2

I want to publish my Azure function through VS 2017.

It works fine, but after I activate the firewall on the linked Storage Account I can't deploy my project anymore. I already checked the FW-Settings, it seems okay (no proxy etc.).

I got some ERROR_INSUFFICIENT_ACCESS_TO_SITE_FOLDER Errors.

The given advice from topic doesn't works for me. Not able to publish website on Windows Azure using publish through VS2010.

Any other advice?

Meitoasty
  • 77
  • 1
  • 7
  • How do you activate the firewall on the linked Storage Account? Do you allow the on-premise network? – Nancy Aug 03 '18 at 09:15
  • storage account -> firewalls and virtual networks -> selected networks - add ip ranges -> with my outgoing ip | no virtual networks are configured in azure – Meitoasty Aug 03 '18 at 09:34
  • I test in my site and it works fine, you could refer to this [article](https://learn.microsoft.com/en-us/iis/publish/troubleshooting-web-deploy/web-deploy-error-codes#errorinsufficientaccesstositefolder) to troubleshoot. – Joey Cai Aug 03 '18 at 09:39
  • The Error Code doesnt make any sense to me... If it would be a question about missing rights, it leads to the question: Why does it only throw errors when the fw is active? – Meitoasty Aug 03 '18 at 09:49
  • You can check if set a valid public IP [there](https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#grant-access-from-an-internet-ip-range). Or, restart the VS 2017, re-publish again? – Nancy Aug 03 '18 at 09:58
  • The ip adress is valid and the same as i grant access to my cosmos db (cosmos suggests me this adress). | restart doesn't help – Meitoasty Aug 03 '18 at 10:40
  • It seems to be a problem on azure site. When the Firewall is active, i cant access the functions in the azure portal. I hit the checkboxes in the FW configuration, but the problem persists.... – Meitoasty Aug 03 '18 at 10:52
  • Do you use consumption plan or app service plan ? – Jerry Liu Aug 03 '18 at 10:52
  • im using an app service plan – Meitoasty Aug 03 '18 at 10:55
  • @Meitoasty Could you please try to stop function app before deployment? It looks like you have a lock on filesystem level when deploying. – Roman Patutin Aug 03 '18 at 13:19
  • @patutin ... thanks for your help but this isnt the problem. I think the problem results from the insuffient access from functions to storage, but I dunno where why the function app cannot reach the storage account... When the fw on the storage account is active i even cant create a new function in function apps. – Meitoasty Aug 04 '18 at 09:21
  • I also tried to create a new function on the storage but it says 403 forbidden. do i need another storage account? – Meitoasty Aug 04 '18 at 09:26
  • i tried to resolve it with a second storage account, but it doesnt work either. the app can't access the storage account (all shown ips are virtual ips!). – Meitoasty Aug 04 '18 at 12:29
  • Any further ideas? – Meitoasty Aug 04 '18 at 20:24
  • @Meitoasty Weird, I know this happens when your function app is on consumption plan. Could you check `App Service plan / pricing tier` blade under your function app `Overview` panel, Is it `YourPlanName(Consumption)`? – Jerry Liu Aug 06 '18 at 01:52
  • My current App has Consumption plan (would be the prefered way) | also tested it with an app plan :/.... You say you know that this would happen under consumption plan? How can i fix it? – Meitoasty Aug 06 '18 at 07:06

1 Answers1

3

Solution:

Create a Storage Account which is not in the same region as your function app. For example, if your Function is in Central US, the Storage Account should select a different one like East US. Then modify the following three parameters(in Application settings) with new created Storage Account Connection String.

  1. AzureWebJobsDashboard
  2. AzureWebJobsStorage
  3. WEBSITE_CONTENTAZUREFILECONNECTIONSTRING (only used for Consumption plan)

Configure its Firewall with Function app outbound IP addresses.

  1. On Platform features panel of your Function app, click Resource Explorer.

  2. Find outboundIpAddresses and add all of them to Firewall IP list.

  3. Don't forget to add your local IP if you want to visit Storage Account using Azure Portal. (Not necessary for deployment from VS).

Explanation:

Can only reproduce the INSUFFICIENT_ACCESS for a Function hosted on Consumption plan.

About this problem, the biggest difference between App service and Consumption plan is how they host function files.

For an App service plan, function files we publish or create on portal are stored on some Azure server. Adding firewall settings to Storage Account used by AzureWebJobsDashboard(store function logs in tables) and AzureWebJobsStorage(store function host locks in container), has no influence on function deployment.

While for Consumption plan, function files are stored on the Storage Account specified by WEBSITE_CONTENTAZUREFILECONNECTIONSTRING. When we publish from VS or create functions on portal, function files are deployed from function site to Storage Account. We met the error as we don't add function app IPs to Storage firewall white list.

As for why we have to create the Storage in a region different from Function app's, based on my tests, function seems not leverage the outbound IPs when they two locate at the same region. See some one on GitHub got the same result.

Jerry Liu
  • 17,282
  • 4
  • 40
  • 61