0
votes

Deploying to an existing storage account on a subnet with service endpoints for Microsoft.EventHub, Microsoft.KeyVault, Microsoft.Storage and Microsoft.Web.


Storage account is on a selected vnet:


1
If your function app is not in the same VNet as the storage, it cannot access storage. Please create a function app and integrate the VNet with it. For more details, please refer to docs.microsoft.com/en-us/azure/app-service/… - user10182254

1 Answer

1
votes

It looks like you want to restrict access to your storage account from your function app in a virtual network. If so, you need to enable the storage account service endpoint in a subnet and enable your function app to integrate with that subnet. Your function app should be hosted on an App Service plan which supports virtual networks. For more details, see Integrate your app with an Azure Virtual Network.

Moreover, you could refer to this ARM template to finish most of the work. In this case, you will deploy a regional-vnet-integration and a storage account in the same region as the app service.

If you just enable the storage account service endpoint on this subnet but do not want to integrate your function app with this subnet, you need to allow the possible outbound IPs of your function app in the firewall of the storage account. Also, the function app and storage account should be in different regions in this scenario.

Feel free to let me know if you have any questions.
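
The two access paths described in the answer above can be checked offline against the storage account's ARM `networkAcls` and the function app's site properties. This Python sketch is an added example, not part of the answer or any Microsoft tooling; the subscription ID, resource names, regions and IP addresses are constructed sample values, and `make_app` and `storage_reachable` are hypothetical helper names.

```python
import ipaddress

# Constructed sample values: subscription ID, names, regions and IPs are placeholders.
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
          "/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/functions")
STORAGE = {"location": "westeurope", "networkAcls": {
    "defaultAction": "Deny",
    "virtualNetworkRules": [{"id": SUBNET, "action": "Allow"}],
    "ipRules": [{"value": "203.0.113.0/28", "action": "Allow"}]}}

def make_app(location, subnet_id, outbound_ips):
    """Build the subset of Microsoft.Web/sites properties the check reads."""
    return {"location": location, "virtualNetworkSubnetId": subnet_id,
            "possibleOutboundIpAddresses": outbound_ips}

def storage_reachable(storage, app):
    """Return (ok, reason): can the function app pass the storage firewall?"""
    acls = storage["networkAcls"]
    if acls.get("defaultAction", "Allow") == "Allow":
        return True, "firewall is open (defaultAction Allow)"
    # Path 1: the app is integrated with a subnet the firewall allows.
    allowed = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
    subnet = (app.get("virtualNetworkSubnetId") or "").lower()
    if subnet in allowed:
        return True, "integrated subnet is in virtualNetworkRules"
    # Path 2: every possible outbound IP of the app is covered by an IP rule.
    nets = [ipaddress.ip_network(r["value"], strict=False) for r in acls.get("ipRules", [])]
    ips = [ipaddress.ip_address(s.strip())
           for s in app.get("possibleOutboundIpAddresses", "").split(",") if s.strip()]
    missing = [str(ip) for ip in ips if not any(ip in n for n in nets)]
    if not ips or missing:
        return False, "no allowed subnet; outbound IPs not in ipRules: " + ",".join(missing)
    # The answer's caveat: IP rules only help when the app is in another region.
    if app["location"].lower() == storage["location"].lower():
        return False, "IP rules cover the app, but it is in the storage account's region"
    return True, "all possible outbound IPs are in ipRules"

if __name__ == "__main__":
    for name, app in {
        "integrated": make_app("westeurope", SUBNET, "203.0.113.4"),
        "ip missing": make_app("westeurope", None, "203.0.113.4,198.51.100.7"),
        "ip, same region": make_app("westeurope", None, "203.0.113.4,203.0.113.5"),
        "ip, other region": make_app("northeurope", None, "203.0.113.4,203.0.113.5"),
    }.items():
        print(name, storage_reachable(STORAGE, app))
```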