0
votes

I have set up an Azure KeyVault with vNET firewalls activated. I also set up an Azure Functions App (Premium, Linux, Python) with vNET integration. I've added the function app's subnet also as a service endpoint on the key vault. However, I am still not able to access the key vault from the Azure function.

I get an error message saying that the Azure Functions IP (public IP) cannot access the Key Vault.

Am I missing something? Or is it something that just doesn't work at the moment?

Whitelisting the Azure Functions IP within Key Vault isn't what I am looking for, since the communication would still go through the public endpoint.

Thanks!

2
What error are you seeing? Have you added an access policy to the keyvault for the Function App? – DreadedFrost

@DreadedFrost Yes I did add the key vault access policy. It is more of a networking problem. I get an error message saying that the Functions IP (public IP) cannot access the Key Vault. Key Vault is accessed via Python SDK using its DNS name – candidson

2 Answers

0
votes

You could check the following:

  • Use the new vNet Integration. You should meet all the limitations for the regional vNet Integration. This feature requires that the app and the VNet must be in the same region. It also requires an unused subnet for VNet integration.
  • Enable the service endpoint Microsoft.KeyVault for your function subnet.
  • Make sure you have added the correct function subnet in the firewall of Key Vault.

Sometimes the deployment order, or the long time vNet configuration takes, is important; you could refer to this working template to complete the deployment.
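As an added example (not from this answer, the linked template or Microsoft's documentation), a Bicep template that wires the three items above together: a delegated subnet with the Microsoft.KeyVault service endpoint, a Key Vault firewall that denies everything except that subnet, and a Linux Premium function app integrated into it. Resource names, the address ranges and the vault name are placeholders, and the function app's storage account settings are omitted.

```bicep
param location string = resourceGroup().location
param kvName string = 'kv-placeholder-name'   // placeholder, must be globally unique
param funcName string = 'func-placeholder-name'

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'func-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'func-integration'   // unused subnet, dedicated to the function app
        properties: {
          addressPrefix: '10.10.1.0/24'
          // Service endpoint so traffic to Key Vault carries the subnet identity
          serviceEndpoints: [ { service: 'Microsoft.KeyVault' } ]
          // Regional vNet integration requires the subnet delegated to App Service
          delegations: [ { name: 'web', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
    ]
  }
}

resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: kvName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    accessPolicies: []   // add the function app's identity here (data-plane access)
    networkAcls: {
      defaultAction: 'Deny'   // firewall on: public IPs are rejected
      bypass: 'None'          // App Service is not a trusted service, so bypass would not help
      // The same subnet that the function app is integrated with, not any other one
      virtualNetworkRules: [ { id: vnet.properties.subnets[0].id } ]
    }
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: 'func-premium-plan'
  location: location   // same region as the vNet, a requirement of regional integration
  kind: 'linux'
  sku: { name: 'EP1', tier: 'ElasticPremium' }
  properties: { reserved: true }
}

resource func 'Microsoft.Web/sites@2022-03-01' = {
  name: funcName
  kind: 'functionapp,linux'
  location: location
  properties: {
    serverFarmId: plan.id
    virtualNetworkSubnetId: vnet.properties.subnets[0].id   // regional vNet integration
    siteConfig: { linuxFxVersion: 'Python|3.9', vnetRouteAllEnabled: true }
  }
}
```

Referencing `vnet.properties.subnets[0].id` from both the vault and the function app makes Bicep deploy the vNet first, which addresses the ordering concern above.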

0
votes

So VNet Integration with App Service (Function App) only supports

Deploy Azure Web App Certificate through Key Vault.

Here is the documentation that lists all "Trusted Services" Key Vault supports

Here is another blog that illustrates the same issue you are facing

The question does not want to whitelist IPs on the Key Vault, but to confirm that this support is the issue, the recommendation is to whitelist and see if it works. If it does, that confirms the issue: retrieving secrets from an App Service is not a "Trusted Service" for Key Vault.