question

0 Votes
erotavlas-3755 asked erotavlas-3755 commented

Make web api endpoint callable only by an Azure function app

Hello,
I'm building the backend of a mobile app on Azure, and I was thinking of using Function apps in conjunction with an ASP.NET Core 3.1 Web API. I need to do the following:

  • Run a Function app to get some data periodically from an online source.

  • From the Function app, send the data using a POST request to an API endpoint, and the method will write the data to an SQLite database.

  • I only want that particular API endpoint visible / accessible to the Function app, because no public user or the mobile application should be allowed to post any data to the database.

  • The other API endpoint should only be accessible to the mobile app (but not someone browsing the net who happens to find out the URL). But that is a separate issue.

Is it possible to accomplish the part where I want the POST method visible to the Function app?



azure-functions dotnet-aspnet-core-webapi

Hi @erotavlas-3755,

In the ASP.NET Core API application, you can configure authorization and use the Authorize attribute for the API endpoint. It is similar to role-based authorization or claims/policy-based authorization. When the request is from the Function, you can add a "Role" to the current user's claims; then, in the API application, you can create a policy based on the Role and apply the policy to the endpoint, so that only requests that meet the requirements can access the API endpoint.

Here are some related articles you can refer to:

Claims-based authorization

Policy-based authorization

Policy-Based And Role-Based Authorization Using Custom Handler

Besides, you can also configure the API with JWT Authentication and use it with Role Policy:

Basic Authentication Tutorial with Example API

JWT Authentication With Role Policy

Policy-Based Authorization with Angular and ASP.NET Core using JWT

Best regards,
Dillion

1 Vote 1 ·
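The role-plus-policy setup described in the comment above, as an added example that is not code from the thread. It assumes the Function authenticates with a JWT bearer token whose role claim is set by the token issuer; the issuer and audience values, the `IngestOnly` policy, the `Data.Ingest` role, the route and `ReadingDto` are all hypothetical.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Placeholders: the token issuer and the audience registered for this API.
                options.Authority = "https://login.example.invalid/";
                options.Audience = "api://ingest-api-placeholder";
            });

        // Hypothetical policy: the validated token must carry the role "Data.Ingest".
        services.AddAuthorization(options =>
            options.AddPolicy("IngestOnly", policy =>
                policy.RequireAuthenticatedUser().RequireRole("Data.Ingest")));

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/ingest")]
public class IngestController : ControllerBase
{
    // No valid token: 401. Valid token without the role: 403.
    [HttpPost]
    [Authorize(Policy = "IngestOnly")]
    public IActionResult Post([FromBody] ReadingDto reading) => NoContent(); // database write omitted
}

public class ReadingDto { public string Source { get; set; } public double Value { get; set; } }
```

The policy is only as strong as the token validation behind it: the role has to come from a signed token checked against the issuer and audience, not from a header or body field the caller can set.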

1 Answer

0 Votes
Bruce-SqlWork answered erotavlas-3755 commented

This is what Azure virtual networks (VNets) are for.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview


Can you elaborate? I'm not too familiar with VNet in Azure.

0 Votes 0 ·

See docs:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

You create the VNet. Then you configure the function to only be callable on this net. You also configure your core app access to the VNet.

0 Votes 0 ·

While reading more about this, I've seen some examples that show how to do this using Private Endpoints in Azure App Service, which requires one of the premium plans.

I also found this ipSecurity element of the configuration:
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/

Is either of these approaches what you were thinking?

I probably can't use the first one because I'm only using the Basic or Free App Service plan, so should the ipSecurity feature do the job?

0 Votes 0 ·