
I have an Azure Static Web App developed using Angular (let's say my company homepage) which needs to be publicly accessible w/o authentication. If I wanted some dynamic content on the home page which comes from a database (i.e. news items or a product list), are there any ways to "secure" an Azure Function endpoint that supplies this data to the front end?

"secure" == I'd like to limit access of the endpoint to just my Azure Static Web App.

I'd also like to set up a function that listens for IPN requests from PayPal and so I'd like to configure that function to only be accessible from PayPal.

I see that I can configure CORS to only allow specific domains access to a function -- is this my best option?

1 Answer


There are two ways to look at it:

(i) Azure has the APIM service, which allows you to secure certain endpoints and is probably the best way to handle Azure Functions endpoints for the public.

(ii) You can also secure the functions by adding an Application Gateway and whitelisting the IP address of the Application Gateway in the function, or you can build the functions inside a VNet using the Azure environment service.

You can read more about Securing Azure Functions here.

Sajeetharan
  • Thank you for the response! For (i), which features of the APIM Service would you suggest? I've looked at some APIM options but they all seem to require API keys/tokens or interactive authentication -- none of which seem ideal for an Azure Static Web App accessible to the public. I don't think embedding an API key in my client app would be a good idea. Your option ii makes sense and I will definitely look at the Application Gateway feature. – Engine Room Jun 10 '21 at 14:30
  • You can still set up basic authentication on your function and set it up with APIM. Yeah, the 2nd option makes more sense here, and remember it will be costly – Sajeetharan Jun 11 '21 at 06:03
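
Option (ii) above, allow-listing the Application Gateway's address on the function, shown as an added example that is not part of the original answer: a Python model of a priority-ordered IP rule list with an implicit deny once any rule exists, which is how Azure documents its access restrictions. The `Rule` class, the `evaluate` function and every address are constructed for illustration; this models the decision logic only and is not Azure's code.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    action: str     # "Allow" or "Deny"
    cidr: str       # IPv4 or IPv6 network in CIDR form
    name: str = ""


def evaluate(rules, client_ip):
    """Return (action, rule_name) for client_ip under a priority-ordered rule list."""
    if not rules:
        # Nothing configured: the endpoint is reachable from anywhere.
        return ("Allow", "no-rules")
    addr = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        net = ipaddress.ip_network(rule.cidr, strict=False)
        # An IPv4 address never matches an IPv6 network, and vice versa.
        if addr.version == net.version and addr in net:
            return (rule.action, rule.name)
    # As soon as one rule exists, everything unmatched is denied.
    return ("Deny", "implicit-deny")


# Constructed sample values (documentation address ranges, not real hosts).
GATEWAY_ONLY = [
    Rule(100, "Allow", "203.0.113.10/32", "app-gateway"),
]
MIXED = [
    Rule(200, "Allow", "198.51.100.0/24", "partner-range"),
    Rule(100, "Deny", "198.51.100.66/32", "blocked-host"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "2001:db8::1"):
        print(ip, evaluate(GATEWAY_ONLY, ip))
    for ip in ("198.51.100.66", "198.51.100.7"):
        print(ip, evaluate(MIXED, ip))
```

With only the gateway rule present, any caller that reaches the function directly instead of through the gateway falls through to the implicit deny, including IPv6 callers when only an IPv4 rule was written.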