Secure Connection from Azure Function to Azure CosmosDB
Use a CosmosDB private endpoint for a secure connection from an Azure Function
About
This article describes how to set up a secure network connection from an Azure Function to Azure CosmosDB. Although it uses Azure CosmosDB, the same approach applies to the other Azure PaaS services that support Private Link.
Prerequisites
A Microsoft Azure account and a basic understanding of subscriptions and resource groups
Azure Resources Used
vNet - an Azure Virtual Network used to isolate the PaaS resources
AzureCosmosDB - Microsoft offers the first 1000RU free, which is sufficient for this setup
Azure Functions - the Function App is hosted on an Azure App Service B1 plan
Setup
Azure Virtual Network and Subnets
Create a virtual network and two subnets: one for Azure CosmosDB and one for the Azure Function.
Create a new vNet in the same Resource Group as the PaaS resources. On creation, Azure adds a "default" subnet to the vNet.
Add two subnets under the vNet. Subnets can be added either when the virtual network is created or later, using the "Subnets" tab under the "Settings" section.
Subnet - 1
Added subnet-cosmos with a chosen address range. Optionally, a subnet can be given service endpoint targets, which scope the subnet's service endpoint access to specific resource types. Here it is scoped to Cosmos DB.
Subnet-2
Added subnet-function with a different address range. These are the subnets now present in the virtual network.
Azure CosmosDB
Create a sample Azure CosmosDB account with a sample document for testing, and add a private endpoint connection.
This assumes there is an active Azure subscription and that a Resource Group has been created.
Azure CosmosDB with the SQL API is used for this exercise. One of the steps in the account creation is Networking, as seen below.
Note that access from the Azure portal and from the local IP is also denied.
Add a private endpoint using the +Add button above, and provide:
a name for the private endpoint;
the virtual network and the subnet created in the previous step.
This configuration blocks public and Azure portal access, so connectivity can now happen only through the configured private endpoint. You can add and view private endpoints in the Networking tab -> Private Access of the Cosmos DB account.
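A practitioner will want to confirm that the account really is locked down to the private endpoint rather than trusting the portal screenshot. The following is an added example, not code from the article: it audits a Cosmos DB account description shaped like the JSON that `az cosmosdb show` returns (public network access, IP firewall rules, virtual network rules and private endpoint connections). The sample account document, the account name and the subscription id are constructed placeholders.

```python
"""Audit the network configuration of a Cosmos DB account.

Added example (not from the article). The input dict is shaped like the JSON
returned by `az cosmosdb show -n <account> -g <rg>`; SAMPLE_ACCOUNT below is
constructed for this example, not captured from a real account.
"""
import json

SAMPLE_ACCOUNT_TEXT = """
{
  "name": "example-cosmos-account",
  "publicNetworkAccess": "Disabled",
  "ipRules": [],
  "isVirtualNetworkFilterEnabled": false,
  "virtualNetworkRules": [],
  "privateEndpointConnections": [
    {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.DocumentDB/databaseAccounts/example-cosmos-account/privateEndpointConnections/pe-cosmos",
      "groupId": "Sql",
      "privateLinkServiceConnectionState": {"status": "Approved"}
    }
  ]
}
"""


def load_account(text: str) -> dict:
    """Parse an `az cosmosdb show` style JSON document into a dict."""
    return json.loads(text)


# Parsed once so callers (and tests) do not need to import json themselves.
SAMPLE_ACCOUNT = load_account(SAMPLE_ACCOUNT_TEXT)


def audit_network(account: dict) -> list[str]:
    """Return findings for settings that leave a path other than the private
    endpoint open. An empty list means the account matches the configuration
    the article describes (public and portal access denied, private endpoint
    approved)."""
    findings = []

    if account.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled: public internet "
                        "and portal access remain possible")

    ip_rules = account.get("ipRules") or []
    if ip_rules:
        findings.append(f"{len(ip_rules)} IP firewall rule(s) present: each one is "
                        "an additional path besides the private endpoint")

    if account.get("isVirtualNetworkFilterEnabled") or account.get("virtualNetworkRules"):
        findings.append("virtual network (service endpoint) rules present: they allow "
                        "access from those subnets besides the private endpoint")

    approved = [
        pe for pe in account.get("privateEndpointConnections") or []
        if (pe.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]
    if not approved:
        findings.append("no approved private endpoint connection: the Function "
                        "would have no path to the account at all")

    return findings


if __name__ == "__main__":
    for finding in audit_network(SAMPLE_ACCOUNT) or ["OK: private endpoint is the only path"]:
        print(finding)
```

To audit a real account, replace `SAMPLE_ACCOUNT_TEXT` with the output of `az cosmosdb show` for your account; the function only reads the fields named above, so extra fields in the real output are ignored.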
Added a database called "ProductCatalog" and a collection "Product" with a sample document. This document will be accessed by the Azure Function.
Azure Function
Create an Azure Function that reaches Azure CosmosDB over a private connection through the virtual network.
Created a sample Azure Function and used the Azure Functions VS Code extension to deploy it as a function app into Azure. Be sure to add a local settings file with the appropriate CosmosDB connection string.
By default, this extension deploys to a free tier App Service Plan. We may have to create an Azure App Service Plan of at least the B1 tier (which supports networking options) and choose it when prompted by the extension.
Once the function app is deployed into Azure, use the Networking tab in the portal to configure inbound and outbound connections.
Inbound traffic is left open to the internet. Under Outbound traffic, click VNet Integration and continue the workflow to choose the subnet "subnet-function" created earlier under the vNet; then save and refresh the connection to check its status.
Voila !! This creates a private network connection between the Azure Function and Azure CosmosDB to fetch the sample data.