
We are building a number of Azure Function Apps; each function app by default has its own IP whitelist.

We have multiple third parties that will consume these function apps. Each third party will likely have multiple IP addresses. Some function apps may be consumed by all third parties, others by one but not another, etc.

We would like a central way of managing this. We have a PowerShell script that we've used in the past to maintain the IP addresses, but I was wondering if there was a better solution - perhaps there are some templates built into Azure itself?

This must be a fairly common problem; does anyone have any suggestions, please?

Jay
  • Hi Jay, is there any update on this issue? Please check whether the answers below help to resolve it. Just a reminder :) – LoLance Feb 11 '20 at 08:28

2 Answers


You can use the Microsoft.Web/sites/config ARM object. You can deploy the config object on top of your existing functions or include it in the ARM definition of a complete function app template. That way you can centrally manage IP rules and version control them. With PowerShell, you can orchestrate ARM deployments of IP rules based on your criteria.

https://learn.microsoft.com/en-us/azure/templates/microsoft.web/2018-11-01/sites/config

{
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2018-11-01",
  "name": "[concat(variables('functionName'), '/web')]",
  "location": "East US",
  "dependsOn": [
    "[resourceId('Microsoft.Web/sites', variables('functionName'))]"
  ],
  "properties": {
    "ipSecurityRestrictions": [
      {
        "ipAddress": "00.00.00.00/00",
        "action": "Allow",
        "tag": "Default",
        "priority": 1000,
        "name": "Rule 1"
      },
      {
        "ipAddress": "00.00.00.00/00",
        "action": "Allow",
        "tag": "Default",
        "priority": 2000,
        "name": "Rule 2"
      },
      {
        "ipAddress": "Any",
        "action": "Deny",
        "priority": 2147483647,
        "name": "Deny all",
        "description": "Deny all access"
      }
    ]
  }
}
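The answer above leaves the "orchestrate with PowerShell" part to the reader. The script below is an added example (not code from the question or the answer) of what that orchestration can look like: two hashtables are the single source of truth (which addresses belong to which third party, and which third parties may call which function app), the script generates the same Microsoft.Web/sites/config resource as the template above for each app, writes it to a JSON file that can be committed, and deploys it with New-AzResourceGroupDeployment. The resource group, function app names, partner names and IP ranges (RFC 5737 documentation prefixes) are constructed placeholders; it assumes the Az.Accounts and Az.Resources modules and an active Connect-AzAccount session.

```powershell
# Added example: central IP allow-list management for several function apps.
# Not part of the original question or answer. Assumes Az.Accounts/Az.Resources
# and a signed-in session (Connect-AzAccount). All names and addresses below
# are constructed placeholders.

$ResourceGroup = 'rg-functions'   # assumed resource group holding the function apps

# Source of truth #1: which addresses belong to which third party.
# Use /32 for single hosts. Ranges are RFC 5737 documentation prefixes.
$ThirdParties = @{
    'partnerA' = @('203.0.113.0/24', '198.51.100.7/32')
    'partnerB' = @('192.0.2.10/32', '192.0.2.11/32')
}

# Source of truth #2: which third parties may reach which function app.
$FunctionAppAccess = @{
    'func-orders'  = @('partnerA', 'partnerB')
    'func-reports' = @('partnerA')
}

function New-IpSecurityRestrictions {
    # Builds the ipSecurityRestrictions array for one function app.
    param(
        [Parameter(Mandatory)] [string[]]  $Parties,
        [Parameter(Mandatory)] [hashtable] $Directory
    )
    $rules = @()
    $priority = 100
    foreach ($party in $Parties) {
        if (-not $Directory.ContainsKey($party)) {
            # Fail closed rather than silently deploy an incomplete allow-list.
            throw "Unknown third party '$party'; refusing to generate a partial allow-list."
        }
        foreach ($cidr in $Directory[$party]) {
            $rules += @{
                name        = "$party-$($cidr -replace '[./]', '-')"
                description = "Allow $party"
                ipAddress   = $cidr
                action      = 'Allow'
                tag         = 'Default'
                priority    = $priority
            }
            $priority += 100
        }
    }
    # Explicit catch-all deny, as in the answer's template. Azure already denies
    # unmatched traffic once an Allow rule exists; this makes the intent visible.
    $rules += @{
        name        = 'Deny all'
        description = 'Deny all access'
        ipAddress   = 'Any'
        action      = 'Deny'
        priority    = 2147483647
    }
    return ,$rules
}

function New-IpRestrictionTemplate {
    # Minimal ARM template holding only the sites/config 'web' child resource,
    # deployed on top of an existing function app (so no dependsOn is needed).
    param(
        [Parameter(Mandatory)] [string] $FunctionApp,
        [Parameter(Mandatory)] [array]  $Rules
    )
    return @{
        '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
        contentVersion = '1.0.0.0'
        resources      = @(
            @{
                type       = 'Microsoft.Web/sites/config'
                apiVersion = '2018-11-01'
                name       = "$FunctionApp/web"
                properties = @{ ipSecurityRestrictions = $Rules }
            }
        )
    }
}

foreach ($app in $FunctionAppAccess.Keys) {
    [array]$rules = New-IpSecurityRestrictions -Parties $FunctionAppAccess[$app] -Directory $ThirdParties
    $template     = New-IpRestrictionTemplate -FunctionApp $app -Rules $rules

    # ipSecurityRestrictions is replaced wholesale on each deployment: anything not
    # in the two tables above disappears from the app. Print the list before applying.
    Write-Host "$app -> $($rules.Count) rules"
    $rules | ForEach-Object { Write-Host ('  {0,-6} {1,-18} {2}' -f $_.action, $_.ipAddress, $_.name) }

    # Persist the generated template so it can be reviewed and version controlled.
    $path = Join-Path ([System.IO.Path]::GetTempPath()) "iprules-$app.json"
    $template | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding utf8

    # Incremental mode touches only the resource in the template; never use
    # Complete mode here, it would delete everything else in the resource group.
    New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup `
        -Name "iprules-$app-$(Get-Date -Format yyyyMMddHHmmss)" `
        -TemplateFile $path -Mode Incremental
}
```

Run it with -WhatIf on New-AzResourceGroupDeployment the first time to see the diff Azure would apply. Because the whole rule set comes from the two tables, onboarding a new partner address is a one-line change followed by a re-run, and the committed JSON files show exactly which addresses each app accepted at any point in time.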

The main problem is that IP addresses can change quite often. I prefer to control this by subscription keys per client, or per client and API.

To do that, you can add an API Management instance (API Gateway pattern) in front of your APIs. You can also keep controlling per IP address using API Management, but I would say the API key is a good practice.

More info:

https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#RestrictCallerIPs

https://microservices.io/patterns/apigateway.html

Thiago Custodio
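To make the second answer concrete, here is an added example (not the answerer's own code) of combining both controls in API Management: the API requires a subscription key, which the gateway validates before any policy runs, and the policy then applies a per-subscriber IP allow-list with the ip-filter policy linked above, so a leaked key is useless from an unexpected network and a partner's address change is a one-line policy edit. The resource group, service, API and subscription names and the address ranges (RFC 5737 documentation prefixes) are constructed placeholders; it assumes the Az.ApiManagement module and an active Connect-AzAccount session.

```powershell
# Added example: per-subscription IP allow-list on top of subscription keys in
# Azure API Management. Not from the original answer. Assumes Az.ApiManagement
# and a signed-in session. Names and addresses are constructed placeholders.

$ResourceGroup = 'rg-apim'
$ServiceName   = 'apim-partners'
$ApiId         = 'orders-api'   # APIM API that fronts the function app

# context.Subscription.Name is the name of the subscription whose key was
# presented on the request; the key itself has already been validated by APIM.
# Subscribers with a valid key but no allow-list entry get a 403 (fail closed).
$Policy = @'
<policies>
  <inbound>
    <base />
    <choose>
      <when condition="@(context.Subscription != null && context.Subscription.Name == "partnerA")">
        <ip-filter action="allow">
          <address-range from="203.0.113.0" to="203.0.113.255" />
          <address>198.51.100.7</address>
        </ip-filter>
      </when>
      <when condition="@(context.Subscription != null && context.Subscription.Name == "partnerB")">
        <ip-filter action="allow">
          <address>192.0.2.10</address>
          <address>192.0.2.11</address>
        </ip-filter>
      </when>
      <otherwise>
        <return-response>
          <set-status code="403" reason="Forbidden" />
        </return-response>
      </otherwise>
    </choose>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
'@

$ctx = New-AzApiManagementContext -ResourceGroupName $ResourceGroup -ServiceName $ServiceName

# The raw format lets the policy expressions (&&, quoted strings) be written as-is
# instead of XML-escaped.
Set-AzApiManagementPolicy -Context $ctx -ApiId $ApiId -Policy $Policy `
    -Format 'application/vnd.ms-azure-apim.policy.raw+xml'
```

The gateway only helps if callers cannot go around it: the function apps behind it should keep an IP allow-list of their own that admits only the API Management instance's public IP addresses (the PublicIPAddresses property returned by Get-AzApiManagement), so that the per-partner addresses live in one place, the policy, and the per-app lists stay static.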