Cloud Connector for Azure Deployment Guide

Deploy the Trusted Signatures Azure Function in your own subscription for direct PDF requests or Blob Storage-based sealing workflows.

  • Azure Function deployment
  • Direct and storage modes
  • Customer subscription boundary

Azure proof

Use Azure Functions and Blob workflows for fast integration with enterprise controls

The documented Azure pattern combines Azure Functions, direct and Blob Storage modes, and Microsoft-native security controls so teams can support application and Power Automate workflows inside their own subscription.

Trust & Standards

  • 50 MB speed path: Direct mode supports request-body PDF sealing for documents up to 50 MB when teams want a simple application call path.
  • Blob scale model: Blob Storage mode supports larger files and reusable storage-based workflows, including Power Automate-driven handoff.
  • AAD security controls: The docs cover Key Vault, Azure AD, API Management, IP restrictions, and network controls for production rollout.
  • Digest data boundary: The Function computes the digest locally and only the signing digest leaves your Azure environment.

Deployment Guide

This document walks you through deploying the Trusted Signatures sealing Function to your own Azure subscription. It assumes general development experience but minimal Azure knowledge.

This is the guide for deploying Cloud Connector for Azure.

The connector provides businesses with a scalable, cost-effective API in their own infrastructure to seal even the most sensitive documents. By deploying the connector in their own Azure subscription, customers have assurance that none of the information in the documents can be intercepted or modified.

Cloud Connector for Azure is deployed as an Azure Function. Customers can either send PDFs directly in HTTP requests (up to 50 MB) or use Azure Blob Storage for larger files, invoke the Function, and receive the sealed PDF back.

Architecture Overview

[Figure: Process Flow - Direct Mode]

[Figure: Process Flow - Storage Mode]

1. Prerequisites

  1. Azure Subscription access with rights to create resource groups, Storage Accounts, and Function Apps.
  2. Tools installed locally (any OS):
    • Node.js 22.x and npm
    • Azure CLI (az)
    • Azure Functions Core Tools v4 (func)
  3. Trusted Signatures credentials (API Key in hex string and API Key ID).
  4. Source package from Trusted Signatures (zip or repository checkout).

2. Get the Release Bundle

  1. Download the latest trusted-signatures-function.zip from Trusted Signatures (created via npm run bundle on our side).
  2. Extract it to a working directory, e.g., ~/ts-gateway:
     unzip trusted-signatures-azure-gateway-v1.0.0.zip -d ~/ts-gateway
     cd ~/ts-gateway/trusted-signatures-azure-gateway-v1.0.0

  3. The package contains:
    • Ready-to-deploy Azure Function code (function/)
    • Azure deployment templates (deployment/)
    • Power Automate integration files (power-automate/)
    • Complete documentation (docs/)
  4. No build or compilation steps are required; the function code is ready to deploy.

3. Provision Azure Resources

Choose one of the following deployment paths:

Option A – Bicep Template

az deployment group create \
  --resource-group <resource-group> \
  --template-file deployment/main.bicep \
  --parameters saName=<storage-name> functionAppName=<function-app> location=<azure-region>

Example:

az deployment group create \
  --resource-group ts-rg \
  --template-file deployment/main.bicep \
  --parameters @deployment/main.parameters.json

This provisions:

  • Storage Account (V2, Standard_LRS)
  • Linux Consumption Function App (Node 22)
  • (Optional) Application Insights

Option B – Quick CLI Script

bash deployment/deploy.azcli <resource-group> <region> <storage-account-name> <function-app-name>

This script performs the same tasks as the Bicep template but with fewer customization points.

Note: The storage account name must be globally unique and lowercase (3–24 characters) regardless of the option used.


4. Configure App Settings (Optional Defaults)

By design, each request supplies the Trusted Signatures API Key/ID, so no secrets are required in App Settings. However, you may configure optional defaults (e.g., API endpoint) in the Azure Portal:

  1. Open the Function App ➜ Configuration ➜ Application settings.
  2. Add entries such as DEFAULT_TS_ENDPOINT=https://api.trusted-signatures.com.
  3. Reference them in code if you choose to customize (the default build already expects endpoint per request, so this step is optional).

5. Publish the Function

From your local project directory, choose one deployment method:

Option A: Azure Functions Core Tools (Recommended)

cd function
func azure functionapp publish <function-app-name>

Option B: Manual Deployment

cd function
func azure functionapp publish <function-app-name>

Verify the deployment in the Azure Portal (Function App ➜ Functions; seal-pdf should appear in the list).


6. Test the Endpoint

Use curl or Postman:

curl -X POST https://<function-app>.azurewebsites.net/api/seal-pdf \
  -H "Content-Type: application/json" \
  -d '{
    "pdf": "<base64-encoded pdf>",
    "apiKey": "<hex API key>",
    "apiKeyId": "<API key ID>",
    "endpoint": "https://api.trusted-signatures.com",
    "tsaTimestamp": true,
    "includeLtv": false,
    "limitChanges": "allow-forms"
}'

Expect a binary PDF response with Content-Type: application/pdf.

Errors are returned as:

{ "error": "Human readable message" }
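To call the endpoint from an application rather than curl, here is an added Python client (example code, not part of the connector package) that builds the request body shown above, enforces the 50 MB direct-mode limit before sending, and tells a sealed PDF apart from the error JSON. The x-functions-key header is only needed after switching authLevel to function (section 9, Option 3); the function URL, keys and sample bytes are placeholders.

```python
import base64
import json
import urllib.error
import urllib.request

MAX_DIRECT_BYTES = 50 * 1024 * 1024  # direct-mode request-body limit stated in the guide


def build_seal_request(pdf_bytes, api_key, api_key_id,
                       endpoint="https://api.trusted-signatures.com",
                       tsa_timestamp=True, include_ltv=False, limit_changes="allow-forms"):
    """Build the JSON body documented for /api/seal-pdf; refuse inputs outside direct mode."""
    if not pdf_bytes.startswith(b"%PDF-"):
        raise ValueError("input does not look like a PDF")
    if len(pdf_bytes) > MAX_DIRECT_BYTES:
        raise ValueError("PDF exceeds the 50 MB direct-mode limit; use Blob Storage mode instead")
    return json.dumps({
        "pdf": base64.b64encode(pdf_bytes).decode("ascii"),
        "apiKey": api_key,
        "apiKeyId": api_key_id,
        "endpoint": endpoint,
        "tsaTimestamp": tsa_timestamp,
        "includeLtv": include_ltv,
        "limitChanges": limit_changes,
    }).encode("utf-8")


def parse_seal_response(status, content_type, body):
    """Return the sealed PDF bytes, or raise with the {"error": ...} message the guide documents."""
    if status == 200 and content_type.split(";")[0].strip().lower() == "application/pdf":
        if not body.startswith(b"%PDF-"):
            raise RuntimeError("response declared application/pdf but the body is not a PDF")
        return body
    try:
        message = json.loads(body.decode("utf-8"))["error"]
    except (ValueError, KeyError, TypeError):
        message = body[:200].decode("utf-8", "replace")  # unexpected shape: keep a short excerpt
    raise RuntimeError(f"sealing failed (HTTP {status}): {message}")


def seal_pdf(function_url, pdf_bytes, api_key, api_key_id, function_key=None, **options):
    """POST to the deployed Function; function_key (if set) goes in the x-functions-key header."""
    headers = {"Content-Type": "application/json"}
    if function_key:
        headers["x-functions-key"] = function_key  # checked by Azure once authLevel is 'function'
    body = build_seal_request(pdf_bytes, api_key, api_key_id, **options)
    req = urllib.request.Request(function_url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=120) as resp:
            return parse_seal_response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:  # non-2xx: the body carries the error JSON
        return parse_seal_response(err.code, err.headers.get("Content-Type", ""), err.read())
```

Usage: seal_pdf("https://<function-app>.azurewebsites.net/api/seal-pdf", open("in.pdf", "rb").read(), "<hex API key>", "<API key ID>") returns the sealed bytes to write to disk.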

7. Share with Power Automate

Provide the HTTPS endpoint (https://<function-app>.azurewebsites.net/api/seal-pdf) and the OpenAPI definition (power-automate/swagger.yaml) to the flow author. See power-automate/power-automate-usage.md for step-by-step instructions.


8. Networking and Storage Requirements

Outbound Network Access

The Azure Function requires outbound HTTPS access to:

  • Trusted Signatures API (default: api.trusted-signatures.com:443)
    • Used for PDF sealing operations
    • Customer-configurable endpoint via request parameter
  • Azure Storage (your storage account)
    • Required for Azure Functions runtime operation
    • Automatically configured during deployment
  • Application Insights (optional, if enabled)
    • For telemetry and monitoring
    • Can be disabled if not needed

Firewall Configuration: If your Azure environment uses Network Security Groups or Azure Firewall:

  • Allow outbound HTTPS (port 443) to *.trusted-signatures.com
  • Allow outbound access to your Azure Storage account
  • Allow outbound access to Application Insights endpoints (if enabled)

Storage Requirements

Azure Storage Account (Required):

  • Purpose: Azure Functions runtime requires storage for:
    • Function app content and configuration
    • Runtime state and scaling decisions
    • Temporary files during execution
  • Type: Standard_LRS (locally redundant storage)
  • Size: Minimal usage - typically <1GB for the function itself
  • Data: No customer PDFs are persisted - all processing is in-memory

No Persistent Storage:

  • PDFs are processed entirely in memory
  • No customer data is written to disk or storage
  • Sealed PDFs are returned directly in the HTTP response

9. Security Configuration

IMPORTANT: You are responsible for securing the gateway in your environment. The Function is deployed with anonymous HTTP access to work with Power Automate, but you should restrict access to only your authorized users. All users will need valid Trusted Signatures API keys to use the service.

Option 1: IP Address Restrictions (Simplest)

  1. Azure Portal → Function App → Networking → Access Restrictions
  2. Add Power Automate service IP ranges for your region
  3. Block all other traffic
  • ✅ Easy to configure, no code changes
  • ⚠️ Power Automate IPs are shared across customers

Option 2: Azure AD Authentication (Recommended)

  1. Azure Portal → Function App → Authentication
  2. Add Microsoft identity provider
  3. Restrict to your Azure AD tenant
  4. Update custom connector authentication settings
  • ✅ True user-level security with audit trail
  • ⚠️ Requires updating connector auth configuration

Option 3: Function Keys

  1. Change function authLevel from anonymous to function in code
  2. Generate function-specific keys in Azure Portal
  3. Configure custom connector with the key
  • ✅ Simple, built-in Azure feature
  • ⚠️ Shared key model, not user-specific

Option 4: VNet Integration (Enterprise)

  1. Deploy Function App with VNet integration
  2. Configure private networking
  3. Connect Power Automate via VNet peering
  • ✅ Network-level isolation
  • ⚠️ Complex setup, requires networking expertise

Security Best Practices

  • Monitor access logs via Application Insights
  • Rotate API keys regularly
  • Use least-privilege access for Azure resources
  • Enable diagnostic logging for audit trails
  • Consider API Management for enterprise scenarios

10. Operations Tips

  • Scaling: Consumption plan scales automatically from 0 to 200+ instances based on demand
  • Billing: Pay only for actual usage - $0 when idle, ~$0.000016 per PDF (monitor your Azure billing for specifics in your region)
  • Monitoring: Enable Application Insights for detailed logging and performance metrics
  • Regional deployment: Deploy in your preferred region for lower latency and data residency
