Table of Contents
Introduction
Real-World Scenario: Healthcare Claims Processing at Scale
Setting Application Settings in Azure Function Apps
Monitoring Azure Function Performance in Production
Complete Implementation with Observability
Best Practices for Enterprise Deployments
Conclusion
Introduction
In enterprise cloud environments, Azure Functions are rarely just “hello world” scripts. They power mission-critical workflows—processing insurance claims, reconciling financial transactions, or ingesting IoT telemetry. Two foundational concerns for any senior cloud architect are: how to securely manage configuration, and how to observe performance in real time.
This article tackles both using a realistic, high-stakes scenario from the healthcare domain, with production-grade code and observability patterns used in Fortune 500 deployments.
Real-World Scenario: Healthcare Claims Processing at Scale
Imagine a U.S.-based health insurer processing 500,000+ electronic claims daily. Each claim arrives as a JSON payload via Azure Service Bus. A function must:
Validate the claim against HIPAA-compliant rules
Enrich it with patient data from a secured FHIR API
Store it in Cosmos DB
Emit metrics for compliance auditing
This pipeline runs 24/7 across multiple regions. Misconfigured secrets or undetected latency spikes could delay reimbursements—or violate regulatory requirements.
![PlantUML Diagram]()
Setting Application Settings in Azure Function Apps
In Azure Functions, application settings are environment variables injected at runtime. Never hardcode secrets or endpoints.
Correct Approach: Use Azure Key Vault + Managed Identity
# requirements.txt
azure-functions
azure-identity
azure-keyvault-secrets
# __init__.py
import os
import logging
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
def get_secret(secret_name: str) -> str:
key_vault_uri = os.environ["KEY_VAULT_URI"]
credential = DefaultAzureCredential()
client = SecretClient(vault_url=key_vault_uri, credential=credential)
return client.get_secret(secret_name).value
def main(msg: func.ServiceBusMessage):
try:
# Securely fetch settings
fhir_api_url = get_secret("FhirApiEndpoint")
cosmos_conn_str = get_secret("CosmosDbConnectionString")
claim = msg.get_body().decode('utf-8')
logging.info(f"Processing claim: {claim[:100]}...")
# Business logic here (validation, enrichment, storage)
# ...
except Exception as e:
logging.error(f"Claim processing failed: {str(e)}")
raise
Infrastructure-as-Code (Bicep)
// function-app.bicep
param location string = resourceGroup().location
param keyVaultName string
resource funcApp 'Microsoft.Web/sites@2023-12-01' = {
name: 'claims-processor-prod'
location: location
kind: 'functionapp'
properties: {
serverFarmId: appServicePlan.id
siteConfig: {
appSettings: [
{
name: 'KEY_VAULT_URI'
value: 'https://${keyVaultName}.vault.azure.net/'
}
{
name: 'FUNCTIONS_WORKER_RUNTIME'
value: 'python'
}
{
name: 'AzureWebJobsStorage'
value: '...' // from storage account
}
]
http20Enabled: true
minTlsVersion: '1.2'
}
}
identity: {
type: 'SystemAssigned'
}
}
// Grant Function App access to Key Vault
resource kvAccess 'Microsoft.KeyVault/vaults/accessPolicies@2023-02-01' = {
name: '${keyVaultName}/add'
properties: {
accessPolicies: [
{
tenantId: tenant().tenantId
objectId: funcApp.identity.principalId
permissions: {
secrets: ['get', 'list']
}
}
]
}
}
Key Insight: Never store secrets in local.settings.json in source control. Use Managed Identity + Key Vault for zero-secret deployments.
Monitoring Azure Function Performance in Production
Observability isn’t optional—it’s a compliance requirement in healthcare.
Enable Application Insights (Built-in)
In host.json:
{
"version": "2.0",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"maxTelemetryItemsPerSecond": 5
},
"enableLiveMetrics": true,
"enableDependencyTracking": true
}
},
"functionTimeout": "00:10:00"
}
Custom Metrics & Distributed Tracing
import logging
from azure.monitor.opentelemetry import configure_azure_monitor
# Enable OpenTelemetry-based monitoring
configure_azure_monitor(
connection_string=os.environ["APPLICATIONINSIGHTS_CONNECTION_STRING"]
)
logger = logging.getLogger(__name__)
def main(msg: func.ServiceBusMessage):
from opentelemetry import trace
tracer = trace.get_tracer(__name__)
with tracer.start_as_current_span("process_claim") as span:
span.set_attribute("claim.id", msg.message_id)
span.set_attribute("queue.name", msg.metadata["MessageReceiver"])
start_time = time.time()
# ... processing logic ...
duration = time.time() - start_time
# Custom metric
from azure.monitor.opentelemetry.exporter import AzureMonitorMetricExporter
exporter = AzureMonitorMetricExporter()
exporter.export([
{
"name": "ClaimProcessingDuration",
"value": duration,
"dimensions": {"region": os.environ.get("REGION", "unknown")}
}
])
logger.info("Claim processed successfully", extra={"duration_sec": duration})
Critical Alerts (via Azure Monitor)
Create alert rules for:
Failures: exceptions/count > 0 over 5 minutes
Latency: customMetrics/ClaimProcessingDuration > 8s (P95)
Throttling: dependencies/resultCode == "429"
Use Action Groups to page on-call engineers via Teams/SMS.
Complete Implementation with Observability
Deploy with secure config, full tracing, and alerts:
# Deploy with Bicep
az deployment group create --resource-group claims-rg --template-file function-app.bicep --parameters keyVaultName=claims-kv-prod
# Set non-secret app settings
az functionapp config appsettings set \
--name claims-processor-prod \
--resource-group claims-rg \
--settings "REGION=eastus" "LOG_LEVEL=INFO"
All secrets remain in Key Vault. All telemetry flows to Application Insights with end-to-end transaction tracing.
![1]()
Best Practices for Enterprise Deployments
Never commit secrets – Use Managed Identity + Key Vault
Enable Live Metrics – For real-time debugging during incidents
Set functionTimeout – Prevent runaway executions
Use custom dimensions – Tag telemetry by region, tenant, or data sensitivity
Alert on business metrics – Not just CPU/memory (e.g., “claims processed per minute”)
Rotate secrets automatically – Use Key Vault auto-rotation with Azure Policy
Conclusion
In regulated industries like healthcare, how you configure and monitor serverless functions is as important as the logic itself. By combining:
…you build systems that are not only scalable but also auditable, compliant, and resilient.
As a senior cloud architect, your job isn’t to write functions—it’s to ensure every function in production is observable, secure, and accountable. The code above is your blueprint.