sample code for publish and consume rapid event flow
When using serverless compute, we need to reflect on the multiple attack vectors, code vulnerabilities. To ensure no public end-point are exposed, there are few options to deploy a function app, however in this repository, these more restrictive and more secured topologies are not covered. The reason is cost. This repo will showcase a very slim security posture.
Using two function apps, and two distinct plans, the reason is IP filtering is set on the plan level. In our case there are two types of restrictions, the publisher, origin is known, it will either be connected through a VPN or ExpressRoute, or specific set of IPs, while the consuming applications origin is unknown. The internet facing function app, should have IP restriction of the WAF only. The internal facing function app, should have only the IP(s) of the on-prem, or specific hosted assets.
Restricting traffic via IP configuration - see documentation further more, to avoid attack which will lead to high compute load (and cost) we can limit the concurrency of the functions using the host.json:
"extensions": {
"http": {
"routePrefix": "api",
"maxOutstandingRequests": 200,
"maxConcurrentRequests": 1,
"dynamicThrottlesEnabled": true
}
}Your local settings would have at least these elements:
{
"IsEncrypted": false,
"Values": {
"AzureWebJobsStorage": "<your storage connection string>",
"FUNCTIONS_WORKER_RUNTIME": "dotnet",
"REDIS_CONN": "<your redis connection string>",
"DEFAULT_TTL": "60"
}
}Azure Function scale and restrictions see documentation
WAF will provides centralized protection of your web applications from common exploits and vulnerabilities. Deploy a WAF as explained in this document
Azure Front Door see documentation
APIM & APG - please see blog-post for more information on how the integration between the two products can increase your control over the exposed APIs.
Please see this blog-post for information limiting throughput and scalability of a Azure Functions.