Virtual Network Integration for Azure Functions Not Enabled
ID: azure-functionapp-vnet-integration-missing
Severity: high
Author: princechaddha
Tags: cloud,devops,azure,microsoft,functionapp,azure-cloud-config
Description
Section titled “Description”To follow Azure networking best practices and securely access cloud resources available within your Azure Virtual Network (VNet), ensure that Virtual Network integration is enabled for your Microsoft Azure Function Apps. With Virtual Network integration, you can restrict your Function App outbound connections to specific, trusted VNets only.
YAML Source
Section titled “YAML Source”id: azure-functionapp-vnet-integration-missinginfo: name: Virtual Network Integration for Azure Functions Not Enabled author: princechaddha severity: high description: | To follow Azure networking best practices and securely access cloud resources available within your Azure Virtual Network (VNet), ensure that Virtual Network integration is enabled for your Microsoft Azure Function Apps. With Virtual Network integration, you can restrict your Function App outbound connections to specific, trusted VNets only. impact: | Lack of Virtual Network integration may lead to insecure access to cloud resources, posing a security risk by allowing outbound connections to non-trusted networks. remediation: | Enable Virtual Network integration for your Azure Function Apps to secure connections to trusted Virtual Networks. reference: - https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options tags: cloud,devops,azure,microsoft,functionapp,azure-cloud-config
flow: | code(1); for (let AppData of iterate(template.functionApps)) { AppData = JSON.parse(AppData); set("name", AppData.name); set("resourceGroup", AppData.resourceGroup); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az functionapp list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'
extractors: - type: json name: functionApps internal: true json: - '.[]'
- engine: - sh - bash source: | az functionapp show --name $name --resource-group $resourceGroup --query 'siteConfig.vnetName' --output json
matchers: - type: word words: - ""
extractors: - type: dsl dsl: - 'name + " does not have Virtual Network Integration enabled"'# digest: 490a004630440220778c6fde3a9c8a69d90c50b005bdd2fedea830911a8b6720ec5f08d579338dea022056111fb3c94b630566bc013b68a12237b4295a35451d07dd20a8e557ad4736f3:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/functions/azure-functionapp-vnet-integration-missing.yaml"