I have an Azure Function v1, SDK 1.0.24, trying to access my Storage Queue, which works fine locally, and I can see the messages stored properly. But as soon as I publish it to the cloud it fails with a 403 Forbidden, and I have run out of clues.
I checked the connection string several times, and I checked the timestamps in the request and response, which are totally fine. I tried updating several NuGet packages, but in the end, why would it work locally but not online if they were broken? I am not using Application Insights. In the Host Log I found this error:

    2019-01-16T12:38:32.460 [Verbose] Host '44bf8a95b6652eed85464155b2b48df2' failed to acquire host lock lease: Microsoft.WindowsAzure.Storage: The remote server returned an error: (403) Forbidden.

I suspect there is a security-related setting within Azure that prevents the access (but I don't have any control over the security features, and the admin also has no idea what the blocking issue could be).
The issue is happening with a QueueTrigger, so I made a small function with alternative access to reproduce the issue:

    using System;
    using System.Configuration;
    using System.Net;
    using System.Net.Http;
    using System.Threading.Tasks;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Azure.WebJobs.Host;
    using Microsoft.WindowsAzure.Storage;
    using Microsoft.WindowsAzure.Storage.Queue;

    public static class TestStorageQueue
    {
        [FunctionName("TestStorageQueue")]
        public static async Task<HttpResponseMessage> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)]HttpRequestMessage req,
            TraceWriter log)
        {
            log.Info("START");
            try
            {
                var response = new HttpResponseMessage(HttpStatusCode.OK);
                // Debug output: this writes the full connection string, account key included, to the function log.
                log.Info(ConfigurationManager.ConnectionStrings["soastorage"]?.ConnectionString);
                CloudStorageAccount storeAccount = CloudStorageAccount.Parse(ConfigurationManager.ConnectionStrings["soastorage"]?.ConnectionString);
                CloudQueueClient queueClient = storeAccount.CreateCloudQueueClient();
                CloudQueue queue = queueClient.GetQueueReference("myqueue");
                log.Info("trying to get message from queue");
                // Awaited so the async method actually contains an await.
                var cloudMessage = await queue.GetMessageAsync(); // 403 happens here
                log.Info("received message item");
                var message = cloudMessage?.AsBytes;
                var length = message?.Length ?? 0;
                response.Content = new StringContent("received message length: " + length.ToString());
                return response;
            }
            catch (Exception ex)
            {
                // Return the exception text to the caller so the failure is visible without log access.
                var response = new HttpResponseMessage(HttpStatusCode.InternalServerError);
                response.Content = new StringContent(ex.Message);
                return response;
            }
        }
    }

Update: It's funny, I searched for an answer for 2 days and as soon as I posted it, we found the reason. The issue is the Azure Storage Firewall; even with whitelisting all MS Services it keeps blocking them. So the temporary solution was to switch it off, which is not really the solution, so the question is still pending.
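
An added example, not part of the original post: the 403 above carries an extended error code that separates a credential or clock problem from a request the service authenticated but refused, which is the case the update describes. The class and method names here are hypothetical, and the mapping of codes to likely causes is this example's own triage guidance; only the `StorageException` members come from the WindowsAzure.Storage package the function already uses.

```csharp
using System;
using Microsoft.WindowsAzure.Storage;

// Hypothetical helper (not from the original post): turns a storage 403 into a triage hint.
public static class Storage403Triage
{
    // Maps the service's extended error code to the area worth checking first.
    public static string Classify(int httpStatus, string errorCode)
    {
        if (httpStatus != 403)
            return "not a 403, handle separately";

        switch (errorCode)
        {
            case "AuthenticationFailed":
                // The signature did not verify: wrong key, malformed SAS, or skewed request time.
                return "check account key / SAS token and clock skew";
            case "AuthorizationFailure":
                // The request authenticated but was refused; the storage firewall and
                // virtual network rules are the first thing to review for this code.
                return "check storage firewall / network rules for the caller's address";
            case "InsufficientAccountPermissions":
                return "check the permissions granted to the account or SAS";
            case "AccountIsDisabled":
                return "check the storage account state";
            default:
                return "unclassified 403, code: " + (errorCode ?? "<none>");
        }
    }

    // Builds one log line with the fields an administrator needs for correlation.
    // It never logs the connection string or key.
    public static string Describe(StorageException ex)
    {
        RequestResult info = ex.RequestInformation;
        string code = info?.ExtendedErrorInformation?.ErrorCode;
        int status = info?.HttpStatusCode ?? 0;
        return $"status={status} code={code ?? "<none>"} " +
               $"requestId={info?.ServiceRequestID} hint={Classify(status, code)}";
    }
}
```

In the repro function this would go in a `catch (StorageException ex)` placed before the general `catch`, with `log.Error(Storage403Triage.Describe(ex))`; the request ID can be matched against the storage account's own diagnostic logs.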