Azure policies for Azure Functions

curious7 251 Reputation points
2024-09-04T13:28:14.69+00:00

I am planning on applying an Azure Policy initiative of the following policies to Azure Function Apps:

Function app slots should disable public network access
Function app slots should have Client Certificates (Incoming client certificates) enabled
Function app slots should have remote debugging turned off
Function app slots should not have CORS configured to allow every resource to access your apps

Function app slots should only be accessible over HTTPS
Function app slots should require FTPS only
Function app slots should use an Azure file share for its content directory
Function app slots should use latest 'HTTP Version'
Function app slots should use the latest TLS version
Function app slots that use Java should use a specified 'Java version'
Function app slots that use Python should use a specified 'Python version'
Function apps should disable public network access
Function apps should have authentication enabled
Function apps should have Client Certificates (Incoming client certificates) enabled
Function apps should have remote debugging turned off
Function apps should not have CORS configured to allow every resource to access your apps
Function apps should only be accessible over HTTPS
Function apps should require FTPS only
Function apps should use an Azure file share for its content directory
Function apps should use latest 'HTTP Version'
Function apps should use managed identity
Function apps should use the latest TLS version
Function apps that use Java should use a specified 'Java version'
Function apps that use Python should use a specified 'Python version'

Most of these are in Isolated V2 tier in ASE.
But some are in Dynamic/Consumption plan.

Which policies won't be suitable for functions in Isolated V2 plan? Or do I need to only implement App Service related policies for these, as they are in ASE?

And which won't be suitable for functions in Dynamic/Consumption plan?


Accepted answer
  1. Ryan Hill 28,091 Reputation points Microsoft Employee
    2024-09-05T03:09:51.4966667+00:00

    Hey @curious7,

    This is more of my own opinion, but there can be certain policies that can be applied based on the SKU of the function app. Mainly because some policies just aren't applicable.

    For the Isolated V2 SKU, you can apply policies to ensure that resources are deployed in a way that meets the specific requirements of the SKU. Bear in mind, Isolated V2 is hosted within an ASE, so by default, it's already highly scalable and isolated. So, suitable policies would be those related to compute isolation.

    The Consumption/Dynamic SKU, on the other hand, would have policies that are more adherent to scaling and performance. In addition to controlling, say, the maximum number of instances, you would also have policies that manage the configuration, enforcing long-running operations, and dedicated resources of your function app.
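
An added example, not part of the original question or answer: before assigning the initiative, an offline pre-check like this one can show which of the settings named by the listed policies each function app already fails, grouped by hosting SKU. It does not decide which policies apply to a plan; it only reports the current state. The property names follow the Microsoft.Web/sites ARM schema, while the flattened record layout, the `min_tls` default, the app names and the sample values are assumptions constructed for illustration.

```python
# Added example on constructed data. Property names follow the Microsoft.Web/sites
# ARM schema; the flattened record layout and min_tls default are assumptions.
CHECKS = {
    "HTTPS only": lambda s, c: s.get("httpsOnly") is True,
    "client certificates": lambda s, c: s.get("clientCertEnabled") is True,
    "public network access disabled": lambda s, c: s.get("publicNetworkAccess") == "Disabled",
    "remote debugging off": lambda s, c: c.get("remoteDebuggingEnabled") is False,
    "CORS not wildcard": lambda s, c: "*" not in (c.get("cors") or {}).get("allowedOrigins", []),
    "FTPS only": lambda s, c: c.get("ftpsState") in ("FtpsOnly", "Disabled"),
    "latest HTTP version": lambda s, c: c.get("http20Enabled") is True,
}

def version_tuple(text):
    return tuple(int(part) for part in text.split("."))

def audit(app, min_tls="1.2"):
    """Return sorted names of failed checks; a missing setting counts as a failure."""
    site = app.get("properties") or {}
    cfg = site.get("siteConfig") or {}
    failed = [name for name, check in CHECKS.items() if not check(site, cfg)]
    if version_tuple(cfg.get("minTlsVersion") or "0") < version_tuple(min_tls):
        failed.append("latest TLS version")
    if "Assigned" not in ((app.get("identity") or {}).get("type") or ""):
        failed.append("managed identity")
    return sorted(failed)

def audit_by_sku(apps):
    """Group findings by hosting SKU so plan-specific gaps show up before assignment."""
    report = {}
    for app in apps:
        sku = (app.get("properties") or {}).get("sku", "unknown")
        report.setdefault(sku, {})[app["name"]] = audit(app)
    return report

def _app(name, sku, identity, https, public, cors, ftps, tls):  # constructed sample builder
    cfg = {"remoteDebuggingEnabled": False, "http20Enabled": True, "ftpsState": ftps,
           "minTlsVersion": tls, "cors": {"allowedOrigins": cors}}
    props = {"sku": sku, "httpsOnly": https, "clientCertEnabled": True,
             "publicNetworkAccess": public, "siteConfig": cfg}
    return {"name": name, "identity": {"type": identity}, "properties": props}

SAMPLE_APPS = [  # constructed records with hypothetical app names
    _app("func-ase-orders", "IsolatedV2", "SystemAssigned", True, "Disabled",
         ["https://portal.example.com"], "FtpsOnly", "1.2"),
    _app("func-consumption-events", "Dynamic", "None", False, "Enabled",
         ["*"], "AllAllowed", "1.0"),
]

if __name__ == "__main__":
    for sku, apps in audit_by_sku(SAMPLE_APPS).items():
        for name, failed in apps.items():
            print(f"{sku:<11} {name:<24} {', '.join(failed) or 'compliant'}")
```
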

