Make Azure Functions not publicly accessible?


Question

Currently my functions are accessible publicly. Is there a way to make it so that they can only be accessed via something else, like an API gateway, and not directly? I tried adding a VNET via the "networking" blade but I don't think that did anything (I could still call the functions publicly)...I think that just makes it so the functions could access resources on a private network. I didn't see any options in the settings to make the IP private. I'm not very well versed in networking related issues, so apologies if I'm being unclear.

Recommended answer

The built-in keys support is meant to provide an option for this. You can require all requests to include an API key which is only shared with resources you care about. In fact, all HTTP-triggered functions require a key by default. You would have to explicitly choose to remove this requirement.

Keys aren't a networking solution though, and if you leak the keys, someone could access your APIs (until you roll the keys). You are correct that the VNet support is point-to-site, meaning it can access resources, but the function app is not protected itself. An App Service Environment would solve that, although Kai's comment on the original question is correct - ASE is not yet available for Functions.

In addition to keys, you could look at using App Service Authentication / Authorization to require an AAD service principal. This is effectively like a key, but has additional benefits if you are modeling other entities in AAD. Unless you know you need this, though, I would stick with keys.
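The answer notes that HTTP-triggered functions require a key unless that requirement is explicitly removed. The following is an added example, not part of the original answer: a small audit that reads each function's `function.json` and reports HTTP triggers whose `authLevel` is `anonymous`. The function names and sample files are constructed, and treating a missing `authLevel` as `function` is an assumption based on the answer's "key by default" statement.

```python
import json

# Levels at which the Functions host requires a key on the request.
KEYED_LEVELS = {"function", "admin"}

def audit_function_json(name, text):
    """Return (function, authLevel) for HTTP triggers that need no key."""
    findings = []
    for binding in json.loads(text).get("bindings", []):
        if str(binding.get("type", "")).lower() != "httptrigger":
            continue  # timers, queues and output bindings are not HTTP entry points
        # Assumption: an omitted authLevel means "function", matching the
        # answer's statement that a key is required by default.
        level = str(binding.get("authLevel", "function")).lower()
        if level not in KEYED_LEVELS:
            findings.append((name, level))
    return findings

def audit_app(functions):
    """functions maps a function name to the text of its function.json."""
    findings = []
    for name in sorted(functions):
        findings.extend(audit_function_json(name, functions[name]))
    return findings

# Constructed sample input (hypothetical function names).
SAMPLE_APP = {
    "GetOrder": '{"bindings": [{"type": "httpTrigger", "direction": "in", '
                '"name": "req", "authLevel": "function"}, '
                '{"type": "http", "direction": "out", "name": "res"}]}',
    "PublicPing": '{"bindings": [{"type": "httpTrigger", "direction": "in", '
                  '"name": "req", "authLevel": "anonymous"}]}',
    "DefaultLevel": '{"bindings": [{"type": "httpTrigger", "direction": "in", '
                    '"name": "req"}]}',
    "NightlyJob": '{"bindings": [{"type": "timerTrigger", "direction": "in", '
                  '"name": "timer", "schedule": "0 0 2 * * *"}]}',
}

if __name__ == "__main__":
    for name, level in audit_app(SAMPLE_APP):
        print(f"{name}: HTTP trigger callable without a key (authLevel={level})")
```

A clean result only shows that keys are required; as the answer says, keys are not a network control, so the endpoint itself is still reachable.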

