
Add support for --public-network-access for az functionapp config namespace

Open HenryLGatesFoundation opened this issue 2 years ago • 20 comments

There seems to be no way of setting the publicNetworkAccess attribute value (Enabled or Disabled) of the functionapp namespace, neither during creation, nor update (with az functionapp config create|update).

This means that, although we can automate the creation of Function App Inbound Private Endpoints and Function App VNet Integrations, we must go to each Function App and manually disable Public Access to our Function Apps.

Describe the solution you'd like

I'd simply like/expect to be able to run any of the following commands:

  • az functionapp config --name myFA --resource-group myRG --public-network-access enabled

  • az functionapp config --name myFA --resource-group myRG --public-network-access disabled

- OR -

  • az functionapp config --ids myFAID --resource-group myRG --public-network-access enabled

  • az functionapp config --ids myFAID --resource-group myRG --public-network-access disabled

Describe alternatives you've considered

It doesn't exist under "az webapp config set" either.

Additional context

Without this, everyone who wishes to create or manage secure Function Applications must go directly to each resource and toggle this attribute, manually, while the rest of the same page can be updated via the Azure CLI:

[Image: AccessRestriction-Main]

HenryLGatesFoundation avatar Dec 21 '22 02:12 HenryLGatesFoundation

route to CXP team

yonzhan avatar Dec 21 '22 02:12 yonzhan

@HenryLGatesFoundation Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.

navba-MSFT avatar Dec 21 '22 03:12 navba-MSFT

@HenryLGatesFoundation Could you please try the below command?

az resource update -g myRG -n myFA --resource-type Microsoft.Web/sites --set properties.publicNetworkAccess=Enabled

Awaiting your reply.

navba-MSFT avatar Dec 21 '22 04:12 navba-MSFT

Yes, the use of the generic "resource" does work.

HenryLGatesFoundation avatar Dec 21 '22 05:12 HenryLGatesFoundation

@HenryLGatesFoundation Thanks for getting back. Does the above command suffice your requirement or do you still need the CLI command?

navba-MSFT avatar Dec 21 '22 05:12 navba-MSFT

I believe everyone who might run across this post would/should be able to use it. But if you, or the team, could be so kind as to place it in a more intuitive "or correct" namespace for customers, that would be very much appreciated. Is that possible?

HenryLGatesFoundation avatar Dec 21 '22 05:12 HenryLGatesFoundation

@HenryLGatesFoundation Thanks for your reply. For the users who want to achieve this requirement without running the az resource command, they can follow the below steps:

The publicNetworkAccess is exposed as a property in this REST API. So you can run the command like below:

First you need to fetch the existing configurations by running the config show command:

az functionapp config show --name myFA --resource-group myRG --output json > config.json

Then edit the config.json file and update the "publicNetworkAccess" to "Enabled". Then save the file and run the below config set command:

az functionapp config set --name myFA --resource-group myRG --generic-configurations "@.\config.json"

Hope this clarifies.

navba-MSFT avatar Dec 21 '22 08:12 navba-MSFT

Hi @HenryLGatesFoundation. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

ghost avatar Dec 21 '22 08:12 ghost

/unresolve

I understand that you're suggesting we perform a "show", obtain the definition of the function app, make a small modification and essentially perform a PUT when all we really need is to use/set a single flag.

Note: This request is the same as a previously-fulfilled request for a --public-network-access flag found here: https://github.com/Azure/azure-cli/issues/23025.

Can an implementation which is consistent with the aforementioned be implemented in this subsequent case and simply supply the community with the "--public-network-access" flag needed, so that a standard implementation scheme exists (or begins to take shape) across Azure CLI command/namespaces?

In addition to the eventhubs namespace, even the acr namespace has the following (although "--public-network-access" seems more expressive, even more correct):

az acr update --name myContainerRegistry --public-network-enabled false

HenryLGatesFoundation avatar Dec 21 '22 09:12 HenryLGatesFoundation

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Stefanus Hinardi, @Francisco-Gamino.

Issue Details

Author: HenryLGatesFoundation
Assignees: navba-MSFT
Labels:

Web Apps, Service Attention, Functions, customer-reported, needs-team-attention, feature-request, Auto-Assign

Milestone: -

ghost avatar Dec 21 '22 09:12 ghost

@HenryLGatesFoundation Thanks for clarifying your requirement. I am adding the service team to look into your ask.

@Stefanus Hinardi, @Francisco-Gamino Could you please look into this request once you get a chance?

navba-MSFT avatar Dec 21 '22 09:12 navba-MSFT

Adding Functions Az CLI team @amamounelsayed @apawast @kaibocai -- Could you please help with the inquiry above? Thank you.

Francisco-Gamino avatar Dec 21 '22 18:12 Francisco-Gamino

Also interested in this being added - noticed users of the platform are able to create an App Service (web app) but despite setting an Access Restriction in Networking settings, the resource JSON still reports that the flag for publicNetworkAccess is still set to 'null' and therefore fails the validation for the built-in security Azure Policy of 'App Service apps should disable public network access', due to this not evaluating to true:

          {
            "field": "Microsoft.Web/sites/publicNetworkAccess",
            "notEquals": "Disabled"
          }

There's little support for doing this via PowerShell too from what I've seen, and no support for changing this flag in the portal, and is causing many people issues with editing their in-situ web apps.

danielfears avatar Jan 05 '23 09:01 danielfears

I would also like these flags to be added. Are there any updates on this?

curious-toast avatar Jul 16 '23 22:07 curious-toast

It must be updated in two locations simultaneously using az functionapp update:

az functionapp update --resource-group $rg -n $functionAppName --set publicNetworkAccess=Disabled siteConfig.publicNetworkAccess=Disabled --query "{name:name, publicNetworkAccess:publicNetworkAccess, siteConfig_publicNetworkAccess:siteConfig.publicNetworkAccess}"

medbenchohra avatar Aug 31 '23 17:08 medbenchohra
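
Added example, not part of the thread or of Azure CLI: a shell wrapper that runs the two-property `az functionapp update` command from the comment above over a list of apps and confirms that both values read back as Disabled, applying the same `"notEquals": "Disabled"` test as the policy condition quoted earlier (so a null value counts as exposed). The function names and the "resource-group app-name" stdin format are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Needs an authenticated Azure CLI.

# Same test as the policy condition quoted in the thread
# ("notEquals": "Disabled"): null, empty and Enabled all count as exposed.
pna_is_disabled() {
  [ "$1" = "Disabled" ]
}

# Apply the two-property update from the thread to one app, then check the
# values the service returned instead of trusting the exit code alone.
# $1 = resource group, $2 = function app name (hypothetical interface).
disable_public_access() {
  local out site cfg
  out=$(az functionapp update --resource-group "$1" --name "$2" \
        --set publicNetworkAccess=Disabled siteConfig.publicNetworkAccess=Disabled \
        --query "[publicNetworkAccess, siteConfig.publicNetworkAccess]" \
        --output tsv) || { echo "FAIL $1/$2 update rejected"; return 1; }
  # Normalise tab- or newline-separated tsv output to one value per line.
  site=$(printf '%s\n' "$out" | tr '\t' '\n' | sed -n 1p)
  cfg=$(printf '%s\n' "$out" | tr '\t' '\n' | sed -n 2p)
  if pna_is_disabled "$site" && pna_is_disabled "$cfg"; then
    echo "OK $1/$2"
  else
    echo "FAIL $1/$2 site=${site:-null} siteConfig=${cfg:-null}"
    return 1
  fi
}

# Read "<resource-group> <app-name>" pairs on stdin; return non-zero if any
# app is not confirmed Disabled afterwards, so a pipeline step can fail on it.
disable_all() {
  local rg name failed=0
  while read -r rg name; do
    [ -n "$rg" ] || continue
    disable_public_access "$rg" "$name" </dev/null || failed=$((failed + 1))
  done
  echo "$failed app(s) not confirmed Disabled"
  [ "$failed" -eq 0 ]
}
```

Source the file and feed it pairs, for example `printf 'myRG myFA\n' | disable_all`; the non-zero exit status is what a deployment job should gate on.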

Any update? Would be very useful to have this option when creating a function app. Thanks

r300mrg avatar Apr 30 '24 10:04 r300mrg

az functionapp update/az resource update don't help when Deny Public Network Access policies prevent creating the function, it's a really bad workaround imo.

vladiliescu avatar May 15 '24 12:05 vladiliescu