Azure Function Outbound TLS call via Azure Firewall - Can I use TLS Inspection

GRAY Mike 161 Reputation points
2023-12-10T13:08:27.19+00:00

Hi,

I currently have 4 Function Apps that are calling external 3rd party API endpoints to either push or pull data into development service. This is currently in development. I have recently been told by our Security Team that I need to pass this traffic via the Azure Firewall for outbound connectivity.

As the traffic is calling endpoints over https using TLS1.2 I have asked the question what is the benefit of doing this if the Firewall cannot assess the traffic. I know this will provide a central point to control access and what can be called via the Firewall.

The query I have is: can I enable TLS Inspection on the Firewall for this Azure Function traffic? At present we do not deploy any certificates for this, so if we need to achieve TLS Inspection where do I get the client certificates, as these are 3rd parties that we just call? Also, is TLS Inspection possible from an Azure Function and do I need to implement this?

All of the articles I have read always talk about the use of VM but just wanted to understand whether this is possible with Functions.

thanks

Mike


Accepted answer
  1. TP 94,306 Reputation points
    2023-12-12T05:09:54.0733333+00:00

    Hi Mike,

    In addition to the information ChaitanyaNaykodi-MSFT already provided.

    Yes, it is possible, however, your function apps would need to run in App Service Environment (ASE). In order for Azure Firewall to do TLS inspection you need to add a certificate to the Trusted Root Store where your functions are running, and you can only do that with ASE.

    You should use ASE v3 since ASE v2 is retiring soon.

    Root CA on App Service

    https://azure.github.io/AppService/2021/06/22/Root-CA-on-App-Service-Guide.html

    App Service Environment overview

    https://video2.skills-academy.com/en-us/azure/app-service/environment/overview

    Please click Accept Answer and upvote if the above was helpful. If something is unclear please add a comment.

    Thanks.

    -TP


1 additional answer

  1. ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
    2023-12-12T03:26:27.2633333+00:00

    @GRAY Mike

    Thank you for reaching out.

    I understand you wish to know if you can use the TLS inspection feature of Azure Firewall for the outbound calls from your Azure Function apps.

    I did some research internally and have seen that this architecture is possible and you can use the TLS inspection feature of Azure Firewall Premium for the outbound calls from your Azure Function apps.

    Following will be the summary of steps required:

    • Deploy an Azure Firewall Premium and route the outbound traffic from the Function App traffic to the Azure Firewall. Something like the tutorial here for the App Service (I could not find a tutorial specific to the Function App)
    • Follow the Steps here to enable TLS Inspection with Azure Firewall Premium Certification Auto-Generation and Add the newly created Root Certificate (in step 6) to the function app's trusted root store – To allow it to trust and connect through the AZFW. (Azure Firewall Premium Certification Auto-Generation is not recommended for production environment and you can follow this documentation to generate enterprise CA certificate)

    Azure Firewall Premium can intercept outbound HTTP/S traffic and auto-generate a server certificate for www.website.com. This certificate is generated using the Root certificate provided above. This way Azure Firewall will establish a TLS connection with your API server. The traffic flow will be as shown below

    User's image

    Please let me know if you have any question related to Azure Firewall TLS inspection and Certificates, I also highly recommend that you go through this TLS Inspection By Azure Firewall Video by Microsoft Security team.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
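The trust relationship both answers describe (a firewall-minted certificate for www.website.com that validates only where the inspection root is in the trust store), as an added example that is not part of either answer or of Microsoft's documentation. It runs offline with the openssl CLI; the CA names, file names and helper functions are constructed for illustration, and nothing here configures Azure Firewall or a Function App.

```shell
#!/bin/sh
# Added example: why the client must trust the TLS-inspection root CA.
# Every name, subject and file below is constructed for illustration.
WORK="$(mktemp -d)"

# make_root <name> <CN>: self-signed root CA. One stands in for the
# firewall's inspection root, the other for an unrelated public root.
make_root() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf <ca> <host>: what the inspecting proxy does per connection,
# minting a server certificate for the requested host under its own root.
issue_leaf() {
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/san.ext"
  openssl req -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" -subj "/CN=$2" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# client_accepts <trusted-root> <host>: chain plus hostname validation, as a
# TLS client does it when <trusted-root> is the root it was given to trust.
client_accepts() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# inspected_by <ca>: true when the leaf's issuer equals that CA's subject.
inspected_by() {
  [ "$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$WORK/leaf.crt" | sed 's/^issuer=//')" = \
    "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.crt" | sed 's/^subject=//')" ]
}

make_root inspection "Constructed Inspection Root CA"
make_root public "Constructed Public Root CA"
issue_leaf inspection www.website.com
```

The same issuer comparison, run against the certificate an app actually receives, is a quick way to confirm that outbound calls are being inspected rather than passed through.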
