feat: Restrict API to Private Access #2209

Open
Priyanka-Microsoft wants to merge 5 commits into Azure-Samples:dev from Priyanka-Microsoft:psl-us-41323

@Priyanka-Microsoft
Contributor

Purpose

  • ...
    This pull request introduces support for secure, private-only networking for the backend Function App when running in container hosting mode with WAF enabled. It ensures the Function App is only accessible via private endpoints, except during deployment, when public access is temporarily enabled to allow deployment tools to function. The changes also clarify deployment behaviors for both container and code hosting models, and add supporting scripts and documentation.

Infrastructure and Networking Enhancements:

  • The Function App is now configured for private-only access (publicNetworkAccess=Disabled and private endpoint with DNS) when enablePrivateNetworking=true and AZURE_APP_SERVICE_HOSTING_MODEL=container. Public access is temporarily enabled during deployment and restored to private-only after. [1] [2] [3] [4]
  • Added privatelink.azurewebsites.net DNS zone and related indexing to support the Function App’s private endpoint. [1] [2] [3] [4]

Deployment Automation:

  • Added predeploy and postdeploy hooks in azure.yaml to run new scripts that toggle Function App public network access before and after deployment, ensuring deployments succeed while maintaining private-only access outside of deployment windows. [1] [2]
  • Introduced cross-platform scripts (scripts/function_network_toggle.ps1 for Windows, scripts/function_network_toggle.sh for POSIX) that safely enable/disable public access only when required and only for container hosting. [1] [2]

Documentation Updates:

  • Updated README.md and docs/LOCAL_DEPLOYMENT.md to explain the new WAF/private networking deployment flow, including differences between container and code hosting models, and what to expect regarding network access during deployment and at runtime. [1] [2]

These changes improve security and compliance for deployments requiring private networking, while maintaining a smooth deployment experience.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information
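
The predeploy/postdeploy toggle described in this pull request, sketched as an added example that is not the PR's `scripts/function_network_toggle.sh`: it maps each hook phase to a `publicNetworkAccess` value, reads the setting back after the update, and offers a check that fails if the Function App was left publicly reachable. `ENABLE_PRIVATE_NETWORKING`, `FUNCTION_APP_NAME` and `RESOURCE_GROUP` are assumed variable names.

```shell
#!/bin/sh
# Added example, not the PR's scripts/function_network_toggle.sh.
# Assumed (hypothetical) inputs: ENABLE_PRIVATE_NETWORKING, FUNCTION_APP_NAME,
# RESOURCE_GROUP. AZURE_APP_SERVICE_HOSTING_MODEL is the variable named in the PR.

# The toggle applies only to private networking with container hosting.
needs_toggle() {
  [ "${ENABLE_PRIVATE_NETWORKING:-false}" = "true" ] &&
    [ "${AZURE_APP_SERVICE_HOSTING_MODEL:-}" = "container" ]
}

# Map the hook phase to the publicNetworkAccess value it should leave behind.
desired_state() {
  case "$1" in
    predeploy)  echo "Enabled" ;;
    postdeploy) echo "Disabled" ;;
    *) echo "unknown phase: $1" >&2; return 2 ;;
  esac
}

# Read the live setting from Azure Resource Manager.
current_state() {
  az resource show --resource-group "$RESOURCE_GROUP" --name "$FUNCTION_APP_NAME" \
    --resource-type "Microsoft.Web/sites" \
    --query "properties.publicNetworkAccess" --output tsv
}

# Set the state for a phase, then confirm the change actually took effect.
apply_toggle() {
  needs_toggle || { echo "skip"; return 0; }
  want="$(desired_state "$1")" || return 2
  : "${FUNCTION_APP_NAME:?required}" "${RESOURCE_GROUP:?required}"
  az resource update --resource-group "$RESOURCE_GROUP" --name "$FUNCTION_APP_NAME" \
    --resource-type "Microsoft.Web/sites" \
    --set "properties.publicNetworkAccess=$want" --output none || return 1
  got="$(current_state)"
  [ "$got" = "$want" ] || { echo "expected $want, found $got" >&2; return 1; }
  echo "$want"
}

# Standalone check for CI or a scheduled job: fail if the app was left public.
assert_private() {
  needs_toggle || return 0
  [ "$(current_state)" = "Disabled" ]
}

if [ "$#" -gt 0 ]; then apply_toggle "$1"; fi
```

Running `assert_private` outside the deployment hooks catches the case where the postdeploy step never ran and the temporary public access was never reverted.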
