Guarding Azure Functions: Serverless Meets Secure-by-Design Containers
If you're running production workloads in the cloud, chances are you've encountered the joys and quirks of serverless compute – and for many teams, that means using Azure Functions.
But while the benefits of functions-as-a-service (FaaS) are undeniable (hello, zero-provisioning), the container images powering them are often riddled with vulnerabilities, have opaque provenance, and require significant engineering headcount to manage. That's where we come in.
At Chainguard, our mission is to be the safe source for open source. That means building trusted, secure-by-design container images continuously from source with minimal components and low-to-zero CVEs – which we back up with an enterprise SLA for CVE remediation (7 days for critical, 14 days for high). Today, we have a catalog of 1,400+ Chainguard Containers that help customers reduce the engineering toil required to manage open source artifacts, secure their open source footprints in production, and simplify continuous compliance.
Now, we’re bringing that same ethos of security and engineering efficiency to the world of Azure Functions.
Why Azure Functions?
Azure Functions is a popular choice for event-driven architectures – think scheduled jobs, message queue processing, and simple HTTP APIs – all without having to manage infrastructure. But under the hood, they still rely on container images to do the heavy lifting. And those images? Often bloated, often vulnerable, and almost always opaque.
So, we thought: what if you could have the convenience of serverless and the confidence of a trusted, traceable image built from the ground up for security?
Spoiler: now you can.
Say Hello to Secure Azure Functions with Chainguard Containers
Developers often want to build fully serverless applications with multiple triggers and bindings, but they need a trusted Node.js base image with a few additional components to make that a reality. That’s why we built a customized Node.js base image that can deploy Azure Functions. Here are the core components of that image:
The Node.js runtime
Azure Functions Host
Node.js Worker for Functions
Host compatibility and extension bundles
These components ensure support for core triggers and bindings without any extra weight or unnecessary packages, and they make some classic Azure Functions possible. For example:
HTTP Functions: A classic “Hello, {name}” endpoint to test basic request/response flows.
Queue + Table Function: Triggers on queue messages and writes entries to a storage table.
Timer + Twilio Function: Runs every 3 minutes and sends an SMS using Twilio (yes, complete with secrets stored securely via environment variables).
All of these capabilities are wired together with real Azure resources: Storage Account, Container Registry, Managed Identity, Container App Environment, and Application Insights for observability.
And deploying your serverless application with Azure Functions is easy. You can follow the steps below:
Build the function container using a Dockerfile.
Push it to Azure Container Registry.
Deploy to Azure as a Container App running Azure Functions (note: this is the only way to run custom images in Functions).
Set up Managed Identity with the right roles (pull from ACR, read/write from storage).
Patch the default Microsoft Function App config to use the Chainguard image.
And voilà – your Functions are now running with a Chainguard container image.
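Steps 1 through 4 with the Azure CLI, as an added example that is not from the original post or from Chainguard's documentation: the managed identity gets one narrowly scoped built-in role per resource rather than a broad role on the resource group. All resource names are placeholders, the Dockerfile in the current directory is assumed to already build on the Chainguard base image, and the three role names are this example's reading of "pull from ACR, read/write from storage".

```bash
#!/usr/bin/env bash
# Added example. Every resource name below is a placeholder (assumption),
# not a value from the article.
set -eu

RG="${RG:-rg-functions-demo}"
ACR="${ACR:-examplefuncacr}"
STORAGE="${STORAGE:-examplefuncstorage}"
IDENTITY="${IDENTITY:-id-functions-demo}"
APP="${APP:-func-demo}"
ENVIRONMENT="${ENVIRONMENT:-cae-functions-demo}"
IMAGE_TAG="${IMAGE_TAG:-functions-node:v1}"

# Emit "role|scope" pairs: data-plane roles scoped to a single resource,
# instead of Contributor/Owner on the resource group or subscription.
role_plan() {  # usage: role_plan <acr_resource_id> <storage_resource_id>
  printf '%s|%s\n' \
    "AcrPull" "$1" \
    "Storage Queue Data Contributor" "$2" \
    "Storage Table Data Contributor" "$2"
}

deploy() {
  # Steps 1-2: build from the local Dockerfile and push to the registry.
  az acr build --registry "$ACR" --image "$IMAGE_TAG" .

  # Step 4: user-assigned identity holding only the roles from role_plan.
  az identity create -g "$RG" -n "$IDENTITY" -o none
  local principal_id identity_id acr_id storage_id role scope
  principal_id=$(az identity show -g "$RG" -n "$IDENTITY" --query principalId -o tsv)
  identity_id=$(az identity show -g "$RG" -n "$IDENTITY" --query id -o tsv)
  acr_id=$(az acr show -n "$ACR" --query id -o tsv)
  storage_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  role_plan "$acr_id" "$storage_id" | while IFS='|' read -r role scope; do
    az role assignment create --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope" -o none
  done

  # Step 3: container app of kind functionapp that pulls with the identity,
  # so no registry admin password is stored in the app.
  az containerapp create -g "$RG" -n "$APP" --environment "$ENVIRONMENT" \
    --kind functionapp --image "$ACR.azurecr.io/$IMAGE_TAG" \
    --registry-server "$ACR.azurecr.io" --registry-identity "$identity_id" \
    --user-assigned "$identity_id" --ingress external --target-port 80
}

# Only touch Azure when explicitly asked; otherwise the file just defines functions.
if [ "${1:-}" = "--apply" ]; then deploy; fi
```

Running `az role assignment list --assignee <principalId> --all -o table` afterwards shows whether the identity ended up with exactly these three assignments and nothing inherited from a wider scope.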
Observability & Performance
Each function writes to Azure Application Insights, and logs appear within ~5-10 minutes. You can verify runs, trigger invocations manually, and inspect the table and queue output directly.
Oh, and yes – it all just works. Exactly like the default Microsoft image, but with tighter control, fewer moving parts, and drastically fewer CVEs.
Zero to Serverless, Without Compromise
If you're already using Azure Functions, swapping in Chainguard container images doesn’t require any heroic refactors. Just point your deployment to our image and proceed as usual – but with the peace of mind that comes from running secure-by-default software.
For teams already embracing containers and Kubernetes, this unlocks an additional layer of flexibility in serverless architecture without compromising security posture. It's serverless, the Chainguard way.
Ready to Start Building?
Our Azure Functions image is available now. Want to run your own serverless workloads on hardened containers? Reach out or check out the docs to get started.