Azure Functions storage account network security

5
votes

I am currently working with a client that requires access to all Azure resource locking down as much as possible and I am having problems with the Storage Account that is utilised by our Azure Functions.

With the Firewalls and Virtual Networks blade in portal set to "All Networks" I am able to deploy to the Function App and it runs without issue.

enter image description here

However once I enable the access restriction by checking "Selected Networks"no matter what virtual network subnets I enter or IP Addresses I can not get the communication to work

enter image description here

I have entered the Outbound IP Addresses of our Consumption based Function App and also check that the additional IP Addresses from the Powershell and all have been added to the whitelist. I have also added all the CIDR IP ranges of the local Azure datacenter but again it does not work.

The problem we have is that once the access restrictions have been put into place we are unable to deploy to the Function App and the app no longer runs. Is this scenario supported and what is the mechanism for tying down access to the Storage Account so that only the Function App can utilise it.

1
azureazure-storageazure-functionsazure-security
Are the Azure function app and Azure storage located in the same region? If not, you could whitelist the outbound IP from function app in your storage firewall.Nancy Xiong
Yes they are in the same region and resource group. I have whitelisted the Outbound IP Addresses but I unable to publish or run the function.Phil Murray

1 Answers

5
votes

As far as I know, you have two options to restrict access to your storage account from your function app or web app.

  1. Whitelist the outboundIpAddresses and possibleOutboundIpAddresses of the function app in the firewall of the storage account. However, it does not work if the Azure function app and Azure storage located in the same region refer to Sam's answer.

when you hit the storage account from your function, because they are in the same region as each other, all the traffic goes over the internal Azure network on internal IP's, not the public IPs listed in the web app, and so is not allowed over the firewall.

  1. If your resources were in different regions, you could use the network section of function app to allow function app to access resources in a VNet, then enable service endpoint for Microsoft.Storage in this app integration subnet. But you need Azure Functions Premium plan referring to this tutorial: integrate Functions with an Azure virtual network.

Sometimes, the deployment order for networking is important. In this case, you will deploy the followings:

Firstly, you could deploy new VNet integration with an unused subnet. After the VNet Integration is completed and the function app is restarted, you could enable service endpoint for this subnet. In the end, you could add the subnet in the firewall of the storage account.

Note that the new version is in Preview, currently. You could also check these characteristics and get more references from this thread.