Security features for network communication
After the template deployment, security features are automatically enabled and configured as described in the following sections.
Firewalls are set for IP address ranges and the VNet. The firewall only allows interactions with the DB tables from the FortiGate subnet, the Function App's Additional Outbound IP Addresses, and user-defined IPv4 IP ranges.
To view the firewalls, load the Cosmos DB. From the Settings section of the left navigation tree, click Networking and then click Firewall and virtual networks.
The IP addresses listed in the Firewall section include the set of all possible Function App outbound IP addresses as obtained from the Additional Outbound IP Addresses field of the Function App Properties. To view these IP addresses, load the Function App, click the Platform features tab and then click Properties. Each IP address in the list has been added as an entry in the Cosmos DB firewall.
If the Function App's Additional Outbound IP Addresses change, the Cosmos DB firewall must be manually updated so that each IP address has a corresponding entry in the Cosmos DB firewall. Any IP address not listed in the Cosmos DB firewall will be blocked, which in turn blocks the Autoscale function. For details on when Function App outbound IP addresses change, refer to the Microsoft article When outbound IPs change.
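As an added example (not part of the Fortinet documentation), the following script performs the check described above offline: it takes the Function App's Additional Outbound IP Addresses and the Cosmos DB firewall entries and reports every outbound IP that no firewall entry covers. The sample values are constructed; in practice the inputs would be copied from the Function App Properties page and the Cosmos DB Networking page, and the script assumes firewall entries may be single IPs or CIDR ranges.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample data in the shape the Azure portal shows it.
# Function App -> Properties -> "Additional Outbound IP Addresses"
# (a comma-separated string).
FUNCTION_APP_OUTBOUND = "20.50.1.10,20.50.1.11,20.50.1.12,40.70.2.5"

# Cosmos DB -> Networking -> Firewall and virtual networks entries.
# "10.0.1.0/24" stands in for the FortiGate subnet and "203.0.113.0/24"
# for a user-defined IPv4 range; the rest are Function App entries.
COSMOS_FIREWALL_RULES = ["20.50.1.10", "20.50.1.11", "10.0.1.0/24", "203.0.113.0/24"]


def parse_ip_list(value: str) -> List[ipaddress._BaseAddress]:
    """Split the comma-separated outbound IP string into address objects."""
    return [ipaddress.ip_address(p.strip()) for p in value.split(",") if p.strip()]


def parse_rules(rules: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Accept single IPs or CIDR ranges; a bare IP becomes a /32 network."""
    return [ipaddress.ip_network(r.strip(), strict=False) for r in rules]


def missing_firewall_entries(outbound: str, rules: Iterable[str]) -> List[str]:
    """Return the outbound IPs not covered by any Cosmos DB firewall entry.

    Every IP returned here would be blocked by Cosmos DB, and any request the
    Function App happens to send from it would fail, stalling Autoscale.
    """
    networks = parse_rules(rules)
    return [str(ip) for ip in parse_ip_list(outbound)
            if not any(ip in net for net in networks)]


if __name__ == "__main__":
    for ip in missing_firewall_entries(FUNCTION_APP_OUTBOUND, COSMOS_FIREWALL_RULES):
        print(f"add to Cosmos DB firewall: {ip}")
```

Run it again after any change to the Function App's outbound addresses; an empty result means every outbound IP has a matching firewall entry.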
Requests are restricted by source. Incoming requests are only allowed from the FortiGate subnet and from user-defined IPv4 IP ranges.
To view Access Restrictions, load the Function App. In the right-hand pane, click the Platform features tab and then click All settings. From the Settings section of the left navigation tree, click Networking and then click Configure Access Restrictions.
The service endpoints for Azure services are enabled. Service endpoints should be enabled for the minimum number of Azure services required for Autoscale.