4

I'm building a very lightweight API using Azure Functions. One thing I'm concerned about is abuse of the functions. What's to stop someone hammering a single method and causing my costs to escalate? Are there any ways I can blacklist IP addresses if they start acting suspiciously?

I have a last resort of looking up the IP in Table Storage, but I'd ideally like to block the IP before it even makes it to the function. Is this possible? (Programmatically)

Nick.

Janusz Nowak
Nick

1 Answer

8

In the Consumption plan, you're only billed for the time your function code actually runs. For HTTP-triggered functions (or WebHooks), that won't include any time taken to receive or authorize a request and dispatch it to your code.

Assuming your function is secured (i.e. authLevel is not anonymous), only authorized requests can invoke it, so unauthorized requests won't incur you any executions.

mathewc
  • Thanks for the information. With that said, if I'm authorising an app, then all users will have the same credentials, right? And my client ID and secret will be in the app, so if someone gets the credentials out, which won't be difficult with a Windows 10 app, they will be able to use the credentials outside of the app, resulting in me having to revoke those credentials and kill it for everyone? – Nick Dec 14 '16 at 20:29
  • My primary concern is the account creation API that will ultimately send an email through SendGrid. As there's no way to differentiate a user from those credentials, I'm still going to have to roll some kind of IP throttling, right? – Nick Dec 14 '16 at 20:29
  • I've just taken a look at the auth option, so I think I'm happy with what's available there. I'll use Facebook then block individual users if they abuse the system. Thanks for your help. – Nick Dec 14 '16 at 20:41
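
The per-IP throttling raised in the comments above, sketched as an added example that is not code from the original thread or from Azure. It runs inside the function, so it limits the costly step (the sign-up e-mail) rather than preventing the invocation. The names `clientIp`, `createLimiter`, `handle`, the limits, and the header behaviour noted in the comments are assumptions.

```javascript
// Added example (not from the original thread): per-IP fixed-window throttle.
// ASSUMPTIONS: header names arrive lower-cased, and the platform front end
// appends the connecting address as the LAST X-Forwarded-For entry, so earlier
// entries are client-supplied and must not be trusted.
const WINDOW_MS = 60 * 1000; // hypothetical policy: window length
const MAX_REQUESTS = 5;      // hypothetical policy: calls per window per IP

// Pull the client IP out of X-Forwarded-For; accepts "ip:port" and "[v6]:port".
function clientIp(headers) {
  const raw = headers['x-forwarded-for'];
  if (!raw) return null;
  const last = raw.split(',').pop().trim();
  const v6 = last.match(/^\[([0-9a-f:.]+)\](?::\d+)?$/i);
  if (v6) return v6[1].toLowerCase();
  const v4 = last.match(/^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$/);
  if (v4) return v4[1];
  // Bare IPv6 without brackets; anything else is rejected.
  return /^[0-9a-f:]+$/i.test(last) && last.includes(':') ? last.toLowerCase() : null;
}

// Counters live in `store`. A Map is per-instance only and is never evicted
// here; a shared store (such as the Table Storage lookup from the question)
// is needed when several instances serve requests.
function createLimiter(store = new Map(), now = () => Date.now()) {
  return function check(ip) {
    const t = now();
    const windowStart = t - (t % WINDOW_MS);
    const entry = store.get(ip);
    if (!entry || entry.windowStart !== windowStart) {
      store.set(ip, { windowStart, count: 1 });
      return { allowed: true, retryAfterSec: 0 };
    }
    entry.count += 1;
    if (entry.count <= MAX_REQUESTS) return { allowed: true, retryAfterSec: 0 };
    const retryAfterSec = Math.ceil((windowStart + WINDOW_MS - t) / 1000);
    return { allowed: false, retryAfterSec };
  };
}

// Decide the response before any costly step (here, sending the sign-up e-mail).
function handle(req, check) {
  const ip = clientIp(req.headers || {});
  if (!ip) return { status: 400, body: 'client address unavailable' };
  const verdict = check(ip);
  if (verdict.allowed) return { status: 200, body: 'accepted' }; // create account here
  const headers = { 'Retry-After': String(verdict.retryAfterSec) };
  return { status: 429, headers, body: 'too many requests' };
}
```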