
I have an Azure Function hosted on an (S1) App Service Plan. The Azure Function is integrated with a VNet subnet. This subnet has the Microsoft.Storage and Microsoft.Web service endpoints enabled, and it is also delegated to Microsoft.Web/serverFarms.

On the other hand, the storage account is configured to accept requests only from the same subnet the Azure Function is part of.

Unfortunately, that doesn't work. When I try to communicate with the storage account from the Azure Function, I get the error below:

```text
2020-02-18T02:03:03.505 [Error] Failure Occurred
Azure.RequestFailedException : This request is not authorized to perform this operation.
RequestId:0b034a99-701e-002c-09ff-e5bd0a000000
Time:2020-02-18T02:03:03.1177265Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 0b034a99-701e-002c-09ff-e5bd0a000000
x-ms-client-request-id: 0bbe8185-4657-47f3-8566-5bcbd16c4274
x-ms-error-code: AuthorizationFailure
Date: Tue, 18 Feb 2020 02:03:02 GMT
Content-Length: 246
Content-Type: application/xml

   at Azure.Storage.Blobs.BlobRestClient.Container.GetPropertiesAsync_CreateResponse(ClientDiagnostics clientDiagnostics,Response response)
   at async Azure.Storage.Blobs.BlobRestClient.Container.GetPropertiesAsync(ClientDiagnostics clientDiagnostics,HttpPipeline pipeline,Uri resourceUri,String version,Nullable`1 timeout,String leaseId,String requestId,Boolean async,String operationName,CancellationToken cancellationToken)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at async Azure.Storage.Blobs.BlobContainerClient.GetPropertiesInternal(BlobRequestConditions conditions,Boolean async,CancellationToken cancellationToken)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Azure.Storage.TaskExtensions.EnsureCompleted[T](Task`1 task)
   at Azure.Storage.Blobs.BlobContainerClient.GetProperties(BlobRequestConditions conditions,CancellationToken cancellationToken)
   at SharedLib.Utils.TestStorageAccountAccess() at D:\poc-code\NetworkSecurityPoc\SharedLib\Utils.cs : 13
   at async MessengerFunction.Trigger.Run(HttpRequest req,ILogger log) at D:\poc-code\NetworkSecurityPoc\MessengerFunction\Trigger.cs : 25
```

But when I disable the VNet restriction on the storage account, everything works.

What could I be doing wrong?

Thank you.

AbuShokry
  • Do you use Regional virtual network integration or gateway-required integration? Is the Azure Function app running on Windows or Linux? – Nancy Feb 18 '20 at 02:21
  • I'm using the Regional virtual network integration (the one that says "preview"), and the function app is running on Windows. Actually, my VNet doesn't have a gateway subnet. – AbuShokry Feb 18 '20 at 03:55
  • There should be no other resource in the integrated subnet except for the Azure Function. Also, it's recommended to use [this template](https://github.com/ScottHolden/ARMExamples/blob/master/AppService-VnetNew-Storage/deploy.json) to deploy it automatically. – Nancy Feb 18 '20 at 04:52
  • If you uncheck the `Microsoft.Web` service endpoint in the subnet, does it work? – Nancy Feb 18 '20 at 08:06
  • I've unchecked Microsoft.Web in my current setup, but it still didn't work. I've also deployed the referenced template as is, and that didn't work either. – AbuShokry Feb 18 '20 at 10:16
  • How do you verify the communication with the storage account from the Azure Function? I think it should use a private endpoint with an internal IP address in the dedicated subnet instead of the public endpoint from your Azure Function to the storage account. – Nancy Feb 18 '20 at 10:22
  • I'm using something very simple to verify the communication. `BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString); var containerx = blobServiceClient.GetBlobContainerClient("container-x"); containerx.GetProperties(); // Exception throws here` – AbuShokry Feb 18 '20 at 10:25

2 Answers


The documentation below might help explain why this is happening. From the MS documentation:

> When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can't currently use any virtual network restrictions on this account. If you configure a virtual network service endpoint on the storage account you're using for your function app, that configuration will break your app.

Reference: enter link description here

Rajesh

I would say it's a networking problem, as per here: Function networking. So set `WEBSITE_VNET_ROUTE_ALL` to `1`, then it should work.

Bassam Gamal
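The two answers point at different conditions, and both have to hold before the storage firewall will accept the call. The second answer's setting matters because regional VNet integration, by default, only routes RFC1918 destinations into the VNet; the storage account's public endpoint is not an RFC1918 address, so without `WEBSITE_VNET_ROUTE_ALL=1` the request leaves from the app's shared outbound IP, the service endpoint never tags it with the subnet, and the firewall answers 403 `AuthorizationFailure`. The first answer's caveat is that the account behind `AzureWebJobsStorage` must stay unrestricted, so the locked-down account has to be a second one. The pre-flight checker below is an added example, not code from the question or either answer. It reads the JSON the Azure CLI prints for the integrated subnet, the function app settings and the storage account's network rule set, and reports which conditions from this thread are not met. The JSON shapes are assumptions about the CLI output trimmed to the fields used; the resource names (`poc-rg`, `fn-subnet`, `pocdata`, `pochost`) and the sample settings are constructed for the example.

```python
"""Pre-flight checker for the 403 AuthorizationFailure pattern in this thread.

Added example; not code from the question or either answer. JSON shapes are
assumptions about `az` output, trimmed to the fields used. Names are made up.
"""
import json
import re
from typing import List, Optional

# --- constructed sample input (not real resources) ---------------------------

SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/poc-rg"
    "/providers/Microsoft.Network/virtualNetworks/poc-vnet/subnets/fn-subnet"
)

# `az network vnet subnet show` (assumed shape, trimmed)
SUBNET_JSON = json.dumps({
    "id": SUBNET_ID,
    "delegations": [{"serviceName": "Microsoft.Web/serverFarms"}],
    "serviceEndpoints": [{"service": "Microsoft.Storage"}, {"service": "Microsoft.Web"}],
})

# `az storage account show --query networkRuleSet` for account "pocdata" (assumed shape)
NETWORK_RULES_JSON = json.dumps({
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID, "action": "Allow"}],
})

# `az functionapp config appsettings list` (assumed shape) as the question describes it:
# no WEBSITE_VNET_ROUTE_ALL, and the runtime's AzureWebJobsStorage is the restricted account.
BROKEN_APPSETTINGS_JSON = json.dumps([
    {"name": "AzureWebJobsStorage",
     "value": "DefaultEndpointsProtocol=https;AccountName=pocdata;AccountKey=REDACTED;EndpointSuffix=core.windows.net"},
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet"},
])

# The same settings after applying both answers: route all traffic into the VNet and
# give the Functions runtime its own, unrestricted account ("pochost").
FIXED_APPSETTINGS_JSON = json.dumps([
    {"name": "AzureWebJobsStorage",
     "value": "DefaultEndpointsProtocol=https;AccountName=pochost;AccountKey=REDACTED;EndpointSuffix=core.windows.net"},
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet"},
    {"name": "WEBSITE_VNET_ROUTE_ALL", "value": "1"},
])


def account_name_from_connection_string(conn: str) -> Optional[str]:
    """Pull AccountName= out of a storage connection string (None if absent)."""
    match = re.search(r"(?:^|;)AccountName=([^;]+)", conn)
    return match.group(1) if match else None


def check_config(storage_account: str, subnet_json: str, appsettings_json: str, rules_json: str) -> List[str]:
    """Return the misconfigurations found; an empty list means every check passed."""
    subnet = json.loads(subnet_json)
    settings = {s["name"]: s["value"] for s in json.loads(appsettings_json)}
    rules = json.loads(rules_json)
    findings = []

    # 1. The subnet must be delegated to Microsoft.Web/serverFarms and carry the
    #    Microsoft.Storage service endpoint, or storage never sees a subnet identity.
    delegations = {d["serviceName"] for d in subnet.get("delegations", [])}
    if "Microsoft.Web/serverFarms" not in delegations:
        findings.append("subnet is not delegated to Microsoft.Web/serverFarms")
    endpoints = {e["service"] for e in subnet.get("serviceEndpoints", [])}
    if "Microsoft.Storage" not in endpoints:
        findings.append("subnet lacks the Microsoft.Storage service endpoint")

    # 2. The storage firewall must list that exact subnet. IDs are compared
    #    case-insensitively because the portal and the CLI differ in casing.
    allowed = {
        r["virtualNetworkResourceId"].lower()
        for r in rules.get("virtualNetworkRules", [])
        if r.get("action", "Allow") == "Allow"
    }
    if rules.get("defaultAction") == "Deny" and subnet["id"].lower() not in allowed:
        findings.append("storage firewall does not allow the integrated subnet")

    # 3. Second answer: without WEBSITE_VNET_ROUTE_ALL=1 only RFC1918 destinations are
    #    routed into the VNet; the storage public endpoint is not, so the request leaves
    #    from the app's shared outbound IP and the firewall answers 403.
    if settings.get("WEBSITE_VNET_ROUTE_ALL") != "1":
        findings.append("WEBSITE_VNET_ROUTE_ALL is not 1; storage traffic bypasses the VNet")

    # 4. First answer: the account behind AzureWebJobsStorage cannot sit behind a VNet
    #    rule, so the restricted account must not be the runtime's host account.
    host = account_name_from_connection_string(settings.get("AzureWebJobsStorage", ""))
    if host is not None and host.lower() == storage_account.lower():
        findings.append("AzureWebJobsStorage uses the restricted account; give the runtime its own account")

    return findings


if __name__ == "__main__":
    for label, appsettings in (("as posted", BROKEN_APPSETTINGS_JSON),
                               ("after both answers", FIXED_APPSETTINGS_JSON)):
        print(label, check_config("pocdata", SUBNET_JSON, appsettings, NETWORK_RULES_JSON) or ["ok"])
```

Run against the settings as the question describes them, the checker reports the two findings the answers cover (no `WEBSITE_VNET_ROUTE_ALL`, and the runtime's own account being the restricted one); with the fixed settings it reports nothing. In practice you would feed it the real `az` output for your subnet, app settings and storage account instead of the constructed samples, and only then add the VNet rule to the data account.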