- VNET Integration<\/strong>: This is useful when the Function needs to connect to another resource in our through the VNET (like we’re doing with Key Vault). This is for connections FROM your function.<\/li>
- Private Endpoints <\/strong>(preview right now): This is useful to protect your function and only make it available for resources in the network. This is for connections TO your function.<\/li><\/ul><\/li>
- Azure Key Vault Private Link<\/a><\/li>
- Azure Functions, use Private DNS Zones<\/a><\/li><\/ul>\n\n\n\n
So, in terms of workflow this is what I’m planning to implement in this post:<\/p>\n\n\n\n
- Create Azure Function and Key Vault<\/li>
- Give managed identity to Azure Function.<\/li>
- Have function query public Key Vault to verify things work.<\/li>
- Integrate Key Vault using PrivateLink and function using VNET integration.<\/li>
- Configure Azure Function to use Private DNS Zone.<\/li>
- Have function query private Key Vault to verify things work<\/li><\/ul>\n\n\n\n
So, let’s get started!<\/p>\n\n\n\n
Create Key Vault and Azure Function.<\/h2>\n\n\n\n
In this section, we will create the function and the key vault. Let’s start with the function. Look for functions in the Azure search bar, and hit the create button. The first blade asks for some details. In this case, I’ll be running a Python based function.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-29-1024x903.png\")
Function creation blade. We’ll create python 3.8 in a new resource group.<\/figcaption><\/figure>\n\n\n\n Next, we’ll need to create the hosting plan. The plan needs to be Premium to work with VNET integration. I’ll stick with the EP1 size, to run this in the cheapest way possible:<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-30-981x1024.png\")
Make sure you’re deploying this on a premium plan.<\/figcaption><\/figure>\n\n\n\n I will enable application insights, to have access to logs in case I need them:<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-31-1024x486.png\")
Enabling application insights. Just in case.<\/figcaption><\/figure>\n\n\n\n And finally, review and create (I’m not tagging for now)<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-32-577x1024.png\")
Review and create.<\/figcaption><\/figure>\n\n\n\n While this is running, let’s create our new Key Vault. We’ll create this in the same region and the same resource group. <\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-33-680x1024.png\")
Create the Key Vault in the same RG and the same region. This is not mandatory, but will allow me to delete this easily later on. <\/figcaption><\/figure>\n\n\n\n Next up is access policies. We won’t touch this now, we’ll touch this later on once our Function has a managed identity.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-34-1024x453.png\")
We’ll assign my own user access (the default), we’ll add the function later on.<\/figcaption><\/figure>\n\n\n\n For now, we’ll also not touch networking and default to the public networking. I first want to make sure public networking works (to ensure the code works), and then we’ll switch to Private Link.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-35-1024x483.png\")
We’ll keep public networking for now.<\/em><\/figcaption><\/figure>\n\n\n\n Then we’ll review and create, and create the Key Vault.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-36-614x1024.png\")
Review and create.<\/figcaption><\/figure>\n\n\n\n Let’s now wait for all of this to create (should take about a minute to finish), and then we can move to the next step.<\/p>\n\n\n\n
Give managed identity to Azure Function.<\/h2>\n\n\n\n
In this section we’ll do two things:<\/p>\n\n\n\n
- Give our Function a managed identity.<\/li>
- Give that managed identity permissions on Key Vault.<\/li>
- Create a secret in Key Vault.<\/li><\/ul>\n\n\n\n
Let start with the first thing, giving the managed identity to Key Vault. To do this, open the function in the Azure portal, and in the left hand navigation look for identity. I’ll stick with System Assigned identity for now, but this also works for user assigned identities:<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-37-1024x343.png\")
Creating the system assigned managed identity.<\/figcaption><\/figure>\n\n\n\n Once the identity is created, the blade will change to this:<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-38-1024x553.png\")
Grab the object ID once the managed identity is setup.<\/figcaption><\/figure>\n\n\n\n To make things easier, copy the object ID. We’ll need this in the next step, giving access to key vault.<\/p>\n\n\n\n
To give access to key vault, open the key vault and open the access policies. Click the “+Add Access Policy” button here.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-39-1024x522.png\")
Add an access policy to key vault<\/figcaption><\/figure>\n\n\n\n Here, I’ll give get and list secrets permissions to my managed identity. <\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-40-1024x515.png\")
Give the managed identity permissions to secrets.<\/figcaption><\/figure>\n\n\n\n Once this is done, don’t forget to hit the save button on the access policies.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-41-1024x773.png\")
Don’t forget to save the access policy.<\/figcaption><\/figure>\n\n\n\n With that out the way, let’s create a secret. Click on secrets on the left, and create a new secret.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-42.png\")
Creating a new secret.<\/figcaption><\/figure>\n\n\n\n And with the secret created, we can switch over to the function and try to get the secret through code.<\/p>\n\n\n\n
Have function query public Key Vault to verify things work.<\/h2>\n\n\n\n
I’ll be doing the functions development locally in Visual Studio Code, and push the Function once it’s ready. To do this I run VSCode in WSL2, and installed the Functions extension. <\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-43-1024x261.png\")
The Azure Functions extension for VS Code. This is a fantastic tool! I loved working with it.<\/figcaption><\/figure>\n\n\n\n First up, we’ll create a new function locally. To do this, open the command palette (CTRL-shift-P) and look for Azure Functions: create Function…<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-44.png\")
Create a new function locally<\/figcaption><\/figure>\n\n\n\n You’ll then get a popup to create a new project, select yes.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-46.png\")
Create a new project.<\/figcaption><\/figure>\n\n\n\n Language will be Python:<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-48.png\")
We’ll be working with Python.<\/figcaption><\/figure>\n\n\n\n As a trigger we’ll pick HTTP trigger. <\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-49.png\")
We’ll work with a HTTP trigger.<\/figcaption><\/figure>\n\n\n\n We’ll call this HttpTrigger1:<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-50.png\")
Give the function a name. I wasn’t very creative.<\/figcaption><\/figure>\n\n\n\n And we’ll use Functions authorization<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-51.png\")
Authorization level as Function for some additional security.<\/figcaption><\/figure>\n\n\n\n This will create the Azure function locally. <\/em>You’ll see a number of files and a very simple function.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-52-1024x524.png\")
Sample function being created<\/figcaption><\/figure>\n\n\n\n Let’s deploy this “raw” function to Azure, to see if everything is working as expected. To deploy to Azure, open the command palette again (CTRL+shift+P) and look for Azure Functions: Deploy to Function app…<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-53.png\")
Deploy the function to Azure.<\/figcaption><\/figure>\n\n\n\n
- Private Endpoints <\/strong>(preview right now): This is useful to protect your function and only make it available for resources in the network. This is for connections TO your function.<\/li><\/ul><\/li>
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-54.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-55.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-56.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-57.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-58-1024x79.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-59.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-60.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-61.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-62-1024x659.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-63-1024x760.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-64-790x1024.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-74-1024x661.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-65-1024x673.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-66-1024x596.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-67-1024x586.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-68-1024x789.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-69-876x1024.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-70-1024x439.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-72-1024x520.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-73-936x1024.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-75.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-76.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-77.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-78.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-79-1024x565.png\")
![\"\"](\"\/wp-content\/uploads\/2020\/09\/image-80.png\")
<\/figure>\n\n\n\n