How to hide Azure Function URL?

Question

So I just created an Azure Function that is triggered by Azure Blob Storage upload. There is no HTTP trigger.

• Why does this app have a PUBLIC-FACING URL?
• How do I disable it?
• Is there any kind of security mitigation needed?

https://fa06192020test8.azurewebsites.net (deleting soon, so hit it now!)

I don't want anything visible to the outside world.

Answer 1

• It's the standard welcome page for Azure Functions
• You can disable it by setting AzureWebJobsDisableHomepage app setting value to true. However, you will still see a response when you hit the URL on the browser.
• From a web perspective: not really. However, you always need to store your connection string in a secure place. For example, you shouldn't store your blob storage connection string in json file in your code. Obviously it's so hard to penetrate your FTP and get your JSON file, but still not secure. You can use Azure portal to set environment variables for the connection string. But still not the securest. You can have a look to the Azure KeyVault https://learn.microsoft.com/en-us/azure/key-vault/ and Managed Service Identity https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview if you really really want to build secure Azure Functions on your high-level ops (Let's say you're parsing some government, PCI, PHI, PII data)

Since it's only Azure Blob Trigger Azure Functions, if you don't expose your azure functions URL to the Internet, nobody would predict your Azure Functions URL. Even if they predict, the above mentioned things would be still applied. So don't worry! :)

P.S. You can't (and also shouldn't) hide/remove the .azurewebsites.net URL. It's using everywhere. From deploying your code to the health checks. It's everywhere. Also, you should create HealthChecks via Application Insights as well to check whether your function is health or not.