Restrict Azure function to access storage account and Key vault

Nandhini Balasubramanian 20

I have a Azure functions that sends SMS's and redirects call using Twilio messaging service. It does not use any Storage account, uses only Azure key vault. How to restrict public access to a storage account and allow only the Azure functions to access it. Also impose the same restrictions to Azure key vaults as well. These app are on Consumption plan. Kindly advice.

Accepted answer

Vinodh247 18,101 Reputation points

2024-08-30T05:21:25.12+00:00
Hi Nandhini Balasubramanian,

Thanks for reaching out to Microsoft Q&A.

Since your Azure Function is on a consumption plan and doesn’t directly use the storage account, lets try on how to restrict public access:

Restrict Public Access to Storage Account

Disable Public Access on Storage Account

Use Managed Identity for Azure Functions

Assign MI to Azure Function

Assign Storage Account Role to MI

Restrict Public Access to Azure KV

Use Virtual Network Service Endpoints or Private Endpoint

Since your function app is on the Consumption plan, you can't use VNet integration, but you can still restrict access

Use MI for Azure Functions:

Ensure Azure Function Can Still Access Resources

After restricting public access, your Azure Function (through its mi) will be able to access the storage account and KV securely. This configuration prevents unauthorized access and secures your resources.

Note:

Make sure that your MI has the correct roles assigned both for the Storage account and the KV.

The above steps will help you to make sure that only your Azure Function can access the storage account and KV, while blocking public access.

Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

1 additional answer

Nandhini Balasubramanian 20 Reputation points

2024-09-02T00:12:11.4266667+00:00

Hi @Vinodh247 ,

Thanks for your response.

I am not able to set MI to Azure Function as it is being used as a webhoook in Twilio console. It uses Twilio API key and X-Twilio-Signature HTTP header to do a two-factor authentication. Can we use the system assigned MI instead?

Is there an alternate solution that would enable me to ensure only my Azure Functions can access the storage account and KV, while blocking public access.

Thanks
Please sign in to rate this answer.
Vinodh247 18,101 Reputation points

2024-09-02T05:17:15.9766667+00:00

In that case, I would request you to go through the following options and see if any one of this might help. Pls note all these are suggestions but doesnt seem to have tried practically to see how it works. Hence request you to validate and then use this as a pointer for your issue to be fixed.

If you cannot use a MI for auth, you can still restrict access by allowing only the azure function’s outbound IP addresses.

Use Azure Function’s Outbound IP Addresses

a. Restrict Access to the Storage Account

Get Azure Function Outbound IP Addresses:

Under "Settings" in azure function, select Properties.

Note the Outbound IP addresses and Possible Outbound IP Addresses.

Configure Storage Account Firewall:

Go to your Storage Account in the Azure portal.

Under "Networking", select Firewalls and virtual networks.

Set Allow public access from all networks to Selected networks.

Add the outbound IP addresses of your Azure Function to the allowed IP addresses list.

b. Restrict Access to the Azure KV

Configure Key Vault Firewall:

Under Networking, select Firewalls and virtual networks.

Set Allow public access from all networks to Selected networks.

Add the outbound IP addresses of your Azure Function to the allowed IP addresses list.

Use Azure API Management as a Gateway (Optional)

To further enhance security, you can place an APIM in front of your Azure Function. APIM can enforce additional security policies, including IP filtering, rate limiting, and more.

Set Up APIM:

Deploy APIM in front of your Azure Function.

Configure APIM to allow only traffic from specific IP addresses or regions.

Redirect Twilio webhook traffic through APIM.

Integrate APIM with Storage Account and Key Vault:

Add APIM’s IP addresses to the allowed IP addresses list in your Storage Account and Key Vault firewalls.

Secure Azure Key Vault with Access Policies

Ensure that your KV access policies are set to allow access only to the Azure Function (using its specific IP addresses, as mentioned above) and restrict access to other resources.

Enable Private Endpoints (If Possible)

Although this option is more complex, you could use Private Endpoints for both the Storage Account and KV to ensure that access is restricted to resources within the same virtual network. This might require switching to a different hosting plan for your Azure Function.

Nandhini Balasubramanian 20 Reputation points

2024-09-03T06:43:46.6266667+00:00

Thanks @Vinodh247 for your suggestions. I am using the outbound IP address to whitelist the access to my Storage account and key vault.

The Defender for cloud however is showing a few recommendations. Should all those be remediated? or is it based on my application set up.

For instance my function app does not use a client certificate because For typical integrations with the Twilio Messaging API, client certificates may not be required. Standard authentication methods like API keys and Basic Authentication, along with 2FA for managing access, provide robust security. Twilio uses an X-Twilio-Signature header to sign its webhook requests. My Azure App currently verifies this signature, ensuring that the request is genuinely from Twilio.

Kindly suggest.

Vinodh247 18,101 Reputation points

2024-09-04T05:06:16.28+00:00

The Defender for cloud however is showing a few recommendations. Should all those be remediated? or is it based on my application set up.

They may or may not be necessary depending on your specific app setup and req. Though I have tried to summarise in a generic way for all the recommendations that your screenshot had, the decision to remediate these recommendations should be based on your app's specific security requirements and the feasibility of implementing these measures.

Storage account should use a private link connection (Medium Severity):

If you can implement a Private Endpoint, it's a more secure option. However, since your current setup uses IP whitelisting, and you're on a Consumption plan for your Azure Function, it may be challenging to implement Private Link. If your security requirements allow it, continuing with IP whitelisting might suffice.

Function apps should have Client Certificates (Incoming client certificates) enabled (Medium):

As you mentioned, your Function App relies on Twilio’s X-Twilio-Signature for auth, which is a valid and secure method for your use case. Enabling client certificates is not necessary unless you have a specific requirement for additional security layers.

Storage accounts should restrict network access using virtual network rules (Medium):

If you are already using IP address whitelisting effectively, this recommendation can be considered but isn't mandatory. For higher security, you could explore using Virtual Network Service Endpoints if supported in your environment.

Diagnostic logs in Key Vault should be enabled (Low):

It’s generally a good practice to enable logging for auditing and compliance, especially for sensitive resources like Key Vault. It’s a low-effort, high-value security improvement.

Firewall should be enabled on KeyVault (Medium):

Since you’re already using IP whitelisting, enabling the fw is aligned with your current setup and will further enhance security.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Restrict Azure function to access storage account and Key vault

1 additional answer

Your answer