
Problem Outline

Azure Function App cannot be accessed once it is integrated into a VNET and WEBSITE_VNET_ROUTE_ALL is set to 1.

This is required so that the Function App can securely connect to SQL without making the SQL publicly available.

Errors:

Unable to list Function App keys.


HTTP request (curl) from within a VM in the same network fails: 504 Gateway Timed out


Architectural Diagram


Steps to reproduce

  1. Create a Resource Group
  2. Create a VNET with 10.20.11.0/26 address space
  3. Create a Subnet for the Function App to integrate into with address range of 10.20.11.0/27
  4. Create a Linux Function App and integrate it into the VNET you created in step 2.
  5. See that App keys still load as normal.
  6. Create a Subnet for the database with address range of 10.20.11.32/27
  7. Create SQL Server and SQL Database.
  8. Create a Private Link with DNS Zone on the Database and restrict public access.
  9. Link DNS Zone to VNET created in step 2.
  10. See that the Function App resolves the SQL private link as a public IP address.
  11. In the Function App configuration, add an Application setting WEBSITE_VNET_ROUTE_ALL and set it to 1.
  12. See that Function app now resolves SQL private link as private IP address
  13. See that Function App keys are not loading.
  14. Attempt to connect to Azure Functions through a connection from the network or from the public link.
  15. See that Function app gateway times out.

Through an SSH connection into the Function App and with nslookup we determined that the connection to the private link resolves the local IP address of the SQL database as expected.

With the WEBSITE_VNET_ROUTE_ALL flag set to 0, nslookup resolves the public IP of the SQL database.

As the SQL database is restricted and only available on the network, it is vital that the WEBSITE_VNET_ROUTE_ALL setting is set to 1.

Screenshots of the nslookup output with WEBSITE_VNET_ROUTE_ALL = 1 (private IP returned) and with WEBSITE_VNET_ROUTE_ALL = 0 (public IP returned) were attached to the original post; the images are not reproduced here.

References

https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

  • What is your end question here, exactly? Is this actually related to programming, as the problem appears to be more related to Azure and permissions and functionality there, which may well not be on topic for SO. – Thom A Sep 08 '20 at 10:05

1 Answer

This was resolved by adding a "Microsoft.Storage" service endpoint to the Function App subnet.

When all of the traffic is sent into the vnet, it needs a service endpoint to Storage so that it can read the Function App configuration and functions.

  1. Navigate to your Virtual Network resource
  2. In the side menu, under Settings, select "Service endpoints"
  3. Click on "Add"
  4. Select "Microsoft.Storage" from the Service dropdown
  5. Add policies if needed (I did not select any policies here)
  6. Associate the Function App subnet
  7. Add.
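
The answer's portal steps, and the nslookup check from the question, as an added shell script (not code from the question or the answer). It assumes Azure CLI is installed and logged in, and uses placeholder names for the resource group, VNET, subnet, Function App and SQL server; the address ranges are the ones from the question. Nothing touches Azure unless the script is run with the argument `apply`, so the offline helpers that classify a resolved address as private or public can be used on their own.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the fix in the answer, plus an offline
# check that the SQL FQDN resolves to an address inside the database subnet once
# WEBSITE_VNET_ROUTE_ALL=1 forces traffic into the VNET.
# All resource names are placeholders (assumed); override them via environment.
set -eu

RG="${RG:-rg-funcapp-demo}"                          # placeholder resource group
VNET="${VNET:-vnet-funcapp-demo}"                    # VNET from step 2 (10.20.11.0/26)
FUNC_SUBNET="${FUNC_SUBNET:-snet-func}"              # step 3 subnet, 10.20.11.0/27
DB_SUBNET_CIDR="${DB_SUBNET_CIDR:-10.20.11.32/27}"   # step 6 subnet holding the private endpoint
APP="${APP:-func-demo-app}"                          # placeholder Function App name
SQL_FQDN="${SQL_FQDN:-sqldemo.database.windows.net}" # placeholder SQL server FQDN

# ---- the fix from the answer (portal steps 1-7) as CLI ----
add_storage_service_endpoint() {
  # With route-all enabled, the app's storage traffic also goes through the VNET;
  # the Microsoft.Storage service endpoint lets the subnet reach the storage
  # account that holds host keys, configuration and function code.
  az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$FUNC_SUBNET" \
    --service-endpoints Microsoft.Storage
}

enable_route_all() {
  # Step 11 of the question: force all outbound traffic through the VNET.
  az functionapp config appsettings set \
    --name "$APP" --resource-group "$RG" \
    --settings WEBSITE_VNET_ROUTE_ALL=1
}

show_service_endpoints() {
  # Verification: list the service endpoints now attached to the subnet.
  az network vnet subnet show \
    --resource-group "$RG" --vnet-name "$VNET" --name "$FUNC_SUBNET" \
    --query "serviceEndpoints[].service" -o tsv
}

# ---- offline helpers: is the address the app resolved actually private? ----
ip_to_int() {
  # Dotted quad -> 32-bit integer (POSIX sh arithmetic only).
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {
  # ip_in_cidr ADDRESS NETWORK/PREFIX -> exit 0 when ADDRESS is inside the range.
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  prefix=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

classify_resolution() {
  # classify_resolution RESOLVED_IP DB_SUBNET_CIDR
  # Prints "private" when the private DNS zone and route-all are working
  # (address lies in the database subnet), otherwise "public".
  if ip_in_cidr "$1" "$2"; then echo private; else echo public; fi
}

resolve_sql() {
  # Run from the Function App's SSH console or a VM in the VNET; first A record only.
  getent hosts "$SQL_FQDN" | awk '{ print $1; exit }'
}

# Only touch Azure when explicitly asked:  sh fix.sh apply
if [ "${1:-}" = "apply" ]; then
  add_storage_service_endpoint
  enable_route_all
  echo "Service endpoints on $FUNC_SUBNET: $(show_service_endpoints)"
  echo "$SQL_FQDN resolves as: $(classify_resolution "$(resolve_sql)" "$DB_SUBNET_CIDR")"
fi
```

Running the script with `apply` from a machine with Azure CLI applies both settings and then reports whether the SQL name resolves into 10.20.11.32/27; running `classify_resolution` by hand against the address nslookup printed in the Kudu console gives the same private/public verdict without touching Azure.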
  • Could you elaborate please? I am facing the same issue. – CB_Ron Oct 20 '20 at 22:15
  • @CB_Ron I added more detail. Hope it helps. – Gerrit van Huyssteen Oct 21 '20 at 05:47
  • I had exactly the same problem about 3 months ago with almost the same configuration (the difference was that I had a private endpoint for an IoT Hub and not for an SQL database). I've tried to reproduce this error again (just to investigate some things) but now it works every time even without the service endpoint. Could you try to reproduce the error from your initial question (so without adding the service endpoint)? Because it looks like it might have got fixed in the meantime (I think the necessity of adding the Microsoft.Storage service endpoint wasn't documented anywhere). – kamilz Feb 03 '21 at 20:34
  • Thank you @Gerrit van Huyssteen, you saved my day. – Minh Aug 28 '23 at 11:56