Azure Linux Function App is a serverless computing service that allows you to run event-driven code without provisioning or managing servers.
You can use Azure Linux Function App to build scalable and highly available applications that can handle a large volume of requests.
The service supports a wide range of programming languages, including C#, Java, JavaScript, and Python.
Azure Linux Function App provides a free tier that allows you to run up to 1 million requests per month for free.
Azure Linux Function App Basics
To set up an Azure Function App on Linux, it's essential to specify it as a Function App, Linux, and a Container functionapp,linux,container. This tells Azure what type of app you're creating.
You'll also need to set the FUNCTIONS_EXTENSION_VERSION to ~3, which is a requirement for both Linux and Windows hosted Function Apps. Don't worry, it's a straightforward step.
When choosing a Linux image, you have options like DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0.13130-appservice, which I've personally used and can attest works well.
Microsoft
Microsoft plays a significant role in Azure Linux Function App, particularly when it comes to authentication settings. You can exclude certain paths from the unauthenticated_action when it's set to RedirectToLoginPage, which is useful for controlling access to your app.
One of the key settings is LinuxFunctionAppAuthSettingsMicrosoft, which helps you manage authentication. LinuxFunctionAppAuthSettingsMicrosoftArgs is another important setting that allows you to specify the paths to exclude from the unauthenticated_action.
To authenticate your app, you'll need to create an OAuth 2.0 client secret, which is stored in an app setting name called LinuxFunctionAppAuthSettingsV2MicrosoftV2. This setting is crucial for authenticating users through Microsoft's V2 authentication method.
You can also assign a User Assigned Managed Identity to your Linux Function App, which is a list of IDs stored in LinuxFunctionAppAuthSettingsV2MicrosoftV2Args. This managed identity provides your app with an identity to authenticate with Microsoft services.
assistant
As you explore Azure Linux Function App, you'll notice the importance of authentication settings. Specifically, the default authentication provider to use when multiple providers are configured is crucial, and it can be set to AzureActiveDirectory, Facebook, Google, MicrosoftAccount, Twitter, or Github.
Authentication providers like Azure Active Directory require a specific OpenID Connect Issuer URI, which represents the entity that issues access tokens for the Linux Web App. This value is usually the URI of the directory tenant, e.g. https://sts.windows.net/{tenant-guid}/.
When using Azure Active Directory, it's essential to note that the unauthenticated_client_action should be set to "RedirectToLoginPage" for the default authentication provider to take effect.
If you're using a custom OIDC provider, you'll need to specify the Default Authentication Provider to use when the unauthenticated_action is set to RedirectToLoginPage. This can be set to apple, azureactivedirectory, facebook, github, google, twitter, or the name of your custom_oidc_v2 provider.
For GitHub Login, you'll need to specify the app setting name that contains the client_secret value used for GitHub Login. This is required when the type is set to UserAssigned or SystemAssigned, UserAssigned.
Similarly, for Apple Login, you'll need to specify the app setting name that contains the client_secret value used for Apple Login.
For Google Login, you'll need to specify the app setting name that contains the client_secret value used for Google Login. It's worth noting that URLs within the current domain are always implicitly allowed.
Authentication settings can be complex, but understanding the basics will help you navigate the process with ease.
Why to Read This Tutorial
This tutorial is tailored to help you set up your app on the Linux Consumption plan, which is a great starting point since you're not charged flat fees, only for when your code runs.
The Consumption plan is a popular choice for Azure Functions, and it's the plan I used for my experiments, so you can learn from my experiences.
You'll find that the principles in this tutorial can be applied to other Azure Functions plans, making it a valuable resource for anyone looking to get started.
The tutorial highlights solutions specific to the Consumption plan, so you can avoid common pitfalls and get up and running quickly.
Deployment and Setup
To deploy your Azure Linux function app, you'll need to run the `func azure functionapp publish` command in your terminal. This command publishes your project files as a .zip deployment package to the function app in Azure.
The command will overwrite existing files in the remote function app deployment, so make sure you have a backup of your project files. You'll also need to have already created a function app in your Azure subscription.
To create a function app, you can use the Azure CLI or Azure PowerShell, or you can create it in the Azure portal. If you try to publish to a function app that doesn't exist, you'll get an error.
Here are some key things to keep in mind when using the `func azure functionapp publish` command:
- Publishing overwrites existing files in the remote function app deployment.
- You must have already created a function app in your Azure subscription.
- A project folder may contain language-specific files and directories that shouldn't be published, which are listed in a .funcignore file in the root project folder.
- By default, your project is deployed so that it runs from the deployment package, but you can disable this by using the --nozip option.
- A remote build is performed on compiled projects, but you can control this by using the --no-build option.
- You can use the --publish-local-settings option to automatically create app settings in your function app based on values in the local.settings.json file.
- To publish to a specific named slot in your function app, use the --slot option.
Using Containers
You can host your function app containers in Azure using various options.
Azure Container Apps is a recommended hosting option for running containerized function apps on Azure. It provides integrated support for developing, deploying, and managing containerized function apps on Azure Container Apps.
