I have a serverless application in which Azure Function Apps interact with Cosmos DB. I want to segregate the web apps from the logic and ensure the database will interact only with the logic part, using a Network Security Group and an Application Security Group.
My understanding is that NSGs (Network Security Groups) and ASGs (Application Security Groups) work only with VMs, and a serverless app doesn't have any assigned VM.
How can I ensure the serverless app follows the above architecture?
In the Elastic Premium or above tiers of Function Apps you can integrate them with a VNET. With this you can ensure traffic to your CosmosDB comes from a vnet and protect it accordingly.
More here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options
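The setup described in the answer, as an added Bicep example that is not part of the original answer: the Function App is integrated with a subnet, and the Cosmos DB account accepts traffic only from that subnet. It assumes the Function App already exists on an Elastic Premium plan; resource names, address ranges and API versions are assumptions.

```bicep
// Added example; names, address ranges and API versions are assumptions.
param location string = resourceGroup().location
param functionAppName string   // existing Function App on an Elastic Premium plan
param cosmosAccountName string

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-logic'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-functions'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // Delegation required for regional VNet integration of the Function App.
          delegations: [
            { name: 'functions', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
          // Service endpoint lets Cosmos DB recognise traffic from this subnet.
          serviceEndpoints: [ { service: 'Microsoft.AzureCosmosDB' } ]
        }
      }
    ]
  }
}

resource funcApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: functionAppName
}

// Route the Function App's outbound traffic through the subnet.
resource vnetIntegration 'Microsoft.Web/sites/networkConfig@2022-09-01' = {
  parent: funcApp
  name: 'virtualNetwork'
  properties: {
    subnetResourceId: vnet.properties.subnets[0].id
    swiftSupported: true
  }
}

resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: cosmosAccountName
  location: location
  properties: {
    databaseAccountOfferType: 'Standard'
    locations: [ { locationName: location, failoverPriority: 0 } ]
    // With the filter off, the account is reachable from any network.
    isVirtualNetworkFilterEnabled: true
    virtualNetworkRules: [ { id: vnet.properties.subnets[0].id } ]
  }
}
```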