App Service, Functions, Logic Apps + WAF + APIM API Protection
Securing Azure's serverless and platform-as-a-service tier β authentication, network access, and managed-identity patterns for App Service / Functions / Logic Apps, plus Azure Web Application Firewall and API Management back-end API protection.
The platform-services tier in one module
Azureβs PaaS tier β App Service, Functions, Logic Apps β runs huge amounts of production traffic. Each has its own security surface, but the common patterns repeat:
- Authentication (βEasy Authβ) β built-in identity provider integration so apps donβt have to roll their own login. Microsoft Entra ID is the default; can layer additional providers.
- Network access β public access on/off, VNet integration outbound, Private Endpoints inbound, IP restrictions, access restrictions on advanced tiers.
- Managed identity β for outbound auth to Key Vault, Storage, Cosmos, Service Bus, etc. Same pattern as VMs and containers.
- WAF β Azure Web Application Firewall in Application Gateway or Azure Front Door, in front of the app. Inspects HTTP/HTTPS for common attacks (OWASP Top 10 patterns, bot detection).
- API Management β gateway in front of back-end APIs (including AI Gateway from Module 18) for authentication, rate limiting, JWT validation, response filtering.
App Service, Functions, Logic Apps β the common controls
| Control area | What you configure |
|---|---|
| Authentication | App Service Authentication ('Easy Auth') with Microsoft Entra ID as default IdP β gates the app without code changes; can layer Google/Facebook/GitHub/OpenID Connect for B2C-style scenarios |
| Inbound network | Public access on/off; for off β Private Endpoint into a customer VNet (uses `privatelink.azurewebsites.net` DNS zone). IP-based access restrictions can layer in until Private Endpoint is in place |
| Outbound network | VNet integration (regional, into a delegated subnet) β outbound traffic from the app routes through the VNet. Combined with Storage / Key Vault / SQL service endpoints or Private Endpoints, gives controllable outbound posture |
| Identity | System-assigned or user-assigned managed identity for outbound auth to Key Vault, Storage, SQL, Cosmos, Service Bus, etc. |
| TLS | Minimum TLS version (1.2 by default in 2026); HTTPS-only enforced; managed certificates or BYO via App Service Certificate / Key Vault |
| FTP / Kudu | Disable FTP unencrypted, restrict FTPS / SCM access via IP rules β the management surface is a frequent target |
| App Service Environment v3 | Single-tenant isolated environment, fully VNet-integrated, used for regulated workloads requiring tenant isolation at the underlying compute level |
Function-specific notes
- Function-level keys β Functions support function/host/master keys for unauthenticated invocation (the
?code=...query param pattern). The SC-500 right answer for production: disable anonymous functions and use Easy Auth + Entra ID or front the Function with APIM and JWT-validate at the gateway. - Trigger-level identity β for managed-identity-based triggers (Service Bus, Event Hubs, etc.), the Function can authenticate to the trigger source via its own managed identity rather than a connection string.
Logic Apps-specific notes
- Standard plan vs Consumption plan: Standard runs in a Functions-like single-tenant container with managed identity support; Consumption is multi-tenant with fewer security primitives.
- Connectors can use managed identity for many Azure services; for SaaS connectors, OAuth and stored credentials are typical β keep stored creds in Key Vault references.
Azure Web Application Firewall (WAF)
WAF is the inspection layer for HTTP(S) traffic. Two deployment surfaces:
- Application Gateway WAF (regional) β pairs with App Gateway v2 in a customer VNet. Best for apps that already use App Gateway for L7 load balancing and require regional ingress.
- Azure Front Door Premium with WAF (global) β global edge, anycast network, integrated WAF, DDoS protection, Private Link backends. Best for internet-facing apps requiring global distribution.
Rule sets
- Microsoft Default Rule Set (DRS) β Microsoft-curated managed rule set; default starting point.
- OWASP Core Rule Set (CRS) β community-maintained ModSecurity rules; multiple versions available.
- Bot manager rule set β categorises traffic as Good Bot / Bad Bot / Unknown.
- Custom rules β per-WAF rules combining match conditions (IP, geo, header, body, query string) with actions (Allow, Block, Log, Redirect, Rate limit).
Modes
- Detection mode β logs traffic that would be blocked; doesnβt block. Safe rollout.
- Prevention mode β blocks matched traffic. Production.
The βreport-only first, then enforceβ pattern from Conditional Access applies here too.