You can host your function app containers in Azure Functions by running the container in either an Elastic Premium plan or a Dedicated plan.
Kubernetes is another option for hosting your function app containers. However, running your containerized function apps on Kubernetes is an open-source effort that you're responsible for maintaining yourself.
Here are some key benefits of using Azure Container Apps:
- Integrated support for developing, deploying, and managing containerized function apps
- Managed Kubernetes-based environment with built-in support for open-source monitoring, mTLS, Dapr, and KEDA
- Supports scale-to-zero and provides a servless pay-for-what-you-use hosting model
- You can also request dedicated hardware, even GPUs, by using workload profiles.
Azure Functions also supports containerized function apps, but it requires more manual configuration compared to Azure Container Apps.
To host your function app containers in Azure, you need to specify the container image you want to use in the siteConfig.linuxFxVersion property of your ARM template. You can pull the image from Docker Hub, but you need to use a recent tag of the image, such as 3.0.13130-appservice.
Binding Extensions
Binding Extensions are essential for connecting your Functions to Azure services. They make it easier to work with triggers and bindings without having to use service-specific client SDKs.
Functions triggers and bindings are implemented as .NET extension (NuGet) packages, which must be installed in the project to be used. This applies to C# class library projects, where you need to add references to the specific NuGet packages for the binding extensions required by your functions.
For C# script (.csx) projects, you must use extension bundles, which are versioned and defined in the host.json file. Your host.json should already have extension bundles enabled, but if you need to add or update the extension bundle, you can do so by following the instructions in the documentation.
Extension bundles make it easy to work with binding extensions in your project, but if you need to use a binding extension or an extension version not in a supported bundle, you may need to manually install extensions. In rare cases, you can use the func extensions install command to manually install extensions.
Here are some key considerations for working with binding extensions:
- For C# class library projects, add references to the specific NuGet packages for the binding extensions required by your functions.
- For C# script (.csx) projects, use extension bundles defined in the host.json file.
- Extension bundles are versioned and defined in the host.json file.
- Manual installation of extensions may be required for rare scenarios.
Download
Download is a crucial part of the deployment and setup process for Azure Functions.
You can download application settings from Azure using the func azure functionapp fetch-app-settings command. This command overwrites any existing settings in the local.settings.json file with values from Azure.
Consider encrypting the local.settings.json file for improved security during development.
To download a storage connection string, use the func azure storage fetch-connection-string command. This command adds a setting to the local.settings.json file containing the connection string for the specified storage account.
The command to download a storage connection string is easy to use and adds a setting with the account name followed by _STORAGE to the local.settings.json file.
Security and Identity
You can configure the identity of your Azure Linux Function App using LinuxFunctionAppIdentity, which requires that the FUNCTIONS_WORKER_RUNTIME application setting is not present.
To authenticate with Azure Active Directory, you'll need to set up LinuxFunctionAppAuthSettingsV2ActiveDirectoryV2, including the Azure Tenant Endpoint and the App Setting name for the client secret.
If you're using LinuxFunctionAppAuthSettingsV2ActiveDirectoryV2, make sure a setting with the specified name exists in app_settings for it to function correctly.
Active Directory
Active Directory is a crucial component of Azure's security and identity management. The Azure Tenant Endpoint is used for authenticating tenants, and it's formatted like this: https://login.microsoftonline.com/{tenant-guid}/v2.0/.
To authenticate with Active Directory, you'll need to have a setting with a specific name containing the client secret of the client. This setting must exist in app_settings for it to function correctly.
The Azure Tenant Endpoint is used to authenticate tenants, and it's essential to have the correct format, which includes the tenant GUID.
Identity
Identity is a crucial aspect of security, and Azure Functions has specific requirements to ensure it's handled correctly.
If you're using LinuxFunctionAppIdentity, you must not have an application setting called FUNCTIONS_WORKER_RUNTIME.
Having a clear understanding of identity settings is essential to avoid potential issues with your Azure Functions application.
Encrypt Local File
Encrypting your local settings file is a crucial step in securing your sensitive data. You can use Core Tools to encrypt the local.settings.json file for improved security.
Core Tools helps you encrypt this local settings file automatically, and you can also encrypt the file manually for added security. This ensures that your connection strings and other valuable data are protected.
To encrypt the local settings file, use the following command: `func settings encrypt`. This command will automatically encrypt the file for you.
You can also decrypt an encrypted local setting using the following command: `func settings decrypt`. This allows you to work with the settings without having to manually decrypt the file.
The file's IsEncrypted setting also gets updated when the settings file is encrypted and decrypted. This ensures that you can keep track of the file's encryption status.
Here's a summary of the encryption and decryption commands:
Sources
- https://jan-v.nl/post/2020/deploying-azure-functions-on-a-linux-service-plan/
- https://learn.microsoft.com/en-us/azure/azure-functions/container-concepts
- https://www.pulumi.com/registry/packages/azure/api-docs/appservice/linuxfunctionapp/
- https://learn.microsoft.com/en-us/azure/azure-functions/functions-run-local
- https://tomaskohl.com/code/2022/automated-deployment-linux-azure-functions-app/
Featured Images: pexels.com