Azure Deployment Firewall Problems

2
votes

I want to publish my Azure function through VS 2017.

It works fine, but after I activate the firewall on the linked Storage Account I can't deploy my project anymore. I already checked the FW-Settings, it seems okay (no proxy etc.).

I got some ERROR_INSUFFICIENT_ACCESS_TO_SITE_FOLDER Errors.

The given advice from topic doesn't works for me. Not able to publish website on Windows Azure using publish through VS2010.

Any other advice?

1
visual-studioazureazure-storageazure-functions
How do you activate the firewall on the linked Storage Account? Do you allow the on-premise network?Nancy Xiong
storage account -> firewalls and virtual networks -> selected networks - add ip ranges -> with my outgoing ip | no virtual networks are configured in azureMeitoasty
I test in my site and it works fine, you could refer to this article to troubleshoot.Joey Cai
The Error Code doesnt make any sense to me... If it would be a question about missing rights, it leads to the question: Why does it only throw errors when the fw is active?Meitoasty
You can check if set a valid public IP there. Or, restart the VS 2017, re-publish again?Nancy Xiong

1 Answers

3
votes

Solution:

Create a Storage Account which is not in the same region as your function app. For example, if your Function is in Central US, the Storage Account should select a different one like East US. Then modify the following three parameters(in Application settings) with new created Storage Account Connection String.

  1. AzureWebJobsDashboard
  2. AzureWebJobsStorage
  3. WEBSITE_CONTENTAZUREFILECONNECTIONSTRING (only used for Consumption plan)

Configure its Firewall with Function app outbound IP addresses.

  1. On Platform features panel of your Function app, click Resource Explorer.

  2. Find outboundIpAddresses and add all of them to Firewall IP list.

  3. Don't forget to add your local IP if you want to visit Storage Account using Azure Portal. (Not necessary for deployment from VS).

Explanation:

Can only reproduce the INSUFFICIENT_ACCESS for a Function hosted on Consumption plan.

About this problem, the biggest difference between App service and Consumption plan is how they host function files.

For an App service plan, function files we publish or create on portal are stored on some Azure server. Adding firewall settings to Storage Account used by AzureWebJobsDashboard(store function logs in tables) and AzureWebJobsStorage(store function host locks in container), has no influence on function deployment.

While for Consumption plan, function files are stored on the Storage Account specified by WEBSITE_CONTENTAZUREFILECONNECTIONSTRING. When we publish from VS or create functions on portal, function files are deployed from function site to Storage Account. We met the error as we don't add function app IPs to Storage firewall white list.

As for why we have to create the Storage in a region different from Function app's, based on my tests, function seems not leverage the outbound IPs when they two locate at the same region. See some one on GitHub got the same result.