Network isolation features are available on the Enterprise tier only. Enterprise deployments use Private Endpoints, full VNet integration, Azure Monitor Private Link Scope (AMPLS), and private DNS zones to ensure all traffic stays within your network perimeter.
Overview
| Layer | Trial / Professional | Enterprise |
|---|---|---|
| Function App inbound | Public endpoint + EasyAuth | Private Endpoint (inbound restricted to VNet) |
| Table Storage | Authenticated access (Entra ID + RBAC) | Private Endpoint — default deny from public networks |
| Log Analytics | Public endpoint, Entra ID + RBAC auth required | Private-only via AMPLS (ingestion + queries) |
| App Insights | Public endpoint, Entra ID + RBAC auth required | Private-only via AMPLS |
| Outbound traffic | Public internet | All outbound routed through VNet integration |
| DNS | Azure public DNS | 6 private DNS zones (storage, web apps, 4 Azure Monitor zones) |
Function App Private Endpoint
On Enterprise, the Function App is deployed with a Private Endpoint that restricts inbound access to your VNet. The public endpoint is disabled — requests from outside the VNet are rejected at the network layer, before authentication.
Requirements
- A VNet with a dedicated subnet for the Function App private endpoint
- Private DNS zone: privatelink.azurewebsites.net linked to the VNet
DNS Resolution
After deployment, the Function App hostname (e.g., func-vaultguard360.azurewebsites.net) resolves to the private IP address within your VNet via the private DNS zone. Users outside the VNet who attempt to access the URL will receive a connection refused or DNS resolution failure.
Note: login.microsoftonline.com (Entra ID) must remain reachable from user workstations for the EasyAuth login redirect to complete. This is the public Microsoft identity endpoint and does not pass through your VNet.
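As an added example (not part of the product or its ARM template), the following checker confirms that the names above resolve the way this section describes when run from inside the VNet: the Function App and Table Storage hostnames must answer with private IPs, while login.microsoftonline.com must keep answering with a public one. The hostnames and the embedded answers are constructed placeholders.

```python
import ipaddress
import socket

# Constructed names for an Enterprise deployment (Function App and storage names are
# placeholders). True: must resolve to a private IP through the VNet-linked private DNS
# zone. False: stays on the public Microsoft endpoint, as the Note above says.
EXPECT_PRIVATE = {
    "func-vaultguard360.azurewebsites.net": True,
    "stvaultguard360.table.core.windows.net": True,
    "login.microsoftonline.com": False,
}

def classify(addresses, expect_private):
    """Classify one name's answers: ok, unresolved, not-private or not-public."""
    if not addresses:
        return "unresolved"
    private = [ipaddress.ip_address(a).is_private for a in addresses]
    if expect_private:
        # Any public answer means a client would bypass the Private Endpoint.
        return "ok" if all(private) else "not-private"
    return "ok" if not any(private) else "not-public"

def check_all(resolved):
    """resolved maps hostname -> list of answers (from resolve() or a captured lookup)."""
    return {h: classify(resolved.get(h, []), exp) for h, exp in EXPECT_PRIVATE.items()}

def resolve(hostname):
    """Live lookup via the current resolver; meaningful only when run inside the VNet."""
    try:
        infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
        return sorted({ai[4][0] for ai in infos})
    except socket.gaierror:
        return []

# Constructed answers: what a resolver inside the VNet returns, and what an outside
# resolver returns for the same names (the storage name is left out of the outside
# view to exercise the unresolved case).
IN_VNET_ANSWERS = {
    "func-vaultguard360.azurewebsites.net": ["10.10.1.4"],
    "stvaultguard360.table.core.windows.net": ["10.10.2.5"],
    "login.microsoftonline.com": ["20.190.151.7"],
}
PUBLIC_ANSWERS = {
    "func-vaultguard360.azurewebsites.net": ["20.42.64.10"],
    "login.microsoftonline.com": ["20.190.151.7"],
}

if __name__ == "__main__":
    for view, answers in (("in-VNet", IN_VNET_ANSWERS), ("outside", PUBLIC_ANSWERS)):
        print(view, check_all(answers))
```

Replace the embedded answers with `{h: resolve(h) for h in EXPECT_PRIVATE}` on a workstation inside the VNet; a `not-private` result for the Function App name means the privatelink.azurewebsites.net zone is not being consulted.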
VNet Integration (Outbound)
The Function App uses regional VNet integration to route all outbound traffic through your VNet. This means:
- Calls to Azure Key Vault APIs route through the VNet
- Calls to Azure Storage route through the VNet
- Calls to Azure Monitor (Log Analytics, App Insights) route through the VNet
- Outbound email and webhook notifications route through the VNet (subject to your network egress rules)
Configure WEBSITE_VNET_ROUTE_ALL=1 (set automatically by the ARM template) to route all outbound traffic, not just RFC 1918 addresses.
Table Storage Private Endpoint
On Enterprise, Azure Table Storage is deployed with a Private Endpoint and the public network access is set to Deny. Storage traffic from the Function App flows through the VNet integration → Private Endpoint path.
The private DNS zone privatelink.table.core.windows.net is created and linked to the VNet automatically by the ARM template.
Azure Monitor Private Link Scope (AMPLS)
Enterprise deployments create an Azure Monitor Private Link Scope configured with PrivateOnly access mode for both ingestion and queries. After AMPLS is configured, the ARM template disables public network access on the Log Analytics workspace:
```
publicNetworkAccessForIngestion: Disabled
publicNetworkAccessForQuery: Disabled
```
All telemetry and log queries flow through the AMPLS Private Endpoint within the VNet. The Function App reaches Log Analytics and App Insights via VNet integration → Private Endpoint → AMPLS — never over the public internet.
AMPLS Resources Deployed
| Resource | Purpose |
|---|---|
| Microsoft.Insights/privateLinkScopes | Groups Log Analytics workspace + App Insights under private link |
| Scoped resource: Log Analytics workspace | Enables private ingestion and queries |
| Scoped resource: App Insights | Enables private telemetry ingestion |
| Private Endpoint (azuremonitor group) | VNet entry point for all Azure Monitor traffic |
Private DNS Zones
Enterprise deployments create 6 private DNS zones linked to the VNet:
| DNS Zone | Purpose |
|---|---|
| privatelink.azurewebsites.net | Function App private endpoint |
| privatelink.table.core.windows.net | Table Storage private endpoint |
| privatelink.monitor.azure.com | Azure Monitor (AMPLS) |
| privatelink.oms.opinsights.azure.com | Log Analytics workspace (OMS agent) |
| privatelink.ods.opinsights.azure.com | Log Analytics workspace (ODS ingestion) |
| privatelink.agentsvc.azure-automation.net | Azure Monitor agent service |
These zones are created and VNet-linked automatically by the ARM template.
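To catch drift before deploying, here is an added example (not the product's ARM template or tooling) that audits a template for the Log Analytics public-access switches and AMPLS access mode from the AMPLS section and for the six private DNS zones and their VNet links listed above. The embedded template is constructed with two deliberate mistakes; the AMPLS accessModeSettings property names are assumed from the Azure resource schema rather than taken from this page.

```python
import json

# The six private DNS zones the Enterprise deployment is documented to create.
EXPECTED_ZONES = {
    "privatelink.azurewebsites.net",
    "privatelink.table.core.windows.net",
    "privatelink.monitor.azure.com",
    "privatelink.oms.opinsights.azure.com",
    "privatelink.ods.opinsights.azure.com",
    "privatelink.agentsvc.azure-automation.net",
}

# Constructed minimal template with two drifts: query access left Enabled, one zone unlinked.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.OperationalInsights/workspaces", "name": "law-sample",
     "properties": {"publicNetworkAccessForIngestion": "Disabled",
                    "publicNetworkAccessForQuery": "Enabled"}},
    {"type": "Microsoft.Insights/privateLinkScopes", "name": "ampls-sample",
     "properties": {"accessModeSettings": {"ingestionAccessMode": "PrivateOnly",
                                            "queryAccessMode": "PrivateOnly"}}},
] + [{"type": "Microsoft.Network/privateDnsZones", "name": z} for z in sorted(EXPECTED_ZONES)]
  + [{"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "name": f"{z}/vnet-link"}
     for z in sorted(EXPECTED_ZONES) if z != "privatelink.monitor.azure.com"]})

def audit_template(template_json):
    """Return human-readable findings; an empty list means the template matches the baseline."""
    by_type = {}
    for res in json.loads(template_json).get("resources", []):
        by_type.setdefault(res["type"], []).append(res)
    findings = []
    # Log Analytics: both public access switches must be Disabled once AMPLS is in place.
    for ws in by_type.get("Microsoft.OperationalInsights/workspaces", []):
        props = ws.get("properties", {})
        for key in ("publicNetworkAccessForIngestion", "publicNetworkAccessForQuery"):
            if props.get(key) != "Disabled":
                findings.append(f"{ws['name']}: {key} should be Disabled (is {props.get(key)})")
    # AMPLS: PrivateOnly for both ingestion and query (property names assumed from the Azure schema).
    for scope in by_type.get("Microsoft.Insights/privateLinkScopes", []):
        modes = scope.get("properties", {}).get("accessModeSettings", {})
        for key in ("ingestionAccessMode", "queryAccessMode"):
            if modes.get(key) != "PrivateOnly":
                findings.append(f"{scope['name']}: {key} should be PrivateOnly (is {modes.get(key)})")
    # Private DNS: every expected zone present, and each present zone linked to a VNet.
    zones = {z["name"] for z in by_type.get("Microsoft.Network/privateDnsZones", [])}
    linked = {l["name"].split("/")[0]
              for l in by_type.get("Microsoft.Network/privateDnsZones/virtualNetworkLinks", [])}
    findings += [f"missing private DNS zone {z}" for z in sorted(EXPECTED_ZONES - zones)]
    findings += [f"zone {z} has no VNet link" for z in sorted((EXPECTED_ZONES & zones) - linked)]
    return findings
```

Run `audit_template(open("template.json").read())` against an exported template; the constructed sample reports exactly the two drifts it contains.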
Existing DNS Zone Conflict
Warning: If your VNet already has Azure Monitor Private DNS zones linked (from an existing AMPLS deployment), the Enterprise deployment may fail due to conflicting VNet links. In this case, select "Use existing DNS zones" during the deployment wizard. This option skips DNS zone creation and uses your pre-existing zones.
Network Security Groups (NSG) Recommendations
If you use NSGs on the subnets used by VaultGuard360 Private Endpoints, allow the following inbound traffic:
| Rule | Source | Destination | Port | Protocol |
|---|---|---|---|---|
| Allow HTTPS from VNet | VirtualNetwork | Function App private IP | 443 | TCP |
| Allow HTTPS from corporate network | Your corporate IP range | Function App private IP | 443 | TCP |
For the AMPLS and Storage private endpoints, the Function App connects outbound — no inbound NSG rules are needed for those.
Log Explorer with Private Endpoints
The Log Explorer dashboard page works identically on Enterprise. The Function App proxies KQL queries to Log Analytics using its managed identity via the private endpoint — users query logs through the dashboard without needing direct workspace access or private network access to Log Analytics.
Baseline Security Controls (All Tiers)
Regardless of tier, all deployments enforce:
- HTTPS only, TLS 1.2 minimum
- No inbound ports besides HTTPS (443)
- Security headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Cache-Control
- SSRF protection on webhook and SMTP targets
- Request payload size limits with input validation
Risk Assessment: Trial / Professional Network Access
Log Analytics and App Insights have public network access enabled on Trial and Professional tiers (the Azure platform default). The residual risk is low:
| Factor | Detail |
|---|---|
| Authentication required | All access requires valid Entra ID credentials with an active session |
| Authorization required | RBAC Reader role on the workspace must be granted |
| Workspace ID not public | The workspace GUID is inside the managed resource group — not discoverable from public endpoints |
| Data sensitivity | The workspace contains application telemetry and scan audit entries — no secret values |
An external attacker would need (1) the workspace GUID, (2) valid Entra ID credentials in your tenant, and (3) RBAC Reader role on the workspace. Customers requiring network-level isolation for Log Analytics should use the Enterprise tier.