Control Your Azure Functions Securely Through Azure API Management

• In Azure API Management, you first have to create a new API.

• Create a new operation, which I called in my example “Start Invoicing”

• Create an inbound policy to point to the Azure Resource Manager endpoint that allows to start/stop your Azure Function (Web App). Leverage the Authenticate with managed identity policy, to gracefully authenticate against the Azure Resource Manager.

<inbound>
<base />
<set-backend-service base-url=”https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{functionAppName}” />
<rewrite-uri template=”/start?api-version=2016-08-01″ copy-unmatched-params=”false” />
<authentication-managed-identity resource=”https://management.azure.com/” ignore-error=”false” />
</inbound>

• The authentication will only work if you enable Managed Service Identity on your API Management instance.

• To ensure that your API Management instance has the rights to start/stop the Azure Function, you have to navigate to the Access control tab of the Function App.

• Over here, you can give the Managed Service Identity of your API Management instance the required access rights to start/stop your Azure Function.

• Try out the API operation…

• …and see that your Azure Function started successfully!

This is just a simple example of how you can use Azure API Management’s Managed Service Identity to authenticate against the Azure Management API. This approach allows really nice scenarios. All of this is done in a secure manner, if you don’t forget to secure your API Management frontend.

Cheers,
Toon