Azure Function apps are assessed for whether they are reachable from the public Internet. The evaluation considers the app's publicNetworkAccess state and the presence of access restrictions or private endpoints to limit inbound traffic.
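The evaluation order described above, written out as an added example (this is illustrative code, not Prowler's own check implementation). The sample records are constructed for the example; their key names mimic the ARM site properties (`publicNetworkAccess`, `ipSecurityRestrictions`, `privateEndpointConnections`) but the values are made up. The handling of an access-restriction rule set follows Azure's documented behaviour: with no rules the app allows all traffic, and once any `Allow` rule exists everything not matched is denied unless an explicit `Allow Any` rule is present.

```python
"""Added example: decide whether an Azure Function app is reachable from the
public Internet, following the three signals the check description names.

Not Prowler's code. Records below are constructed samples whose key names
follow the ARM site properties; the app names and addresses are invented.
"""

# Constructed sample inventory (not real resources).
SAMPLE_APPS = [
    {"name": "fn-open", "publicNetworkAccess": "Enabled",
     "ipSecurityRestrictions": [], "privateEndpointConnections": []},
    # publicNetworkAccess unset plus the platform default "Allow Any" rule.
    {"name": "fn-default-rule", "publicNetworkAccess": None,
     "ipSecurityRestrictions": [
         {"name": "Allow all", "action": "Allow", "ipAddress": "Any",
          "priority": 2147483647}],
     "privateEndpointConnections": []},
    # One Allow rule: Azure applies an implicit deny to everything else.
    {"name": "fn-restricted", "publicNetworkAccess": "Enabled",
     "ipSecurityRestrictions": [
         {"name": "office", "action": "Allow",
          "ipAddress": "203.0.113.0/24", "priority": 100}],
     "privateEndpointConnections": []},
    {"name": "fn-disabled", "publicNetworkAccess": "Disabled",
     "ipSecurityRestrictions": [], "privateEndpointConnections": []},
    {"name": "fn-private-endpoint", "publicNetworkAccess": "Enabled",
     "ipSecurityRestrictions": [],
     "privateEndpointConnections": [{"name": "pe-1"}]},
]

# Values an Allow rule may carry that mean "any source".
ANY_SOURCE = {"Any", "0.0.0.0/0", "::/0"}


def restrictions_block_public(rules):
    """Return True when the rule set does not admit traffic from everywhere.

    No rules at all means the implicit default of Allow Any. If any Allow
    rule matches every source the app is open regardless of other rules;
    otherwise the presence of at least one Allow rule brings Azure's
    implicit deny-all into effect.
    """
    if not rules:
        return False
    for rule in rules:
        action = str(rule.get("action", "Allow")).lower()
        if action == "allow" and rule.get("ipAddress") in ANY_SOURCE:
            return False
    return True


def evaluate(app):
    """Return (status, reason) for one function app record.

    Order mirrors the check description: publicNetworkAccess first, then
    access restrictions, then private endpoints.
    """
    pna = (app.get("publicNetworkAccess") or "Enabled").lower()
    if pna == "disabled":
        return "PASS", "publicNetworkAccess is Disabled"
    if restrictions_block_public(app.get("ipSecurityRestrictions") or []):
        return "PASS", "access restrictions deny unmatched sources"
    if app.get("privateEndpointConnections"):
        # The page lists private endpoints as a limiting control; the
        # remediation still expects publicNetworkAccess to be Disabled.
        return "PASS", "private endpoint present; confirm public access is Disabled"
    return "FAIL", "reachable from the public Internet"


def evaluate_all(apps):
    """Map each app name to its (status, reason) pair."""
    return {app["name"]: evaluate(app) for app in apps}


if __name__ == "__main__":
    for name, (status, reason) in evaluate_all(SAMPLE_APPS).items():
        print(f"{status:4} {name}: {reason}")
```

Run stand-alone, the script prints one line per sample app; the two FAIL rows are the app with no controls at all and the app whose only access-restriction rule is the default `Allow Any`.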
Risk
Public exposure allows unauthorized invocation, risking data disclosure and tampering (confidentiality and integrity). Attackers can brute-force tokens or abuse misconfigurations for remote execution. Unrestricted calls also enable abuse and DoS, driving cost and harming availability.
prowler azure --checks app_function_not_publicly_accessible
Recommendation
Apply network isolation and least privilege:
- Set publicNetworkAccess=Disabled
- Use access restrictions for trusted IPs/VNets or Private Endpoints
- Require strong auth (e.g., Microsoft Entra ID) over shared keys
- Front with API Management/WAF
- Keep secrets in Key Vault and monitor access logs
Remediation
az functionapp update --resource-group <RESOURCE_GROUP> --name <FUNCTION_APP_NAME> --set publicNetworkAccess=Disabled
- In the Azure portal, go to your Function App
- Select Networking
- Under Public access, set Public network access to Disabled
- Click Save
Resource Type
microsoft.web/sites