This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 14.000000000000002%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Hello,
I'm building the backend of a mobile app on Azure, I was thinking to use Function apps in conjunction with ASP.NET Core 3.1 Web Api. I need to do the following
Is it possible to accomplish the part where I want the POST method visible to the Function app?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 90%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZL%3C/text%3E%3C/svg%3E)
Hi @erotavlas ,
In the Asp.net Core API application, you can configure the authorization and use the Authorize attribute for the API endpoint. It is similar like the Role based authorization or Claims/Policy Based authorization. When the request is from the Function, you can add a "Role" to the current user's claims, then, in the API application, you can create policy based on the Role and apply the policy to the endpoint. So that only requests that meet the requirements can access the API endpoint.
Here are some related articles, you can refer them:
Policy-Based And Role-Based Authorization Using Custom Handler
Besides, you can also configure the API with JWT Authentication and use it with Role Policy:
Basic Authentication Tutorial with Example API
JWT Authentication With Role Policy
Policy-Based Authorization with Angular and ASP.NET Core using JWT
Best regards,
Dillion
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
This is what azure virtual networks (vnets ) are for.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
Can you elaborate? I'm not too familiar with VNet in Azure.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 18%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
see docs:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
you create the vnet. then you configure the function to only be callable on this net. you also configure your core app access to the vnet.
While reading more about this I've seen some examples that show how to do this using Private Endpoints in Azure App service which requires one of the premium plans.
I also found this ipSecurity element of the configuration
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/
Is either of these approaches what you were thinking?
I probably can't use the first one because I'm only using the basic or free App service plan so should the ipSecurity feature do the job?
@erotavlas , you server (web-api) needs to demand some sort of secret/claim from the client code (Az function).
If you need a quick solution, just hide some secret on both sides of those 2 services (shared key) and make the call using that secret as part of the request. (eg. https://dzone.com/articles/api-key-user-aspnet-web-api).
If you want to do it more advanced, then a Managed Identity for the Az Function and an authorization to call that API/scope should be the way to go. Create a different scope for the mobile app, and another for the backend calls (Az Function). This is the way to go if you are already using or planning to use AzureAD for AuthN+AuthZ in your app/api.
eg.:
managed identities https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?context=%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Fcontext%2Fmsi-context&tabs=dotnet
webapi scopes https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore