calls from APIM are picked up by the Function App and nothing else.

The Function App is under a Premium plan, which automatically generates a public URL that can be called from the internet. As per the MS documentation, when I integrate with a VNet, the inbound NSG rules for that Function App subnet don't apply; all it does is allow the Function App to talk to resources inside the VNet. So the alternative is to use IP whitelisting, through which I can control who is allowed to call the Function App.

The problem is that my APIM is internal, which means there is no public IP assigned to it. So, in my scenario, is there a way to restrict incoming calls into the Function App to only those from the (internal) APIM?

The same issue applies to Azure App Services (Web API or Web App).

You should be able to use Access Restrictions (IP whitelisting) and there select VNET and the subnet of your APIM. - silent
@silent As I mentioned in my question, there is no public IP for the APIM, so how can I do the IP whitelisting? Also, regarding VNet integration, my FA is already VNet integrated with the subnet where APIM currently is. However, my question is how I can allow only APIM to send requests and not any other source. - Sai
Yes, because in the whitelisting selection, when you select VNET, you select a subnet, not a (public) IP. Have you actually tried it out? - silent
@silent Thanks, I see the option to select the subnet and it worked. Thanks for your inputs. - Sai
Glad to hear it. I'll make an answer out of it. - silent

1 Answer

You can use the Access Restriction feature (IP whitelisting) for this. Instead of putting in a fixed (public) IP range, you can also select "VNET". This lets you select a certain VNET and subnet (using service endpoints) so that traffic is only accepted from a VNET that you control.
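As an added illustration (not part of the question or the answer above), a small Python audit over the JSON that `az functionapp config access-restriction show` returns, checking that the only Allow rule on the main site is the APIM subnet's service-endpoint rule and that the SCM (Kudu) site is not left open to the internet. The resource IDs, the sample output and the CLI steps in the comments are assumptions.

```python
import json

# Assumed CLI steps (not from the answer) that produce the state audited below:
#   az network vnet subnet update -g <rg> --vnet-name <vnet> -n <apim-subnet> --service-endpoints Microsoft.Web
#   az functionapp config access-restriction add -g <rg> -n <app> --rule-name AllowApim \
#       --action Allow --vnet-name <vnet> --subnet <apim-subnet> --priority 100
#   az functionapp config access-restriction show -g <rg> -n <app>   # JSON shaped like the sample
APIM_SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub"
                  "/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-apim")  # placeholder

# Constructed sample of the `show` output after the rule is added; the SCM (Kudu) list is still open.
SAMPLE_RESTRICTIONS = json.loads("""
{
  "ipSecurityRestrictions": [
    {"name": "AllowApim", "action": "Allow", "priority": 100, "ipAddress": null,
     "vnetSubnetResourceId": "%s"},
    {"name": "Deny all", "action": "Deny", "priority": 2147483647, "ipAddress": "Any",
     "vnetSubnetResourceId": null}
  ],
  "scmIpSecurityRestrictions": [
    {"name": "Allow all", "action": "Allow", "priority": 2147483647, "ipAddress": "Any",
     "vnetSubnetResourceId": null}
  ],
  "scmIpSecurityRestrictionsUseMain": false
}
""" % APIM_SUBNET_ID)


def audit_access_restrictions(cfg, apim_subnet_id):
    """Return findings; an empty list means only the APIM subnet can reach the app and its SCM site."""
    findings = []
    wanted = apim_subnet_id.lower()

    def allows(rules):
        return [r for r in rules if r.get("action", "Allow") == "Allow"]

    main_allows = allows(cfg.get("ipSecurityRestrictions", []))
    # Every Allow on the main site must be the APIM subnet's service-endpoint rule, nothing else.
    for r in main_allows:
        subnet = (r.get("vnetSubnetResourceId") or "").lower()
        if not subnet:
            findings.append(f"main site: non-subnet allow rule '{r.get('name')}' ({r.get('ipAddress')})")
        elif subnet != wanted:
            findings.append(f"main site: allow rule '{r.get('name')}' targets another subnet")
    if not any((r.get("vnetSubnetResourceId") or "").lower() == wanted for r in main_allows):
        findings.append("main site: no allow rule for the APIM subnet")
    # The SCM/Kudu endpoint keeps its own list unless told to reuse the main one; it must not stay open.
    if not cfg.get("scmIpSecurityRestrictionsUseMain"):
        if any(r.get("ipAddress") == "Any" for r in allows(cfg.get("scmIpSecurityRestrictions", []))):
            findings.append("scm site: open to Any; set --use-same-restrictions-for-scm-site true")
    return findings
```

Pipe the real `show` output into `audit_access_restrictions` after applying the VNET rule; the SCM finding is the one most often overlooked when the portal's main-site rule is the only thing configured.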