3
votes

I have an Azure Function hosted on an (S1) App Service Plan. The Azure Function is integrated with a VNet subnet. This subnet has the Microsoft.Storage and Microsoft.Web service endpoints enabled, and it is also delegated to Microsoft.Web/serverFarms.

On the other hand, the storage account is configured to accept requests only from the same subnet the Azure Function is part of.

Unfortunately, that doesn't work. When I try to communicate with the storage account from the Azure Function, I get the error below:

2020-02-18T02:03:03.505 [Error] Faliure Occured
Azure.RequestFailedException : This request is not authorized to perform this operation.
RequestId:0b034a99-701e-002c-09ff-e5bd0a000000
Time:2020-02-18T02:03:03.1177265Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 0b034a99-701e-002c-09ff-e5bd0a000000
x-ms-client-request-id: 0bbe8185-4657-47f3-8566-5bcbd16c4274
x-ms-error-code: AuthorizationFailure
Date: Tue, 18 Feb 2020 02:03:02 GMT
Content-Length: 246
Content-Type: application/xml

   at Azure.Storage.Blobs.BlobRestClient.Container.GetPropertiesAsync_CreateResponse(ClientDiagnostics clientDiagnostics,Response response)
   at async Azure.Storage.Blobs.BlobRestClient.Container.GetPropertiesAsync(ClientDiagnostics clientDiagnostics,HttpPipeline pipeline,Uri resourceUri,String version,Nullable`1 timeout,String leaseId,String requestId,Boolean async,String operationName,CancellationToken cancellationToken)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at async Azure.Storage.Blobs.BlobContainerClient.GetPropertiesInternal(BlobRequestConditions conditions,Boolean async,CancellationToken cancellationToken)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Azure.Storage.TaskExtensions.EnsureCompleted[T](Task`1 task)
   at Azure.Storage.Blobs.BlobContainerClient.GetProperties(BlobRequestConditions conditions,CancellationToken cancellationToken)
   at SharedLib.Utils.TestStorageAccountAccess() at D:\poc-code\NetworkSecurityPoc\SharedLib\Utils.cs : 13
   at async MessengerFunction.Trigger.Run(HttpRequest req,ILogger log) at D:\poc-code\NetworkSecurityPoc\MessengerFunction\Trigger.cs : 25

But when I disable the vnet restriction on the storage account, everything works.

What could I be doing wrong?

Thank you.

2
Do you use Regional virtual network integration or gateway-required integration? Is the Azure Function app running on Windows or Linux? - Nancy Xiong

I'm using the Regional virtual network integration (the one that says "preview"), and the function app is running on Windows. Actually, my VNet doesn't have a gateway subnet. - AbuShokry

There should be no other resource used in the integrated subnet except for the Azure Function. Also, it's recommended to use this template to automatically deploy it. - Nancy Xiong

If you uncheck the Microsoft.Web service endpoint in the subnet, does it work? - Nancy Xiong

I've unchecked Microsoft.Web in my current setup, but it still didn't work. I've also deployed the referenced template as is, and it also didn't work. - AbuShokry

2 Answers

0
votes

The documentation below might help explain why this is happening. From the MS documentation: "When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can't currently use any virtual network restrictions on this account. If you configure a virtual network service endpoint on the storage account you're using for your function app, that configuration will break your app."

0
votes

I would say it's a networking problem, as per Function networking. So set WEBSITE_VNET_ROUTE_ALL to 1; then it should work.
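As an added example (not code from the question or from either answer), the az CLI steps that put the configuration discussed in this thread in place: the Microsoft.Storage service endpoint on the integrated subnet, a storage firewall that allows only that subnet, and WEBSITE_VNET_ROUTE_ALL=1 on the function app. Resource names (rg-poc, stpocstorage, vnet-poc, snet-func, func-messenger) are placeholders, and the restricted account is assumed to be a separate data account, not the one referenced by AzureWebJobsStorage, which the first answer says cannot be VNet-restricted.

```shell
#!/usr/bin/env bash
# Added example: restrict a data storage account to a function app's
# integrated subnet. All resource names below are placeholders.
set -eu

RG="${RG:-rg-poc}"
STORAGE="${STORAGE:-stpocstorage}"   # data account, NOT the AzureWebJobsStorage account
VNET="${VNET:-vnet-poc}"
SUBNET="${SUBNET:-snet-func}"          # subnet delegated to Microsoft.Web/serverFarms
FUNC="${FUNC:-func-messenger}"

# Executes a command, or only prints it when DRY_RUN=1 (lets you review the
# exact calls before touching the subscription).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. The subnet needs the Microsoft.Storage service endpoint; without it the
#    storage firewall cannot identify the source subnet and replies
#    403 AuthorizationFailure, exactly as in the question's stack trace.
ensure_service_endpoint() {
  run az network vnet subnet update --resource-group "$RG" \
    --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage Microsoft.Web
}

# 2. Deny by default, then allow only the integrated subnet.
restrict_storage_to_subnet() {
  run az storage account update --resource-group "$RG" --name "$STORAGE" \
    --default-action Deny --bypass AzureServices
  run az storage account network-rule add --resource-group "$RG" \
    --account-name "$STORAGE" --vnet-name "$VNET" --subnet "$SUBNET"
}

# 3. Regional VNet integration only routes private (RFC 1918) ranges by
#    default; WEBSITE_VNET_ROUTE_ALL=1 sends all outbound traffic, including
#    storage traffic, through the subnet so the service endpoint applies.
route_all_through_vnet() {
  run az functionapp config appsettings set --resource-group "$RG" \
    --name "$FUNC" --settings WEBSITE_VNET_ROUTE_ALL=1
}

# 4. Print the effective rule set so the allowed subnet id can be compared
#    with the id of the subnet the function app is integrated with.
show_effective_rules() {
  run az storage account show --resource-group "$RG" --name "$STORAGE" \
    --query 'networkRuleSet.{defaultAction:defaultAction,subnets:virtualNetworkRules[].virtualNetworkResourceId}' -o json
}
```

Run with DRY_RUN=1 first to print the commands, then call ensure_service_endpoint, restrict_storage_to_subnet, route_all_through_vnet and show_effective_rules in that order against a logged-in az session.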