Azure API Management β back-end API protection
APIM is the policy-driven API gateway. Beyond the AI-specific gateway patterns from Module 18, the general SC-500-tested API protection patterns:
| Protection | APIM policy / pattern |
|---|---|
| API key authentication | Subscription keys per consumer + `validate-subscription-key` policy |
| OAuth 2.0 / JWT validation | `validate-jwt` policy β verifies signature, issuer, audience, scopes/roles, expiry |
| Rate limiting | `rate-limit-by-key` and `quota-by-key` β limits per subscription, per IP, per JWT claim |
| IP filtering | `ip-filter` policy β allow or deny by CIDR |
| Back-end mTLS | `authentication-certificate` policy β APIM presents a client certificate to the back-end |
| Back-end auth via managed identity | `authentication-managed-identity` policy β APIM authenticates to Azure-hosted back-ends (Functions, Logic Apps, etc.) via its own managed identity |
| Request/response transformation | `set-header`, `rewrite-uri`, `set-body` β strip sensitive headers, mask response fields |
| Network isolation | APIM in VNet mode (Internal or External), Private Endpoint support, IP allowlists on developer portal |
| Secrets management | Named values can reference Key Vault secrets (managed identity-based access to KV) |
The 'APIM + Function App + Easy Auth' chain
A common production pattern that shows up in SC-500 scenarios:
- External consumers authenticate to APIM via OAuth 2.0; APIM
validate-jwtpolicy checks token signature, audience, scopes. - APIM applies rate limiting (
rate-limit-by-key) per consumer subscription. - APIM authenticates to the Function App back-end via APIMβs own managed identity (via
authentication-managed-identitypolicy). - The Function App has Easy Auth enabled requiring Microsoft Entra ID; the only acceptable caller is APIMβs managed identity.
- The Function uses its own managed identity to read secrets from Key Vault and write to Cosmos DB.
Result: no stored credentials anywhere in the chain; each hop authenticates via Entra-issued tokens; consumer rate limits enforced at the gateway; back-end Function never directly internet-exposed.
This chain is the SC-500 reference architecture for a secure, observable, governable API.
Scenario: Dom protects an MSSP customerβs payments API
A Kestrel Cyber Co-op customer is exposing a payments API to fintech partners. Dom designs the security stack:
- Application Gateway WAF in front of all ingress, in Prevention mode. Microsoft Default Rule Set + bot manager + custom rules for known-bad CIDRs and country geo-filter.
- Azure API Management behind App Gateway WAF, internal mode (no public IP on APIM itself).
- APIM policies on the payments API:
validate-jwtagainst the customerβs Entra ID β signature, audience, scopepayments.write, expiry.rate-limit-by-keybased on Entra app ID claim β 100 requests / minute / partner;quota-by-key100,000 requests / month / partner.ip-filterallowing only the registered partner IP ranges (defense in depth on top of JWT).authentication-managed-identityto the back-end Function App.
- Function App back-end: Easy Auth with Entra ID, only accepting calls from APIMβs managed identity. VNet-integrated for outbound; Private Endpoint for inbound. Function uses its own managed identity for Key Vault (payment-processor API key) and Cosmos DB (transaction store).
- Defender for App Service plan enabled; combined with Defender for Cloudβs secret scanning to ensure no plaintext leaks.
- WAF logs to Sentinel via diagnostic settings β Dom builds custom detections for high-rate JWT failures, suspicious header patterns, attempted SQL injection in payment fields.
The end-to-end chain: WAF inspects β APIM authenticates and rate-limits β managed-identity to back-end β Easy-Auth-protected Function β managed identity for downstream Azure services. No stored credentials. Every hop attributable. Logs in Sentinel.
Key terms
Knowledge check
Esme at Northwind Bank's public payments API uses Azure Functions behind APIM. She wants APIM to authenticate to the Function App without any stored client secret. Which APIM policy fits?
Ravi at Maple Genomics is deploying a public-facing API and needs WAF protection plus global edge distribution. Which combination fits?
Asha at Aurora Health Service is hardening a Function App that processes inbound patient referrals. Public access must be disabled; the only acceptable callers are an internal APIM instance in the hospital VNet. Which configuration matches?
Domain 3 wrap-up
Eight modules covered:
- 4 AI security modules (the SC-500 differentiator)
- VM hardening (encryption, Bastion, JIT, Trusted Launch, Machine Configuration)
- Defender for Servers + Azure Arc (hybrid + multicloud onboarding)
- Defender for Containers (AKS / ACR / ACI / Container Apps)
- App Service / Functions / Logic Apps + WAF + APIM
Next is Domain 4 β Manage and monitor security posture (20β25%). Six modules: Defender for Cloud CSPM, multicloud + EASM + vulnerability management, Microsoft Sentinel foundations, Sentinel event collection, Sentinel automation and Purview Audit, and Microsoft Security Copilot.