Azure-Functions
Azure-Functions copied to clipboard
Azure
Consumption plan is almost useless without dedicated IP
In Microservices on Azure most people us CosmosDB heavily and it's firewall requires whitelisting IPs.
It is totally not acceptable from security point of view to whitelist all datacentre IPs. That makes azure function consumption plan almost a useless plan. And if we want to put each function in premium plan then:
- we are not serverless, that premium instance is a server. similar to having an app service running all time and pay for it
- expensive. and in that case I use AppService instead of azure function!!
Hi @MhAllan Thank you for your feedback, let us check this internally and we will let you know about the findings!
@Ved2806 I cannot help here, there is nothing related to my involvement with Functions that applies.
Any user trying to connect from an Azure Function to Cosmos DB using any of the SDKs and APIs will run through networking limitations.
The only thing I can see on the Cosmos DB documentation is that you don't need to whitelist all the individual IPs, you can whitelist the Azure datacenters: https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-global-azure-datacenters-or-other-sources-within-azure
@ealsur Thanks for reply, whitelisting all DC is risky, virtual networks require premium, that doesn't much option for consumption plan, so I ended up putting all functions on premium plans.
@MhAllan Does putting all the functions in premium plan solved it? Please let us know if you need anything else. Thanks
@Ved2806 yeah that solves my problems, But we still have the consumption plan very far from being practical as cosmos db is the favourite database for microservices in Azure and usually database should be restricted access by IP filtering and private networks which consumption plan is not able to satisfy.