Deploying To IP Restricted Azure Function Apps Using GitHub Actions
Posted Updated GitHub / Actions7 minutes read (About 1082 words)

Deploying To IP Restricted Azure Function Apps Using GitHub Actions

In the previous post we blocked our function app to be available only to the APIM via ip restrictions.

This secures our function app and it isn’t available publicly, any one that tries to access our function app url will get “HTTP 403 Forbidden”.

This secures our function app; now what about deploying code changes to the function app via GitHub Actions? we should be able to CI/CD to our function app, but there is a problem here. The GitHub action will fail with the same “HTTP 403 Forbidden”, this is because GitHub actions run on runners (its a hosted virtual environment), each time we run the Action we get a new runner and it can have a different ip address. So how can we get around this? do we white list the entire GitHub ip range?

GitHub’s ip ranges can change any time, so will have to keep scanning for changes to these ranges and proactively update our ip restrictions, this is not very scalable or practical. So what are other ways of getting around this? we have a couple of ways to get around this.

Possible Solutions

There are two viable solutions here

Read more
Securing Azure Functions and Logic Apps
Posted Updated Azure / Function Apps / Security4 minutes read (About 672 words)

Securing Azure Functions and Logic Apps

Here is a scenario that I recently encountered. Imagine we are building micro-services using serverless (a mix on Azure Function Apps and Logic Apps) with APIM in the front. Lets say we went with the APIM standard instance and all the logic and function apps are going to be running on consumption plan (for cost reasons as its cheaper). This means we wont be getting any vnet capability and our function and logic apps will be exposed out to the world (remember to get vnet with APIM we have to go with the premium version, we are going APIM standard here for cost saving reasons).

So how do we restrict our function and logic apps to only go through the APIM, in another words all our function and logic apps must only go through the APIM and if anyone tries to access them directly they should be getting a “HTTP 403 Forbidden”.

Lets visualize this scenario; We have some WAF capable ingress endpoint, in this case its Azure Front Door, that is forwarding traffic to APIM which then sends the requests to the serverless apps.
Reason for having Front Door before APIM is because APIM doesn’t have WAF natively so we will need to put something in front of it that has that capability to be secure.

There are few options like Azure Firewall, Application Gateway etc, but for the purposes of this scenario we have Azure Front Door in front of APIM (and we can have an APIM policy that will only accept traffic from Azure Font Door, we wont be going in to that, we will keep it to securing our function apps to just being available via APIM for today)

Read more
Follow

Categories

Archives

follow.it

Please enter your email address to get updates when new articles are published

Recents

Tags

.NET1
AGIC1
AKS1
Application Gateway1
Azure8
Azure App Service2
Azure Blob Storage2
Azure CLI1
Azure Container Apps1
Azure Dev Test Labs1
Azure Logic Apps1
Azure Policy1
Blog1
CI/CD2
Containers1
Developer Environments1
Docker1
DotNet1
Function Apps3
GZip1
GitHub2
Hexo1
IP Restrictions2
Ingress1
Kubernetes1
Personal1
PowerShell1
Security2
Serverless2
Single Threaded Apps1
Tar1
×