Governance Policies Azure Web Functions - Azure/az-prototype GitHub Wiki
Governance policies for Functions
Domain: azure-web
| Name | Description |
|---|---|
| Function App with managed identity and Key Vault references | Standard Function App deployment with identity-based storage, Key Vault secret references, and monitoring |
| Description | Instead |
|---|---|
| Do not store connection strings in Function App Settings as plaintext | Use Key Vault references: @Microsoft.KeyVault(SecretUri=...), resolved at runtime by the app's managed identity, which needs secret read access on the vault |
| Do not use Consumption plan when VNet integration is required | Use Premium plan (EP1+), Flex Consumption, or an App Service plan for VNet-integrated functions |
| Do not use in-process model for C# functions | Use the isolated worker model with Microsoft.Azure.Functions.Worker.Sdk and FUNCTIONS_WORKER_RUNTIME=dotnet-isolated |
- Azure Functions security
- Functions networking options
- Functions isolated worker model
- WAF: Azure Functions service guide
- Functions error handling and retries
- Functions reliability
| Check | Severity | Description |
|---|---|---|
| AZ-FN-001 | Required | Create Azure Functions app with HTTPS-only, TLS 1.2, managed identity, and Key Vault references |
| AZ-FN-002 | Required | C# Azure Functions must use the isolated worker model (not in-process) |
| AZ-FN-003 | Recommended | Use Consumption plan for event-driven, variable workloads; Premium for VNet or sustained load |
| AZ-FN-004 | Recommended | Enable Application Insights for function monitoring and distributed tracing |
| AZ-FN-005 | Recommended | Use durable functions or Service Bus for long-running orchestrations |
| AZ-FN-006 | Recommended | Use Premium plan (EP1+) or Flex Consumption when VNet integration is required |
| AZ-FN-007 | Recommended | Enable availability zone support for critical function apps |
| AZ-FN-008 | Recommended | Configure automatic retries for transient errors on function triggers |
| AZ-FN-009 | Recommended | Enable diagnostic settings to Log Analytics workspace |
Create Azure Functions app with HTTPS-only, TLS 1.2, managed identity, and Key Vault references
Severity: Required
Rationale: HTTPS-only and a TLS 1.2 minimum (siteConfig.minTlsVersion) prevent cleartext transmission; a managed identity replaces stored credentials for storage and Key Vault access; Key Vault references keep secrets out of app settings, which are visible to anyone who can read the site configuration
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Web/sites
C# Azure Functions must use the isolated worker model (not in-process)
Severity: Required
Rationale: The in-process model has an announced end of support; the isolated worker model runs functions in a separate process, decoupling the app's .NET version and dependencies from the Functions host, and is the supported model going forward (FUNCTIONS_WORKER_RUNTIME=dotnet-isolated)
Agents: cloud-architect, app-developer, csharp-developer, python-developer, terraform-agent, bicep-agent
- Microsoft.Web/sites
Use Consumption plan for event-driven, variable workloads; Premium for VNet or sustained load
Severity: Recommended
Rationale: Consumption plan scales to zero and incurs no compute charge at idle (the backing storage account still bills) at the cost of cold starts; Premium (EP1+) provides VNet integration and pre-warmed instances for sustained load
Agents: cloud-architect, cost-analyst
- Microsoft.Web/sites
Enable Application Insights for function monitoring and distributed tracing
Severity: Recommended
Rationale: Functions are inherently distributed — observability is critical for debugging
Agents: cloud-architect, terraform-agent, bicep-agent, monitoring-agent, app-developer, csharp-developer, python-developer
- Microsoft.Web/sites
Use durable functions or Service Bus for long-running orchestrations
Severity: Recommended
Rationale: On the Consumption plan an execution defaults to a 5-minute timeout (functionTimeout in host.json, 10 minutes maximum), and HTTP-triggered functions on any plan must respond within the 230-second load balancer limit; Durable Functions or a Service Bus-driven workflow break long-running work into checkpointed steps that survive timeouts and restarts
Agents: cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.Web/sites
Use Premium plan (EP1+) or Flex Consumption when VNet integration is required
Severity: Recommended
Rationale: WAF Security: Consumption plan does not support VNet integration or private endpoints; Premium provides private networking with pre-warmed instances and Flex Consumption provides it with always-ready instances, both minimizing cold starts
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Web/sites
Enable availability zone support for critical function apps
Severity: Recommended
Rationale: WAF Reliability: Zone-redundant deployment spreads instances across availability zones so a datacenter-level failure does not take the app down; it is available on Premium, Flex Consumption and Dedicated plans (not Consumption) and requires a minimum instance count
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Web/sites
Configure automatic retries for transient errors on function triggers
Severity: Recommended
Rationale: WAF Reliability: Automatic retries reduce the likelihood of data loss or interruption from transient failures, improving reliability without custom code. Built-in retry policies (fixedDelay, exponentialBackoff) apply only to triggers that support them, such as Timer and Event Hubs; Storage Queue and Service Bus triggers retry through their own delivery counts (maxDequeueCount / MaxDeliveryCount). Because a retry re-runs the function with the same input, handlers must be idempotent, and non-transient errors (bad input, authorization denied) should not be retried at all
Agents: cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.Web/sites
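The retry semantics behind AZ-FN-008, as an added example that is not part of this wiki or the az-prototype project: a dispatcher re-runs a handler on transient failures up to a bounded retry count, propagates permanent failures immediately, and the handler itself is idempotent so a redelivered message does not repeat its side effect. The policy field names mirror the Functions retry policy settings (strategy, maxRetryCount, delayInterval, minimumInterval, maximumInterval); the doubling backoff arithmetic is this example's own assumption, not a statement of how the Functions host computes delays, and the order messages are constructed.

```python
from dataclasses import dataclass, field


class TransientError(Exception):
    """Failure expected to clear on its own (throttling, timeout, lease conflict)."""


class PermanentError(Exception):
    """Failure that retrying cannot fix (malformed input, authorization denied)."""


@dataclass
class RetryPolicy:
    # Names follow the Functions retry policy settings; the backoff formula below is an
    # assumption for illustration, not the host's actual schedule.
    strategy: str = "fixedDelay"
    max_retry_count: int = 3
    delay_interval: float = 1.0
    minimum_interval: float = 1.0
    maximum_interval: float = 30.0

    def delay_for(self, retry_number: int) -> float:
        if self.strategy == "fixedDelay":
            return self.delay_interval
        return min(self.maximum_interval, self.minimum_interval * 2 ** (retry_number - 1))


@dataclass
class Dispatcher:
    """Invokes a handler the way a retrying trigger would: re-run on TransientError, stop otherwise."""
    policy: RetryPolicy
    delays: list = field(default_factory=list)  # recorded instead of sleeping, so this runs instantly

    def dispatch(self, handler, message: dict) -> int:
        attempt = 0
        while True:
            attempt += 1
            try:
                handler(message)
                return attempt  # number of attempts it took, including the first
            except TransientError:
                if attempt > self.policy.max_retry_count:
                    raise  # retries exhausted: surface the failure so the message can be dead-lettered
                self.delays.append(self.policy.delay_for(attempt))
            # PermanentError is not caught: retrying a bad message only delays its dead-lettering


@dataclass
class OrderProcessor:
    """Idempotent handler: a redelivered message (same id) must not ship the order twice."""
    failures_before_success: int = 0  # simulates a dependency that throttles the first N calls
    processed_ids: set = field(default_factory=set)
    shipped: list = field(default_factory=list)
    dependency_calls: int = 0

    def handle(self, message: dict) -> None:
        if message["id"] in self.processed_ids:
            return  # duplicate delivery of work already done
        if message.get("order_id") is None:
            raise PermanentError("message has no order_id")
        self.dependency_calls += 1
        if self.dependency_calls <= self.failures_before_success:
            raise TransientError("downstream throttled")
        self.shipped.append(message["order_id"])
        # Marked after the side effect; a production store would commit shipment and mark together.
        self.processed_ids.add(message["id"])


def run_scenarios() -> dict:
    """Exercise transient retry, duplicate delivery, permanent failure and retry exhaustion."""
    policy = RetryPolicy(strategy="exponentialBackoff", max_retry_count=4,
                         minimum_interval=2, maximum_interval=10)
    proc = OrderProcessor(failures_before_success=2)
    dispatcher = Dispatcher(policy)
    msg = {"id": "m-1", "order_id": "o-42"}            # constructed sample message
    attempts = dispatcher.dispatch(proc.handle, msg)   # two throttled calls, then success
    dispatcher.dispatch(proc.handle, msg)              # redelivered duplicate: nothing shipped again
    try:
        dispatcher.dispatch(proc.handle, {"id": "m-2"})  # no order_id: permanent, no retry
        permanent_retried = True
    except PermanentError:
        permanent_retried = False
    exhausted = OrderProcessor(failures_before_success=10)
    try:
        Dispatcher(RetryPolicy(max_retry_count=2)).dispatch(exhausted.handle, {"id": "m-3", "order_id": "o-7"})
        gave_up_after = None
    except TransientError:
        gave_up_after = exhausted.dependency_calls     # initial attempt plus two retries
    return {"attempts": attempts, "delays": list(dispatcher.delays), "shipped": proc.shipped,
            "permanent_retried": permanent_retried, "gave_up_after": gave_up_after}
```

The split between TransientError and PermanentError is the decision that matters when turning on retries: a retry policy that re-runs every failure turns a poison message into repeated load on the downstream dependency, and a handler without the processed-id check turns every retry into a duplicate side effect.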
Enable diagnostic settings to Log Analytics workspace
Severity: Recommended
Rationale: Captures function execution logs, errors, and performance metrics
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Web/sites
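A policy-as-code evaluator for AZ-FN-001, AZ-FN-002, AZ-FN-006, AZ-FN-007 and AZ-FN-009 plus the plaintext-connection-string anti-pattern, as an added example that is not part of this wiki or the az-prototype project. It walks a list of ARM-style resource dicts and reports each violation with the check id and severity from the table above. The property names it reads (httpsOnly, siteConfig.minTlsVersion, siteConfig.appSettings, identity.type, serverFarmId, virtualNetworkSubnetId on Microsoft.Web/sites; sku.tier and zoneRedundant on Microsoft.Web/serverfarms; workspaceId on Microsoft.Insights/diagnosticSettings) are the ARM ones; the sample resources are constructed, and treating a diagnostic setting's target as a `scope` key is an assumption about the export format.

```python
import re
from dataclasses import dataclass

# Shape of a Key Vault reference in an app setting (resolved at runtime via the app's managed identity).
KV_REF = re.compile(
    r"^@Microsoft\.KeyVault\((?:SecretUri=https://[^\s)]+"
    r"|VaultName=[^;)]+;SecretName=[^;)]+(?:;SecretVersion=[^;)]+)?)\)$"
)
# Substrings that mark a plaintext connection string, account key, password or SAS token.
SECRET_MARKERS = re.compile(r"(AccountKey=|SharedAccessKey=|Password=|sig=)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    message: str


def _tls_at_least(version: str, minimum=(1, 2)) -> bool:
    try:
        return tuple(int(p) for p in version.split(".")) >= minimum
    except ValueError:
        return False


def evaluate(resources: list) -> list:
    """Run the AZ-FN checks over ARM-style resource dicts and return the findings."""
    by_type = {}
    for r in resources:
        by_type.setdefault(r["type"], []).append(r)
    plans = {p["id"]: p for p in by_type.get("Microsoft.Web/serverfarms", [])}
    # Assumption: the export carries each diagnostic setting's target resource id in "scope".
    diag_scopes = {d.get("scope") for d in by_type.get("Microsoft.Insights/diagnosticSettings", [])
                   if d.get("properties", {}).get("workspaceId")}
    findings = []
    for site in by_type.get("Microsoft.Web/sites", []):
        props = site.get("properties", {})
        cfg = props.get("siteConfig", {})
        settings = {s["name"]: s.get("value", "") for s in cfg.get("appSettings", [])}
        plan = plans.get(props.get("serverFarmId"))
        tier = plan.get("sku", {}).get("tier") if plan else None

        def fail(check, severity, msg):
            findings.append(Finding(check, severity, f"{site['name']}: {msg}"))

        # AZ-FN-001: transport security, managed identity, no secrets in app settings
        if not props.get("httpsOnly"):
            fail("AZ-FN-001", "Required", "httpsOnly is not enabled")
        if not _tls_at_least(cfg.get("minTlsVersion", "1.0")):
            fail("AZ-FN-001", "Required", f"minTlsVersion is {cfg.get('minTlsVersion', 'unset')}, need 1.2+")
        if site.get("identity", {}).get("type", "None") == "None":
            fail("AZ-FN-001", "Required", "no managed identity assigned")
        for key, value in settings.items():
            if value.startswith("@Microsoft.KeyVault("):
                if not KV_REF.match(value):
                    fail("AZ-FN-001", "Required", f"app setting {key} is a malformed Key Vault reference")
            elif SECRET_MARKERS.search(value):
                fail("AZ-FN-001", "Required", f"app setting {key} holds a plaintext secret; use a Key Vault reference")
        if "AzureWebJobsStorage" in settings and "AzureWebJobsStorage__accountName" not in settings:
            fail("AZ-FN-001", "Required", "host storage uses a connection string; use AzureWebJobsStorage__accountName")
        # AZ-FN-002: FUNCTIONS_WORKER_RUNTIME=dotnet selects the in-process model
        if settings.get("FUNCTIONS_WORKER_RUNTIME") == "dotnet":
            fail("AZ-FN-002", "Required", "in-process model selected; set FUNCTIONS_WORKER_RUNTIME=dotnet-isolated")
        # AZ-FN-006: VNet integration configured but the plan is Consumption (sku tier Dynamic)
        if props.get("virtualNetworkSubnetId") and tier == "Dynamic":
            fail("AZ-FN-006", "Recommended", "VNet integration needs Premium (EP1+) or Flex Consumption, not Consumption")
        # AZ-FN-007: the hosting plan should be zone redundant
        if plan is not None and not plan.get("properties", {}).get("zoneRedundant"):
            fail("AZ-FN-007", "Recommended", f"plan {plan['name']} is not zone redundant")
        # AZ-FN-009: a diagnostic setting must target this site and send to a Log Analytics workspace
        if site["id"] not in diag_scopes:
            fail("AZ-FN-009", "Recommended", "no diagnostic setting sends logs to a Log Analytics workspace")
    return findings


def checks_failed(resources: list, site_name: str) -> set:
    return {f.check for f in evaluate(resources) if f.message.startswith(site_name + ":")}


# Constructed sample export (not from a real subscription): one non-compliant app, one compliant app.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Web/serverfarms", "id": "/plans/asp-consumption", "name": "asp-consumption",
     "sku": {"name": "Y1", "tier": "Dynamic"}, "properties": {"zoneRedundant": False}},
    {"type": "Microsoft.Web/serverfarms", "id": "/plans/asp-premium", "name": "asp-premium",
     "sku": {"name": "EP1", "tier": "ElasticPremium"}, "properties": {"zoneRedundant": True}},
    {"type": "Microsoft.Web/sites", "id": "/sites/func-bad", "name": "func-bad", "kind": "functionapp",
     "properties": {"httpsOnly": False, "serverFarmId": "/plans/asp-consumption",
                    "virtualNetworkSubnetId": "/subnets/snet-func",
                    "siteConfig": {"minTlsVersion": "1.0", "appSettings": [
                        {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet"},
                        {"name": "AzureWebJobsStorage", "value": "DefaultEndpointsProtocol=https;"
                         "AccountName=stfunc;AccountKey=ZmFrZQ==;EndpointSuffix=core.windows.net"},
                        {"name": "SqlConnection", "value": "Server=tcp:sql.example;Password=hunter2"}]}}},
    {"type": "Microsoft.Web/sites", "id": "/sites/func-good", "name": "func-good", "kind": "functionapp",
     "identity": {"type": "SystemAssigned"},
     "properties": {"httpsOnly": True, "serverFarmId": "/plans/asp-premium",
                    "virtualNetworkSubnetId": "/subnets/snet-func",
                    "siteConfig": {"minTlsVersion": "1.2", "appSettings": [
                        {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet-isolated"},
                        {"name": "AzureWebJobsStorage__accountName", "value": "stfunc"},
                        {"name": "SqlConnection", "value":
                         "@Microsoft.KeyVault(SecretUri=https://kv-func.vault.azure.net/secrets/SqlConnection/)"}]}}},
    {"type": "Microsoft.Insights/diagnosticSettings", "name": "diag-function-app", "scope": "/sites/func-good",
     "properties": {"workspaceId": "/workspaces/law-prod"}},
]
```

Feed it the resources block of a deployment template; when exporting from a live app instead, app settings and siteConfig come back as separate config resources and have to be merged under siteConfig first. Running the non-compliant sample yields six AZ-FN-001 findings (HTTPS, TLS, identity, two plaintext secrets, connection-string host storage) plus one each for AZ-FN-002, 006, 007 and 009; the compliant sample yields none.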
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-function-app | Diagnostic settings for Function App to Log Analytics |