Securing Azure Functions for AI Workloads with TLS/SSL

Question

Pulumi · Accepted Answer

To secure an Azure Function for AI workloads with TLS/SSL, you will need to configure your function app to only accept secure connections. Azure Functions automatically provides a *.azurewebsites.net domain with TLS/SSL protection. However, if you want to use a custom domain with your own TLS/SSL certificate, you will need to upload and bind the certificate to your function app and configure your custom domain.

Below is a Pulumi program in Python that creates a function app on Azure with secure TLS/SSL settings. This program will:

1. Create a resource group to hold all related resources for the function app.
2. Create an app service plan, which defines the underlying VM that hosts your function app.
3. Create a storage account, which is required by the function app to manage its state and other functionalities.
4. Create the function app itself with an HTTPS-only setting enabled to enforce TLS/SSL connections.

Note that the program assumes you have already set up your Azure credentials for Pulumi and have an existing TLS/SSL certificate to use with your custom domain.

```python
import pulumi
import pulumi_azure_native as azure_native

# Create a resource group for the function app
resource_group = azure_native.resources.ResourceGroup("my-resource-group")

# Create an app service plan
app_service_plan = azure_native.web.AppServicePlan("my-app-service-plan",
    resource_group_name=resource_group.name,
    kind="FunctionApp",
    sku=azure_native.web.SkuDescriptionArgs(
        name="Y1",  # This defines a consumption plan
        tier="Dynamic",
    ),
    reserved=True  # This is required for Linux plan creation
)

# Create a storage account required by the function app
storage_account = azure_native.storage.StorageAccount("mystorageaccount",
    resource_group_name=resource_group.name,
    sku=azure_native.storage.SkuArgs(
        name=azure_native.storage.SkuName.STANDARD_LRS,
    ),
    kind=azure_native.storage.Kind.STORAGE_V2
)

# Create the function app with HTTPS-only setting
function_app = azure_native.web.WebApp("my-function-app",
    resource_group_name=resource_group.name,
    server_farm_id=app_service_plan.id,
    https_only=True,  # Enforce HTTPS (TLS/SSL)
    site_config=azure_native.web.SiteConfigArgs(
        app_settings=[
            azure_native.web.NameValuePairArgs(name="AzureWebJobsStorage", value=storage_account.primary_connection_string),
            azure_native.web.NameValuePairArgs(name="FUNCTIONS_EXTENSION_VERSION", value="~3"),  # Version of the Functions runtime
            azure_native.web.NameValuePairArgs(name="FUNCTIONS_WORKER_RUNTIME", value="python"),  # Language of the Functions, set to Python
            # Additional settings can be added here as needed.
        ]
    ),
    kind="functionapp",
    location=resource_group.location,
)

pulumi.export("function_app_name", function_app.name)
pulumi.export("default_hostname", function_app.default_host_name)
```

This code will create a new Azure Function App bound to a serverless consumption plan, ensuring you only pay for what you use. The HTTPS-only setting is turned on by default, meaning the function app will only accept secure connections.

If you decide to set up a custom domain with your own TLS/SSL certificates, you can further extend this Pulumi program by handling custom domain registration and certificate binding. To do so, you'll need to have your custom domain and certificate available in Azure, and add the necessary configurations to the `WebApp` resource within the same pulumi program. You can find more details on custom domains and certificates on the [official Azure documentation page](https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate).

Remember to replace placeholder values with your actual resource names and configuration details.