What are the ways to secure Azure Functions


By default Azure Functions are public. So you deploy them and the endpoint is available publicly via the address on the function. As you mentioned, you can set function-level access, which means you need to pass an access key. So they are kind of protected.

There are some other options though:

You can build functions inside a VNet using the Azure environment service. But for this you pay good money and you have to use the service plan version of Azure Functions.

I have combined API Management with functions. API Management is a way to expose your APIs to consumers but maintain lots of control over the usage. The API Management component does not prevent the public Azure address being available, but I have implemented a pattern in code which checks for a special token which is appended to an HTTP request as part of the API Management pass-through. Or alternatively you can set IP restrictions on the Function app to allow traffic only from the API Management endpoint (IP address). So effectively you can only go to the function via API Management.

Just a note on the above: the Azure portal has removed the ability to set IP restrictions via the standard functions network tab. So you need to go into the resource explorer and set the IP restrictions manually in the web config section.

Lastly, you could set up an OAuth server and validate the token in the function, or in an API Management component, or both.


Azure ASE (App Service Environment) is way too expensive for only 5 functions. You can secure the functions by adding an Application Gateway and whitelisting the IP address of the Application Gateway in the function. You can find more details here: Whitelisting in Azure Functions

This is all in addition to having token based or AAD based authentication and authorization (like 'Noel' mentioned in the previous reply).


The best way to protect your Azure Functions is by AAD or an authentication server you trust. If that is not feasible, probably because you are consuming these functions from a console or an app that does not support the authorization code flow, or they are used by users who do not exist in your AAD, then use APIM. The technique provided by @Noel below is powerful and it is needed to restrict access to your functions only from APIM (functions should not be anonymous, and there is no need to have any authorization code aside from the APIM code).

Now think how to protect the APIM. You have multiple options, but probably you can consider the client certificate as a means of proper authentication. At the end, consumers need to have something to authenticate them (password, certificate, device, or anything). So setting a policy to check the existence of a certificate and finding a way to validate that certificate can help protect your APIM. The question now becomes about protecting the APIM, and here you have many policy-based options.

Hope that helps. (Also don't forget to consider the other solutions provided by Noel above.)