KeyVault firewall configuration and Azure Functions consumption plan
I have a KeyVault with some secrets in it. I have configured the firewall with a few limited client IPs and also made sure the "Allow trusted Microsoft services to bypass this firewall" is set to "Yes".
However, when I try to connect and retrieve a secret from an Azure function (using Managed Service Identity) I get a 403, Forbidden. If I set the firewall off (i.e. to "Allow access from all networks") then it works fine.
In the (i)nformation box it says that Azure App Services (Web Apps) are supported. I thought this would cover function apps too but obviously not.
I know that I can use an S1 plan and a VNET (and join KeyVault to the same VNET), but then we lose the flexibility of the consumption plan.
I have considered adding the entire Azure IP range for the data centre in question but I don't want the admin overhead.
Any other thoughts on how to secure a KeyVault using a firewall but still be able to access it from a function running on a consumption plan?
azure azure-functions azure-keyvault azure-app-service-plans
asked Nov 14 '18 at 9:18
Murray Foxcroft
5,85013554
1 Answer
Go to your function properties (function > platform features > properties) and look up the IP addresses there (they do not change) and add those to the KV firewall.
answered Nov 14 '18 at 9:59
4c74356b41
27.3k42053
Unfortunately those IP addresses may change (infrequently) which makes them unreliable for production deployment. See twitter.com/jussipalo/status/985781858020610049
– Murray Foxcroft
Nov 14 '18 at 10:27
I've been using those throughout the last several years in different places. Never seen them change.
– 4c74356b41
Nov 14 '18 at 10:59
They may change, but Azure will notify you about it in advance.
– Pawel Maga
Nov 14 '18 at 20:48
Thanks @PawelMaga - can you point me to any documentation that confirms this?
– Murray Foxcroft
Nov 15 '18 at 9:27
@MurrayFoxcroft Unfortunately I don't have any link to the documentation confirming it. I can just copy/paste a few words from an email message that I got from Azure many times: "To improve traffic flow, we are changing some of the inbound and outbound IP addresses in regions where your sites are hosted. We're making these changes over the next few months and require you to take corresponding actions. If you don't take the recommended action described below by September 30, 2018, your site may stop working."
– Pawel Maga
Nov 15 '18 at 10:20
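As an added worked example (not from the question, the answer or Microsoft), a Python helper for the answer's approach and the comments' caveat: it takes the JSON shapes that `az functionapp show` and `az keyvault show` return (the two embedded documents are constructed samples with hypothetical app and vault names), uses the app's `possibleOutboundIpAddresses` field, which is the superset of addresses the app can egress from, computes which IPs are missing from the vault's IP rules and which rules have gone stale, and flags a vault whose default action is not Deny. Run on a schedule, the same diff surfaces the IP changes the comment thread warns about instead of leaving them to a 403 in production.

```python
import ipaddress
import json

# Constructed sample of `az functionapp show` output (fields trimmed).
FUNCTIONAPP_JSON = json.dumps({
    "name": "my-func",  # hypothetical app name
    "outboundIpAddresses": "20.0.0.1,20.0.0.2",
    "possibleOutboundIpAddresses": "20.0.0.1,20.0.0.2,20.0.0.3,20.0.0.4",
})

# Constructed sample of `az keyvault show` output (fields trimmed).
KEYVAULT_JSON = json.dumps({
    "name": "my-vault",  # hypothetical vault name
    "properties": {"networkAcls": {
        "bypass": "AzureServices", "defaultAction": "Deny",
        "ipRules": [{"value": "20.0.0.1/32"}, {"value": "203.0.113.7/32"}],
    }},
})

def norm(rule: str) -> str:
    """Normalise an IP or CIDR string to the /32-style form the vault stores."""
    return str(ipaddress.ip_network(rule, strict=False))

def plan(functionapp_json: str, keyvault_json: str, admin_rules=()) -> dict:
    """Diff wanted vs. current IP rules; admin_rules are operator IPs to keep."""
    app = json.loads(functionapp_json)
    acls = json.loads(keyvault_json)["properties"]["networkAcls"]
    # possibleOutboundIpAddresses covers every IP the app may egress from on its
    # scale unit, a superset of outboundIpAddresses, so allow-list all of them.
    wanted = {norm(ip) for ip in app["possibleOutboundIpAddresses"].split(",") if ip}
    wanted |= {norm(ip) for ip in admin_rules}
    current = {norm(r["value"]) for r in acls.get("ipRules", [])}
    findings = []
    if acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: the IP rules are not enforced")
    return {"add": sorted(wanted - current), "remove": sorted(current - wanted),
            "findings": findings}

def as_cli(vault: str, p: dict) -> list:
    """Render the plan as az CLI commands for review before applying."""
    add = [f"az keyvault network-rule add --name {vault} --ip-address {ip}" for ip in p["add"]]
    rm = [f"az keyvault network-rule remove --name {vault} --ip-address {ip}" for ip in p["remove"]]
    return add + rm

if __name__ == "__main__":
    p = plan(FUNCTIONAPP_JSON, KEYVAULT_JSON, admin_rules=["203.0.113.7"])
    print("\n".join(as_cli("my-vault", p) + p["findings"]))
```

Rules the diff wants removed should be reviewed by hand before running the generated commands, since a removed operator IP locks that operator out of the vault.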