Azure Functions is a serverless computing platform that enables developers to build and run code without the need to worry about infrastructure. One key aspect of using Azure Functions is choosing the right hosting and networking options to support your application’s needs.
Choose the right hosting option
There are several hosting options available for Azure Functions, each with its own set of benefits and trade-offs. These options include the Consumption, Elastic Premium, and App Service plans. In this article, we will take a closer look at each of these options and discuss the factors to consider when choosing the right one for your needs.
The Consumption plan is a pay-per-use option that charges you only for the time that your Functions are executing, based on metrics such as number of executions, execution time, and memory used. This can be a desirable choice for applications that only need to run occasionally, as it can help you save money by only paying for what you use.
Things to keep in mind with the Consumption plan are:
It can have longer cold start times, which can impact the performance of your Functions.
Execution duration is limited: the default timeout is five minutes, and you can increase it up to ten.
If you need faster cold start times, longer execution duration and a higher level of performance and scale, the Elastic Premium plan might be a better option.
Elastic Premium plan
The Premium plan provides dedicated resources and faster cold start times due to always ready and pre-warmed instances, making it an excellent choice for applications that require a higher level of performance and scale. The Premium plan also offers additional features such as larger and more powerful Virtual Machines to run your Functions, and multiple networking features to control and lock down ingress (incoming) and egress (outgoing) traffic.
However, the Premium plan is more expensive than the Consumption plan, so it is important to carefully consider whether the additional features are worth the cost. If you do not need the additional features and resources offered by the Premium plan, the Consumption plan might be a more cost-effective option.
Use the right SKU
If you are using the Premium hosting option, you can choose from several different SKUs, each with its own combination of CPU cores, memory, and storage. Choosing the right SKU can have a significant impact on the performance of your Functions.
There are three SKUs available on the Premium plan: EP1, EP2, and EP3.
The EP1 SKU has 210 ACU (Azure Compute Units), 1 core and 3.5 GB of memory, the EP2 SKU has 420 ACU, 2 cores and 7 GB of memory, and the EP3 SKU has 840 ACU, 4 cores and 14 GB of memory. The storage for all three SKUs is 250 GB.
When choosing an SKU, consider the type of workload that your Functions app will be running. If your application requires a lot of CPU-intensive processing, you might want to choose a higher-end SKU with more cores. On the other hand, if your application is primarily I/O-bound, you might be able to get by with a lower-end SKU.
App Service plans
In addition to the Consumption and Premium plans, Azure Functions can also be hosted on an App Service plan. This allows you to run your Functions alongside other web applications on the same infrastructure, which can be a cost-effective option if you have multiple applications that share the same resources.
However, keep in mind that App Service plans do not offer the same level of performance and scale as the Elastic Premium plan, so they may not be suitable for all workloads. If you need the highest level of performance and scale, the Premium plan might be a better option.
App Service Environment (ASE) V3
For even more control over your network environment, you can use an App Service Environment (ASE) V3. It is deployed within your own Azure Virtual Network subnet, giving you full control over your network.
Using an ASE allows you to run your Functions in a fully isolated and dedicated environment, providing an additional layer of security and control. However, keep in mind that this option is more expensive than other hosting options, so it is important to carefully consider whether the additional features are worth the cost.
Networking Options for Azure Functions
In addition to choosing the right hosting option, you can also use networking options to control inbound and outbound traffic for your Azure Functions.
Control inbound traffic
To control inbound traffic, you can use Azure Private Endpoint to block internet traffic to your function and only allow traffic from an Azure Virtual Network. Private Endpoint is a network interface that connects your function privately and securely to a service powered by Azure Private Link.
In addition to using Private Endpoint, you can also configure access restrictions, which act like a firewall that lets you block and filter traffic. Access restrictions allow you to specify IP address ranges or Azure Virtual Network subnets that are allowed or denied access to your function app.
Most App Service pricing tiers also have the ability to add private endpoints to the app, which are an additional entry point to it. Access restrictions do not apply to traffic entering through a private endpoint. For all apps hosted on App Service, the default entry point is publicly available. The only exception is apps hosted in an Internal Load Balancing (ILB) App Service Environment, where the default entry point is internal to the virtual network.
When traffic reaches the App Service, it will first evaluate if the traffic originates from a private endpoint or is coming through the default endpoint. If the traffic is sent through a private endpoint, it will be sent directly to the site without any restrictions. Restrictions to private endpoints are configured using network security groups.
If the traffic is sent through the default endpoint (often a public endpoint), the traffic is first evaluated at the site’s “Allow public access” setting. Here you can either enable or disable public access. If site access is enabled, the traffic will be evaluated at the app access level. For any app, you will have both the main site and the advanced tools site (also known as scm or kudu site). You have the option of configuring a set of access restriction rules for each site.
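The evaluation order described above can be modelled in a few lines. This is an added example, not Azure's code or code from the original post: the `Rule`, `App` and `decide` names are hypothetical, the sample addresses are constructed, and it assumes rules are checked in ascending priority order with an implicit deny once a rule list is non-empty.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    priority: int   # assumption: lower number is evaluated first
    action: str     # "Allow" or "Deny"
    cidr: str       # source IP range the rule matches

@dataclass
class App:
    public_access: bool   # the site's "Allow public access" setting
    main_rules: list      # access restriction rules for the main site
    scm_rules: list       # access restriction rules for the scm (kudu) site

def evaluate_rules(rules, source_ip):
    """First matching rule by priority wins; a non-empty list ends in an implicit deny."""
    if not rules:
        return "allow (no rules configured)"
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rule.cidr):
            return f"{rule.action.lower()} (rule priority {rule.priority})"
    return "deny (implicit deny, no rule matched)"

def decide(app, source_ip, via_private_endpoint, site="main"):
    # Step 1: private endpoint traffic is not subject to access restrictions;
    # it is filtered by network security groups, which this model leaves out.
    if via_private_endpoint:
        return "allow (private endpoint, access restrictions not applied)"
    # Step 2: default endpoint traffic meets the public access switch first.
    if not app.public_access:
        return "deny (public access disabled)"
    # Step 3: the main site and the scm site each have their own rule set.
    rules = app.main_rules if site == "main" else app.scm_rules
    return evaluate_rules(rules, source_ip)

# Constructed sample: main site restricted to one range, scm site left without rules.
SAMPLE = App(
    public_access=True,
    main_rules=[Rule(100, "Allow", "203.0.113.0/24"), Rule(200, "Deny", "203.0.113.7/32")],
    scm_rules=[],
)

if __name__ == "__main__":
    for ip, pe, site in [("203.0.113.7", False, "main"), ("198.51.100.9", False, "main"),
                         ("198.51.100.9", False, "scm"), ("10.0.1.4", True, "main")]:
        print(f"{ip:15} pe={pe!s:5} site={site:4} -> {decide(SAMPLE, ip, pe, site)}")
```

Two review points show up in the sample: the deny rule for `203.0.113.7` never fires because a broader allow rule has a lower priority number, and the scm site stays open while the main site is restricted.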
Control outbound traffic
To control outbound traffic, you can use the VNET (Virtual Network) integration feature to access virtual network resources, such as Azure Storage and Key Vault via private endpoint (RFC1918 IP addresses) from your Function App. You can also use the VNET_ROUTE_ALL feature to route all traffic to the internet through an Azure Virtual Network.
There are plenty of configuration options that you can use to control networking for your Azure Functions. One example is the WEBSITE_CONTENTOVERVNET setting, which allows you to specify whether your function app’s content (i.e., code, static files) should be served over a virtual network. By default, this setting is set to 0, meaning your function app’s content is not served over a virtual network. If you set this setting to 1, your function app’s content will be served over a virtual network with the help of the virtual network integration feature.
Another configuration option is the WEBSITE_VNET_ROUTE_ALL setting, which allows you to specify whether all outbound traffic from your function app should be routed through a virtual network. By default, this setting is set to 1, meaning that traffic is routed through a virtual network. If you set this setting to 0, all outbound traffic will be routed to the internet directly.
It is important to note that these configuration options are only applicable if you choose to host your function app on a Premium plan or an App Service plan with VNET integration enabled.
In summary, there are several hosting and networking options available for Azure Functions, each with its own set of benefits and trade-offs. It is important to carefully consider your application’s needs and choose the option that best fits those needs. Additionally, you can use configuration options to further control networking for your function app.