DEV Community

Discussion on: They can't hack your servers if you don't have any servers, right?

Hari subramaniam

Great tips. Thank you for sharing. However, there have been a few questions that I have been trying to get answers to.

  1. Azure Functions (Azure App Service really) has a way to restrict incoming IP addresses. I suspect those mechanisms just inspect the packet header and are potentially vulnerable to IP spoofing. Any pointers on how to safeguard against this attack vector?

  2. Since it's PaaS, there must be some level of DDoS protection built into the Azure fabric, especially since this is multi-tenant. So I am assuming that, though DDoS is possible, the Azure fabric must have some protection already inbuilt? Monitoring through App Insights can help, but it's reactive. On the shared security responsibility, I feel customers own the responsibility of monitoring, but it would be great to know what is done on the other side of the shared responsibility to prevent this.

These 2 are questions I get a lot when I recommend using Azure Functions on various engagements.

Matthew Henderson

Thanks, Hari! We do have IP restrictions available, documented here.

For more advanced networking capabilities, you won't find those on the Consumption plan, but they are available on the Functions Premium plan and with App Service plan hosting.

As for DDoS, there are some good answers in the Azure Security Whitepaper. In short, there are some things at the Azure level for sure (Basic protection), but that's for a more general level of protection and doesn't make any guarantees about your workload specifically. Your app could still certainly be the target of a DDoS and be taken down unless you take mitigating actions. The best practices outlined in that whitepaper are a great place to start. I would also take a look at the Standard protection offerings as well, but I don't know as much about those, personally.