Restricting Access to App Services and Function Apps

Restrict By Function

Restricting by function works well because it gives you granular control over individual functions. A typical use is giving the key to other applications, which then present that key when they call the function.

There are three levels to restrict a function:

  • Anonymous – no restrictions
  • Function – restricted by an individual function key
  • Admin – uses the admin key defined in the function app

When calling the function, pass the key in one of two ways. Either as a query string:

https://networking-test-fa.azurewebsites.net/api/HttpTrigger1?code=YOUR_CODE

Or in the x-functions-key header.
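The two ways of passing the key differ in where it ends up: a key in the query string is part of the URL, and URLs are commonly written to access logs and proxies, while a header usually is not. The following is an added example, not code from the original page; the key value, helper names and log lines are constructed for illustration. It builds a header-based request and shows how to redact and detect `code=` values in logged URLs.

```python
import re
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# URL from the page; the key and the log lines are constructed samples.
FUNCTION_URL = "https://networking-test-fa.azurewebsites.net/api/HttpTrigger1"
SAMPLE_KEY = "CONSTRUCTED-KEY-0000"
SAMPLE_LOG = [
    "GET /api/HttpTrigger1?code=CONSTRUCTED-KEY-0000 200",
    "GET /api/HttpTrigger1 200",
    "GET /api/HttpTrigger1?name=a&code=REDACTED 200",
]


def build_header_request(url, key):
    """Build (without sending) a request that carries the key in a header."""
    req = urllib.request.Request(url, method="GET")
    # urllib stores the name as "X-functions-key"; header names are
    # case-insensitive on the wire, so the Function App sees the same header.
    req.add_header("x-functions-key", key)
    return req


def redact_code_param(url):
    """Replace the value of any `code` query parameter before logging a URL."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == "code" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def keys_exposed_in_log(lines):
    """Return the log lines whose URL still contains an unredacted code= value."""
    pattern = re.compile(r"[?&]code=(?!REDACTED)[^&\s]+", re.IGNORECASE)
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    req = build_header_request(FUNCTION_URL, SAMPLE_KEY)
    print("URL sent:", req.full_url)  # no key in the URL
    print("Redacted:", redact_code_param(FUNCTION_URL + "?code=" + SAMPLE_KEY))
    print("Exposed lines:", keys_exposed_in_log(SAMPLE_LOG))
```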

Restrict by Application

Restrict By IP

Azure App Services and Function Apps let you restrict access based on IP address, which is useful for building internal applications with limited access.

First, click Networking on the left sidebar, then open the Access Restrictions page.

From here, you can add and remove IP addresses for both the App Service/Function App and the SCM page. If no IP addresses are listed, access is open to all.

Once restrictions are in place, requests from IP addresses that are not allowed receive a 403.

If you need a list of the IPs trying to access the application, you can access:

  • App Service: Diagnose and solve problems -> Availability and Performance -> HTTP 4xx Errors
  • Function App: Diagnose and solve problems -> HTTP 4xx Errors -> HTTP 4xx Errors

Once here, scroll to the bottom of the page and expand "Which client IPs got rejected due to IP restriction?".

App Service Authentication

App Service Authentication works well for an application that is accessed through a browser (so not an API). Note that users who are not authenticated will need to log in before accessing the app at all.

First, turn on App Service Authentication.

For the source, choosing Azure Active Directory lets users inside the tenant access the application, which is useful for setting up an internal application.
