Hi,
To your rescue you have Premium Plan from Functions : https://github.com/Azure/Azure-Functions/tree/master/functions-premium-plan. You can ignore ASE (App Service Environment). I have seen enough issues there with ASE so I would avoid it personally.
There are multiple things here, Restricting from IP based like what you mentioned firewall/NSG/ACL.... but typical questions we ask ourselves for functions are
Who is allowed to access it, should that be AAD user? Then integrate it accordingly - Programatically possible
Extenal users trying to ping the functions HTTP endpoint? Then layer to protect, similar to WAF
Internal Users but only specific group? Check the Roles
Internal Users from specific region? Why not abstract it with API Management?
Is Functions allowed to ping backend? Why not use Managed Service Identity
This is just a small set, but as I mentioned checkout Premium plan from Functions along with other requirements to fully secure Functions.
Hope that could make sense :)
Cheers
K
Koushik