Learn how to configure network access for Azure Function Apps to deny inbound access from specific subnets and restrict outbound internet access using access restrictions, private endpoints, and virtual network integration.
Question
You have an Azure subscription that contains the virtual networks shown in the following table.
Name | Description |
---|---|
VNet1 | Contains two subnets named Subnet1 and Subnet2 |
VNet2 | Contains one subnet named Subnet3 that has an associated network security group (NSG) named NSG1 |
NSG1 rules restrict access to the internet from Subnet3.
The subscription contains the function apps shown in the following table.
Name | Description |
---|---|
App1 | Uses an App Service plan in the Premium pricing tier |
App2 | Uses an App Service plan in the Premium pricing tier and has virtual network integration with VNet2 |
Virtual network integration has the default settings.
You need to configure network access for App1 and App2 to meet the following requirements:
- Deny inbound access to App1 from Subnet1 and allow inbound access from Subnet2.
- Deny outbound access from App2 to the internet.
What should you do for each requirement? To answer, select the appropriate options in the answer area.
Deny inbound access to App1 from Subnet1 and allow inbound access from Subnet2:
Configure a private endpoint for App1
Configure access restrictions for App1
Configure virtual network integration with VNet1 for App1
Deny outbound access from App2 to the internet:
Configure access restrictions for App2
Deploy App2 to an App Service Environment
Enable Route All for the App2 virtual network integration with VNet2
Answer
Deny inbound access to App1 from Subnet1 and allow inbound access from Subnet2: Configure access restrictions for App1
Deny outbound access from App2 to the internet: Enable Route All for the App2 virtual network integration with VNet2
Explanation
To meet the requirements for App1 and App2, you should do the following:
Deny inbound access to App1 from Subnet1 and allow inbound access from Subnet2:
Configure access restrictions for App1
To restrict inbound access to App1 by source subnet, configure access restrictions under the function app's Networking settings. Access restrictions are an ordered allow/deny list evaluated by priority, and a rule can match a public IP address range, a virtual network subnet, or a service tag. A subnet rule identifies traffic by the subnet it comes from rather than by IP address, which requires the Microsoft.Web service endpoint to be enabled on that subnet; traffic from a subnet without the endpoint reaches the app through a public address and the subnet rule never matches it.
In this case, add a Deny rule whose source is Subnet1 of VNet1 and an Allow rule whose source is Subnet2 of VNet1. Once the first rule exists, access restrictions apply an implicit Deny all to every source that no rule matches, so the Allow rule for Subnet2 alone already blocks Subnet1; the explicit Deny rule makes the intent visible and, at a higher priority, keeps blocking Subnet1 even if broader Allow rules are added later. Inbound traffic to App1 is then denied from Subnet1 and allowed from Subnet2.
Deny outbound access from App2 to the internet:
Enable Route All for the App2 virtual network integration with VNet2
To deny outbound internet access for App2, enable the Route All option on its existing virtual network integration with VNet2.
When Route All is disabled, only traffic to private (RFC 1918) addresses is routed into the integrated subnet; internet-bound traffic leaves directly from the app's shared outbound IP addresses, never passes through Subnet3, and is therefore invisible to NSG1. With Route All enabled, all outbound traffic from the function app is sent into VNet2 through Subnet3, where NSG1's outbound rules are applied. Because NSG1 already restricts Subnet3's access to the internet, enabling Route All extends that restriction to App2. One consequence to plan for: App2's own dependencies, such as the storage account behind AzureWebJobsStorage, now also leave through Subnet3 and must either be permitted by NSG1 (for example with a higher-priority Allow rule for the Storage service tag) or be reached through a private endpoint inside VNet2, otherwise the function runtime itself breaks.
The other options do not satisfy the requirement: access restrictions govern inbound traffic only, and deploying to an App Service Environment changes the hosting model rather than the outbound routing of App2's existing plan.
By configuring access restrictions for App1 and enabling Route All for App2’s virtual network integration, you can precisely control the inbound and outbound network access for the function apps based on subnets and NSG rules, meeting the specified security requirements.
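The following Bicep is an added example, not part of the original question or its answer key, showing both answers as infrastructure-as-code so that the properties the portal toggles are visible. The names VNet1, Subnet1, Subnet2, VNet2, Subnet3, App1 and App2 come from the question; the plan name, the storage connection string, the address spaces implied by the existing resources and the API versions are assumptions. The virtual networks, NSG1 and the App Service plan already exist in the scenario, so they are referenced rather than created.

```bicep
// Added example (not from the original Q&A): both answers as Bicep, so the
// settings the portal toggles are visible. VNet1/Subnet1/Subnet2, VNet2/Subnet3,
// App1 and App2 are the question's names; the plan name, storage connection
// string and API versions are assumed. The VNets, NSG1 and the plan already
// exist in the scenario, so they are referenced rather than created.
param location string = resourceGroup().location
param planName string = 'plan-premium'   // assumed name of the existing Premium plan
@secure()
param storageConnectionString string      // assumed; every function app needs one

resource plan 'Microsoft.Web/serverfarms@2022-09-01' existing = { name: planName }

// Subnet1 and Subnet2 must have the Microsoft.Web service endpoint enabled;
// without it App1 sees their traffic arriving from a public IP and the
// subnet rules below never match.
var subnet1Id = resourceId('Microsoft.Network/virtualNetworks/subnets', 'VNet1', 'Subnet1')
var subnet2Id = resourceId('Microsoft.Network/virtualNetworks/subnets', 'VNet1', 'Subnet2')
var subnet3Id = resourceId('Microsoft.Network/virtualNetworks/subnets', 'VNet2', 'Subnet3')

var commonSettings = [
  { name: 'AzureWebJobsStorage', value: storageConnectionString }
  { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
]

// Requirement 1 (inbound): access restrictions, evaluated lowest priority first.
// The explicit Deny for Subnet1 mirrors the question; the default action of
// Deny already blocks every source that no Allow rule matches, Subnet1 included.
resource app1 'Microsoft.Web/sites@2022-09-01' = {
  name: 'App1'
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      appSettings: commonSettings
      ipSecurityRestrictionsDefaultAction: 'Deny'
      ipSecurityRestrictions: [
        { name: 'DenySubnet1', priority: 100, action: 'Deny', vnetSubnetResourceId: subnet1Id }
        { name: 'AllowSubnet2', priority: 200, action: 'Allow', vnetSubnetResourceId: subnet2Id }
      ]
    }
  }
}

// Requirement 2 (outbound): keep the existing integration with Subnet3 and turn
// on Route All. Without it only RFC 1918 destinations are routed into VNet2 and
// internet-bound traffic leaves from the app's shared outbound IPs, never
// touching NSG1. With it, every outbound packet is subject to NSG1's rules.
resource app2 'Microsoft.Web/sites@2022-09-01' = {
  name: 'App2'
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: subnet3Id   // regional VNet integration into Subnet3
    siteConfig: {
      appSettings: commonSettings
      vnetRouteAllEnabled: true         // the "Route All" toggle in the portal
    }
  }
}
```

After deployment, `az functionapp config access-restriction show --name App1 --resource-group <rg>` lists the two subnet rules, and `az functionapp config show --name App2 --resource-group <rg> --query vnetRouteAllEnabled` should report `true`. Remember that with Route All on, App2's storage account traffic also passes Subnet3, so NSG1 needs a higher-priority Allow for the Storage service tag or the account needs a private endpoint in VNet2, otherwise the deny-internet rule takes the function runtime down along with the traffic you meant to block.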