使Azure函数不能公开访问吗? [英] Make Azure Functions not publicly accessible?

问题描述

目前，我的功能可以公开访问.有没有一种方法可以使它们只能通过其他方式(例如API网关)访问，而不能直接访问?我尝试通过网络"刀片添加VNET，但我认为这没有做任何事情(我仍然可以公开调用这些函数)...我认为这样做是为了使这些函数可以访问专用网络上的资源.我没有在设置中看到任何将IP设为私有的选项.我对网络相关问题不是很精通，如果不清楚，我深表歉意.

Currently my functions are accessible publicly. Is there a way to make it so that they can only be accessed via something else, like an API gateway, and not directly? I tried adding a VNET via the "networking" blade but I don't think that did anything (I could still call the functions publicly)...I think that just makes it so the functions could access resources on a private network. I didn't see any options in the settings to make the IP private. I'm not very well versed in networking related issues, so apologies if I'm being unclear.

推荐答案

The built-in keys support is meant to provide an option for this. You can require all requests to include an API key which is only shared with resources you care about. In fact, all HTTP-triggered functions require a key by default. You would have to explicitly choose to remove this requirement.

密钥不是网络解决方案，如果您泄漏密钥，则有人可以访问您的API(直到您滚动密钥).您是正确的，VNet支持是点对站点的，这意味着它可以访问资源，但是功能应用程序本身不受保护.一个应用程序服务环境可以解决这个问题，尽管Kai对原始问题的评论是正确的-ASE尚不适用于Function.

Keys aren't a networking solution though, and if you leak the keys, someone could access your APIs (until you roll the keys). You are correct that the VNet support is point-to-site, meaning it can access resources, but the function app is not protected itself. An App Service Environment would solve that, although Kai's comment on the original question is correct - ASE is not yet available for Functions.

除了密钥，您还可以使用应用服务身份验证/授权以要求AAD服务主体.实际上，这就像一把钥匙，但是如果您要在AAD中建模其他实体，则还有其他好处.不过，除非您知道您需要此键，否则我会坚持使用键.

In addition to keys, you could look at using App Service Authentication / Authorization to require an AAD service principal. This is effectively like a key, but has additional benefits if you are modeling other entities in AAD. Unless you know you need this, though, I would stick with keys.

这篇关于使Azure函数不能公开访问吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！