3

We have a time-triggered Azure Function deployed on the portal to perform an iterative task at a specific time. Our Azure Function uses the database deployed on an Azure VM via a connection string provided in AppSettings. The function throws the following error on running:

MySql.Data: Authentication to host 'xxx' for user 'xxx' using method 'mysql_native_password' failed with message: Client with IP address 'x.x.x.x' is not allowed to connect to this MySQL server. MySql.Data: Client with IP address 'x.x.x.x' is not allowed to connect to this MySQL server

When we white-list the IP mentioned in the error message, the function runs successfully. But since the Azure Function has no determined workstation or PC of the same IP that handles the execution, whenever the function runs from a new IP, it throws the error again. Therefore, we require a mechanism by which we can white-list all IPs of the PCs that will be running our Function App, OR some better mechanism to authenticate and allow the Azure Function to access our database hosted on the Azure VM.

What we tried:

  • We white-listed the Virtual IP address of the function app. But it doesn't work every time.
  • We tried to white-list the IP ranges obtained from Microsoft Datacenter of the region in which our function app is deployed. But this method also didn't work.

  • Azure application can't access database on Azure VM?

Thus, is there any way by which an Azure Function can securely access our database deployed on a virtual machine?

I have opened an issue on GitHub but there is no reply yet from there.

Jan_V
Karan Desai
  • In my mind, you can either use a classic App Service for your function app (you will have static outbound IP addresses) or use Azure Database for MySQL rather than a VM – Thomas Mar 05 '18 at 11:29
  • Hmmm, it appears that vnet security group rules don't have managed service identity integration... apologies - I've deleted my answer. I agree with Thomas: you'll need to have an azure mysql instance (and possibly then use managed service identity) – Nathan Mar 07 '18 at 08:48

2 Answers

4

Finally, after thorough research, I found the solution.

One needs to white-list all outbound IPs of the Function App on the virtual machine where the DB is deployed. The outbound IP addresses can be found at resources.azure.com. On searching for your resource (in my case the Function App's name), there will be a long JSON output from which you have to pick the possibleOutboundIpAddresses parameter, as shown in the image. Whitelist all the IPs and then your Azure Function App can access your database deployed on the virtual machine.

Also, I searched whether these IPs tend to change on a regular basis or not. While I didn't find any official word on it, from various internet sources I came to know that even if the IPs are ever planned to be changed, everyone will get enough notification beforehand to prevent any problems.

Image

Karan Desai
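A small helper for the step above, added here as an example and not code from the answer: it parses the comma-separated possibleOutboundIpAddresses string out of the site resource JSON, reports which addresses an existing allowlist still lacks, and emits host-restricted MySQL accounts plus an NSG rule for them. The resource JSON, resource group, NSG name and database user are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample shaped like the site resource JSON shown on
# resources.azure.com (the real output carries many more properties).
SAMPLE_RESOURCE = json.dumps({
    "name": "my-func-app",  # placeholder name
    "properties": {
        "outboundIpAddresses": "203.0.113.10,203.0.113.11",
        "possibleOutboundIpAddresses":
            "203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.11",
    },
})


def parse_outbound_ips(resource_json, key="possibleOutboundIpAddresses"):
    """Return the de-duplicated, validated IPv4 list held in the
    comma-separated `key` property; raises ValueError on malformed entries."""
    props = json.loads(resource_json)["properties"]
    ips = []
    for raw in props.get(key, "").split(","):
        raw = raw.strip()
        if not raw:
            continue
        ip = str(ipaddress.ip_address(raw))  # rejects junk such as 'x.x.x.x'
        if ip not in ips:
            ips.append(ip)
    return ips


def missing_from_allowlist(resource_json, allowlist):
    """Addresses the app may egress from that the VM allowlist does not cover."""
    covered = set(allowlist)
    return [ip for ip in parse_outbound_ips(resource_json) if ip not in covered]


def mysql_user_statements(user, ips):
    """One host-restricted MySQL account per outbound IP instead of 'user'@'%'."""
    return [f"CREATE USER IF NOT EXISTS '{user}'@'{ip}' IDENTIFIED BY '<password>';"
            for ip in ips]


def nsg_rule_command(resource_group, nsg_name, ips, port=3306):
    """az CLI command that admits only the listed sources to MySQL on the VM."""
    return ("az network nsg rule create "
            f"--resource-group {resource_group} --nsg-name {nsg_name} "
            "--name allow-functionapp-mysql --priority 300 --direction Inbound "
            f"--access Allow --protocol Tcp --destination-port-ranges {port} "
            f"--source-address-prefixes {' '.join(ips)}")
```

Parse possibleOutboundIpAddresses rather than outboundIpAddresses: the former is the superset the app can move to, which is why whitelisting only the address from the error message keeps breaking.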
1

You need to set up a Virtual Network (VNet) where both your App Service Plan hosting the Azure Function and the VM participate.

Then from Azure Functions, view All Properties > Networking and you should see the virtual network to connect.

This method doesn't require you to whitelist IP addresses for your VM and secures your VM by allowing only internal network traffic.

Note that your Azure Function must be set up on an App Service Plan, rather than on a Consumption plan.

June Lau