
Azure Python Time Trigger Functions: Manage File Transfer - Part Two

Secure traffic by Private endpoint


Multi-Cloud & DevOps Engineer experience in enterprise and FinTech environments, specializing in cloud platforms, DevOps, IaC, and Python with a focus on FinOps, Security, and operational excellence.

Inception

Hello everyone, this article is part of The Azure Series, and here we will continue to update the previous article, Azure Python Time Trigger Functions: Manage File Transfer - A Comprehensive Guide. I use this series to publish Azure projects and knowledge.


Overview

In the previous blog post, we walked through a comprehensive implementation of managed file transfer between Blob containers using a scheduled Time Trigger function.

Today's short blog post continues that implementation by securing the network traffic between the Function App and the Storage account with a VNet private endpoint: the Azure Storage account is configured to accept only traffic coming from a specific VNet, and the Function App's outbound traffic is configured to land on the configured VNet subnet.

The architecture diagram below explains this in more detail.

What is a private endpoint?

A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint, you're bringing the service into your virtual network.

The service could be an Azure service such as:

  • Azure Storage

  • Azure Cosmos DB

  • Azure SQL Database

  • Your own service, using Private Link service.[1]

[1] What is a private endpoint? - Azure Private Link | Microsoft Learn

In other words, a private endpoint opens a private tunnel to a service (e.g. a Storage account) using VNet private IPs; once that tunnel is created, you still need privileged access to the service in order to use it.

Hence, a private endpoint only creates the tunnel. To successfully knock on the service door at the other end of that tunnel and have it open, you must also have sufficient access, for example through a managed identity.

Azure supports private endpoints for multiple services, as mentioned above.


Solution Implementation update

Create a VNet

First and foremost, let's create a very basic VNet with a default subnet:

  1. Open the Azure Portal.

  2. Navigate to Virtual Networks, then Create.

  3. Specify the same resource group that includes the Function App and the storage account.

  4. For the VNet name, set “eraki_eastus_vnet_1001”.

  5. Next, Review + Create.

Update Storage account Networking

  1. Open the Azure Portal.

  2. Navigate to the Storage account, then Networking under the Security + Networking section.

  3. Next, check “Enabled from selected virtual networks and IP addresses”.

  4. Next, under Virtual networks, select “Add existing virtual network”, then select the VNet created above.

  5. Next, under Firewall, check “Add your public IP” so that you keep access to the storage account from your own machine.

  6. Save.

That will create a default private endpoint; check it by navigating to “Private endpoint connections” in the tab above.

Update Function App Networking

Let's link the Function App's traffic to the created private endpoint.

  1. Open the Azure Portal.

  2. Navigate to the Function App, then Networking under the Settings section.

  3. Next, specify the created VNet and its default subnet for “Virtual network integration” under “Outbound traffic configuration”.

💡 Because our function is based on a scheduled Time Trigger, the traffic is initiated by the function itself, so the traffic to the storage account is always outbound.

Now check the function by executing it; it should run successfully through the integrated VNet.
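The same three portal procedures as an Azure CLI script, added here as an example that is not part of the original post. Only the VNet name comes from the post; the resource group, storage account, function app and admin IP are assumed placeholders, and `DRY_RUN=1` prints the plan instead of calling `az`.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: Azure CLI equivalent of the portal
# steps above. Only the VNet name comes from the post; other names are assumed.
set -eu

RG="${RG:-eraki-rg}"                     # assumed resource group of both resources
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-eraki_eastus_vnet_1001}"   # VNet name used in the post
SUBNET="${SUBNET:-default}"
STORAGE="${STORAGE:-erakistorage1001}"   # assumed storage account name
FUNCAPP="${FUNCAPP:-eraki-func-1001}"    # assumed function app name
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"     # your own public IP (placeholder value)

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: VNet with a default subnet. The subnet needs the Storage service endpoint
# for the storage rule and the Microsoft.Web/serverFarms delegation for integration.
create_vnet() {
  run az network vnet create --resource-group "$RG" --location "$LOCATION" \
    --name "$VNET" --address-prefix 10.10.0.0/16 \
    --subnet-name "$SUBNET" --subnet-prefix 10.10.1.0/24
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --service-endpoints Microsoft.Storage \
    --delegations Microsoft.Web/serverFarms
}

# Step 2: allow the subnet and your own IP, then deny everything else. The rules
# only take effect once the default action is Deny ("selected networks" in the portal).
restrict_storage() {
  run az storage account network-rule add --resource-group "$RG" \
    --account-name "$STORAGE" --vnet-name "$VNET" --subnet "$SUBNET"
  run az storage account network-rule add --resource-group "$RG" \
    --account-name "$STORAGE" --ip-address "$ADMIN_IP"
  run az storage account update --resource-group "$RG" --name "$STORAGE" \
    --default-action Deny
}

# Step 3: send the function's outbound traffic through the subnet
# (VNet integration is not offered on every hosting plan).
integrate_function() {
  run az functionapp vnet-integration add --resource-group "$RG" \
    --name "$FUNCAPP" --vnet "$VNET" --subnet "$SUBNET"
}

configure_private_access() { create_vnet; restrict_storage; integrate_function; }

if [ "${APPLY:-0}" = "1" ]; then configure_private_access; fi
```

Run with `DRY_RUN=1 APPLY=1 sh script.sh` to review the commands, then `APPLY=1` against a logged-in `az` session; the `--default-action Deny` step is what actually closes the account to the public internet, so verify it is present before applying.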


Resources


That's it: very straightforward and very fast 🚀. I hope this article inspired you, and I would appreciate your feedback. Thank you.