AppDefender for Azure Functions

Prerequisites

  1. a license key. Get one if you don't have one already.
  2. information about your Azure function:
    1. Azure Functions runtime, e.g. C# .NET 6.0
    2. AppDefender is supported on runtime version 4.x for Linux only, in the languages C#, JavaScript, Java and Python. See our support matrix for more details.
  3. permission to deploy a new version of your function with AppDefender enabled

Configure AppDefender

Install and import library

How you include the AppDefender packages depends on the development and deployment environments you use. Typically you would install the AppDefender dependency locally first, but remote or CI/CD options are also supported. Sample installation steps are shown below. Make sure to replace the version numbers below with the latest.

Node.js

  1. install the AppDefender npm package, which updates the package.json file. See Azure documentation for more details.
    package.json
    {
      "main": "index.js",
      "dependencies": {
        ...
        "@extrinsec/appdefender": "latest"
      }
    }
  2. import AppDefender in your function entry point script/scriptFile, e.g.
    index.js
    const appdefender = require('@extrinsec/appdefender');

Python

  1. install the AppDefender Python package, which updates the requirements.txt file. See Azure documentation for more details.
    requirements.txt
    appdefender
  2. import AppDefender in your function entry point script/scriptFile, e.g.
    main.py
    import appdefender

Java

  1. update your project configuration file for your build system to include the AppDefender Java package. See Azure documentation for more details. Sample Maven pom.xml file shown below:

    pom.xml
    <dependencies>
      <dependency>
        <groupId>com.extrinsec</groupId>
        <artifactId>appdefender</artifactId>
        <version>0.4.1</version>
      </dependency>
      ...
    </dependencies>
  2. import and enable AppDefender in the entryPoint method of your function (the method annotated with @FunctionName), e.g.

    MyFunction.java
    import com.extrinsec.AppDefender;

    // enable appdefender in the entryPoint method
    AppDefender.enable();

C#

  1. update your project configuration file to include the AppDefender NuGet package. See Azure documentation for more details.

    MyProject.csproj
    <Project Sdk="Microsoft.NET.Sdk">
      ...
      <ItemGroup>
        <PackageReference Include="AppDefender" Version="0.4.1">
          <IncludeAssets>all</IncludeAssets>
        </PackageReference>
      </ItemGroup>
    </Project>
  2. import and enable AppDefender in your function entry point (the method decorated with the FunctionName attribute), e.g.

    MyFunction.cs
    using AppDefenderSDK;

    // enable appdefender in the handler function
    AppDefender.enable();

Set environment variables

  1. add the following environment variables to your serverless function/application

    • ES_LICENSE_KEY=your license key
    • ES_POLICY_GROUP_NAME=name of your policy group (use observeAll.ability if you have a temporary license key)

Configure Policy Groups

  1. if you have a registered account, then you can create and edit your own policy groups
  2. if you have a temporary license key, then please use either the observeAll.ability public policy group or register for a free account and create your own custom policy group
  3. each policy group contains instructions for AppDefender during execution:
    1. Grant, Observe, or Deny access to any combination of the following:
      1. outbound network traffic from the serverless function/application process
      2. read/write on the /tmp/ or application directories
      3. create/spawn child processes
    2. whether to terminate serverless function/application execution on any deny event
    3. whether to allow all cloud provider traffic if outbound data is set to deny. Note: you must upgrade your free plan in order to enable this feature
      1. this is cloud provider specific, so if you are running on GCF and this option is set, all Google Cloud traffic would be allowed
    4. a custom list of allowed domains if outbound data is set to deny
      1. domain names are matched as "contains" by default, e.g. stripe (contains) would match stripe.com as well as m.stripe.com
      2. wildcards can also be used, e.g. *.amazonaws.com (ends with) or lambda.* (starts with)
      3. multiple domains are comma separated
      4. AppDefender performs DNS resolution to act on all IP addresses matching the specified domain names
    5. an optional description field for you to document the purpose or other details of the policy group (image: Policy Group Edit)
  4. create as many policy groups as you have unique needs. There is no limit on how many policy groups you may have
  5. once a policy group is updated, the changes are automatically picked up by any AppDefender protected application during its next start/restart
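The allowed-domain rules above (contains by default, *.suffix for ends-with, prefix.* for starts-with, comma separated) can be previewed before a policy group is switched from Observe to Deny. The matcher below is an added illustration written here to mirror the documented rules, not AppDefender's own code; the allow list and hostnames are constructed sample values, and treating the bare apex (amazonaws.com) as not matching *.amazonaws.com is an assumption about the "ends with" rule.

```python
# Added reference matcher for the documented policy-group allow-list rules.
# Not AppDefender's implementation: it exists to preview which resolved
# hostnames a "deny outbound data" policy would still let through.
# Rules: plain entry = contains, "*.suffix" = ends with, "prefix.*" = starts
# with, entries comma separated. Sample hosts/spec below are constructed.

def parse_allowed_domains(spec: str) -> list[str]:
    """Split the comma-separated allow list, dropping blanks and whitespace."""
    return [d.strip().lower() for d in spec.split(",") if d.strip()]


def domain_matches(pattern: str, hostname: str) -> bool:
    """Apply one allow-list pattern to one resolved hostname."""
    host = hostname.lower().rstrip(".")
    if pattern.startswith("*."):           # *.amazonaws.com -> ends with
        return host.endswith(pattern[1:])  # assumption: bare apex excluded
    if pattern.endswith(".*"):             # lambda.* -> starts with
        return host.startswith(pattern[:-1])
    return pattern in host                 # default: contains


def is_allowed(spec: str, hostname: str) -> bool:
    """True if any pattern in the allow list matches the hostname."""
    return any(domain_matches(p, hostname) for p in parse_allowed_domains(spec))


def preview(spec: str, hostnames: list[str]) -> dict[str, bool]:
    """Evaluate the allow list against hostnames a function might resolve."""
    return {h: is_allowed(spec, h) for h in hostnames}


# Constructed allow list and hostnames for a payment function (sample values).
SAMPLE_SPEC = "stripe, *.amazonaws.com, lambda.*"
SAMPLE_HOSTS = [
    "api.stripe.com",              # contains "stripe" -> allowed
    "m.stripe.com",                # contains "stripe" -> allowed
    "s3.eu-west-1.amazonaws.com",  # ends with ".amazonaws.com" -> allowed
    "amazonaws.com",               # apex: not matched by *.amazonaws.com here
    "lambda.example.net",          # starts with "lambda." -> allowed
    "notstripe.example",           # contains "stripe": bare entries are broad
    "updates.example.org",         # matches nothing -> would be denied
]

if __name__ == "__main__":
    for host, ok in preview(SAMPLE_SPEC, SAMPLE_HOSTS).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {host}")
```

The notstripe.example row is the practical caveat: a bare "contains" entry also admits unrelated hosts that merely contain the string, so prefer *.suffix or prefix.* patterns when the policy is set to Deny.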

View Your Functions and Events

  1. if you have a registered account, you can view all your functions/applications in the dashboard automatically, as reported by AppDefender. The cloud provider information, as well as the language runtime and policy group used, are all shown
  2. you can also view all events as detected by AppDefender in the dashboard
    1. each event is an observe or deny occurrence as outlined in the section above. Note: grant policies don't generate events
    2. events are reported by AppDefender to your dashboard in real time. You can use event reporting to better understand the actions of your functions/applications, and to inform how you customize your policy groups
    3. events are kept for different durations depending on your current pricing plan