Private Function Apps in Azure Government using App Service Environment (ASE)


Azure Functions is a platform for deploying serverless functions in a variety of different languages. It is easy to create APIs without having to worry about the underlying architecture and compute resources. In spite of the many advantages, they are not so easy to use for Government applications because they have a public endpoint that represents a potential attack surface and may be in conflict with Trusted Internet Connection (TIC) rules. The problems mirror the issues for public Web Apps; I have discussed this in some detail in a previous blog post.

Azure App Service Environment (ASE) is now available in Azure Government. I have written about the many advantages of ASE for Government Web Apps. Since App Service is the foundation of Azure Functions, it seems obvious to use an ILB ASE for hosting private Azure Functions in Azure Government. In this blog post, I will demonstrate that this is indeed possible and also show a few tricks to get it all working.

To follow along, you will need an ILB ASE deployed. You can use either Azure Commercial or Azure Government. I have posted an ASE template on GitHub, which you can use to get started. In addition to the ASE, you will need a VM on the same virtual network (or one that is peered) as the ASE. You can use my ASE DevOps template as inspiration or simply deploy a new VM into the same virtual network. If you need a wildcard certificate for your ASE, I have some instructions for getting a wildcard certificate using Let's Encrypt. Alternatively, you can use a certificate with several Subject Alternative Name (SAN) entries. It is also an option to use a self-signed certificate, in which case it is important that you import the certificate into your "Trusted Root Certificate Authorities Store" on the VM to avoid any SSL warnings or errors.

The goal is to have a setup as illustrated below:

 

We want an Azure Function App, which can only be access from the virtual network. You can create this Function App in the portal (hit the big plus sign and search for Function App). In the Function App wizard, select an App Service Plan in your ASE or create a new App Service Plan in the ASE and select it. After you have selected an App Service Plan associated with your ASE, you will see the domain suffix of the function app change to the domain name of your ILB ASE:

Once you have created the function app, you need to make sure that you have DNS entries for the app. For example, if your ILB ASE domain name is cloudynerd.us and your app name is function, then you need DNS names for function.cloudynerd.us and function.scm.cloudynerd.us. If you are adding this to your hosts file, it would look something like:

10.0.1.11 function.cloudynerd.us
10.0.1.11 function.scm.cloudynerd.us

When you access the functions through the portal, you should now be able to add new functions and edit them in the portal. Here you see an example of inspecting the functions in an ASE Function App in Azure Government:

It is likely that you will have some problems accessing the functions from the portal. Specifically, it may say "inaccessible" in the Functions menu. If this happens you most likely have one of 4 problems:

  1. Your VM is not on the virtual network, e.g. you are trying to do this from your laptop.
  2. The DNS entries are missing either from your hosts file or your DNS server if you have a DNS server on the virtual network.
  3. The SSL certificate is not trusted. See above.
  4. The portal functions site is not listed in the CORS rules of your Function App.

If you are wondering which of the problems you are having, use the "Developer Tools" of your browser to look for error messages related to accessing the Kudu console of your Function App. The first three of the problems we have covered but the last one is a bit trickier. At the time of writing this blog post, the URL of the page requesting access to the Kudu console of your function app is https://functions-usgov-iowa.azurewebsites.us in Azure Government, but this site is not added to the CORS rules when you create a new Function App and you will get access denied. You can easily add that manually:

UPDATE 2018-4-01:Per comments by Mike Hacker, for functions in usgovtexas, you will also need to add: https://functions-usgov-texas.azurewebsites.us and https://functions.ext.azure.us. They have been added to the template mentioned below.

I have also created a template that will set up the Function App correctly for you. You can find it here. To use the template instead, you can create the ASE Function App from PowerShell with:

$asp = Get-AzureRmAppServicePlan -ResourceGroupName "RG-FOR-ASE-ASP" -Name "ASP-NAME"
 
$templateParameters = @{
     "appName" = "mihansenapp1"
     "appServicePlanId" = $asp.Id
}

New-AzureRmResourceGroupDeployment -ResourceGroupName "functionapp" `
-TemplateUri https://raw.githubusercontent.com/hansenms/iac/master/primitives/functionapp.json `
-TemplateParameterObject $templateParameters

And that's it, you now have private Azure Functions in Azure Government (or Azure Commercial) by leveraging the isolation properties of the ASE. Let me know if you have questions/comments/suggestions.

 

Comments (10)

  1. Mike Hacker says:

    I just completed these steps today using the US Gov Texas region. I had to add the following two URLS to CORS to get the portal UI to work correctly: https://functions-usgov-texas.azurewebsites.us and https://functions.ext.azure.us

    1. Thanks Mike. I have updated the post and also updated the template for the function. If anybody has any other URLs that should be added, let me know.

    2. I’m running an ILB-based ASE over in USGov Virginia, and I had the issue with Functions where it was reporting back “Inaccessible”. I stumbled across this post, added https://functions-usgov-virginia.azurewebsites.us and https://functions.ext.azure.us to the CORS profile for the Function App. Now the Inaccessible message is gone, but if I click to add a Function, a blank page is rendered. After enabling Dev Tools in the browser, I see that a 403 Forbidden is returned. on https://functionapp.ase-host.domain.com/api/functions. Any ideas as to why this is happening?

      1. What kind of certificate do you have on it?

        1. A third party certificate. There are no SSL errors and web apps published to this ASE are working just fine.

          1. My reason for asking is that if this is an internal (PKI, etc.) cert and not a publicly trusted cert from some well know CA, it could be a problem because you don’t (can’t at the moment) add the full chain to the ASE. This may not be an obvious problem because websites will generally work (the browser will have cached the intermediate certs), but for functions in the portal, it can cause problems. If you have a publicly issues cert, e.g. from DigiCert or Let’s Encrypt or something like that, then this is not the problem.

          2. Yeah, everything seems to be working fine except for portal integration with Function Apps. Any suggestions as to how this can be resolved, then?

          3. It is still not clear from your response if you have a publicly issued cert or an internal cert of some sort. If the latter is the case, then there will be an update to ASE at some point in the future (not too distant hopefully) that will allow you to load the full chain. If you have a publicly issued cert, then I don’t know what the issue is. Could you email me (mihansen AT microsoft.com) and we can see if we can work it offline.

          4. Michael, I responded that I had a third party certificate. I think you may have missed the response. I’ll contact you via e-mail–thanks!

        2. Michael, thanks again for taking the time to talk through the issue. As discussed, everything on our ASE was configured correctly. As it turns out, the Virginia ASE environment needed a patch in order for portal integration to work. It appears they have patched it, because Logic apps on the ASE are now integrated in to the portal. The CORS additions are still required, of course. They should probably patch again and insert those URLs so that users of the ASE don’t have to take those steps manually every time a Function app is created. Looks like they’re already pushing in Commercial URLs in to the CORS settings in the Gov environment.

Skip to main content