Limiting access to Storage Account from Azure Function Subnet

3
votes

I have an azure function hosted on an (S1) App Service Plan. The Azure Function is integrated to a VNet subnet. This subnet has Microsoft.Storage and Microsoft.Web service endpoints enabled, and also it's delegated to Microsoft.Web/serverFarms

On the other hand, the storage account is configured to accept request only from the same subnet the azure function is part of.

Unfortunately, that doesn't work. When I try to communicate with the storage account from the Azure function, I get the below error

2020-02-18T02:03:03.505 [Error] Faliure Occured
Azure.RequestFailedException : This request is not authorized to perform this operation.
RequestId:0b034a99-701e-002c-09ff-e5bd0a000000
Time:2020-02-18T02:03:03.1177265Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 0b034a99-701e-002c-09ff-e5bd0a000000
x-ms-client-request-id: 0bbe8185-4657-47f3-8566-5bcbd16c4274
x-ms-error-code: AuthorizationFailure
Date: Tue, 18 Feb 2020 02:03:02 GMT
Content-Length: 246
Content-Type: application/xml

   at Azure.Storage.Blobs.BlobRestClient.Container.GetPropertiesAsync_CreateResponse(ClientDiagnostics clientDiagnostics,Response response)
   at async Azure.Storage.Blobs.BlobRestClient.Container.GetPropertiesAsync(ClientDiagnostics clientDiagnostics,HttpPipeline pipeline,Uri resourceUri,String version,Nullable`1 timeout,String leaseId,String requestId,Boolean async,String operationName,CancellationToken cancellationToken)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at async Azure.Storage.Blobs.BlobContainerClient.GetPropertiesInternal(BlobRequestConditions conditions,Boolean async,CancellationToken cancellationToken)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Azure.Storage.TaskExtensions.EnsureCompleted[T](Task`1 task)
   at Azure.Storage.Blobs.BlobContainerClient.GetProperties(BlobRequestConditions conditions,CancellationToken cancellationToken)
   at SharedLib.Utils.TestStorageAccountAccess() at D:\poc-code\NetworkSecurityPoc\SharedLib\Utils.cs : 13
   at async MessengerFunction.Trigger.Run(HttpRequest req,ILogger log) at D:\poc-code\NetworkSecurityPoc\MessengerFunction\Trigger.cs : 25

But when I disable the vnet restriction on the storage account, everything works.

What could I be doing wrong?

Thank you.

2
azureazure-functionsazure-storagevnet
Do you use Regional virtual network integration or gateway required? Is the Azure function apps running on Windows or Linux? - Nancy Xiong
I'm using the Regional virtual network integration (the one that says "preview"). and the function app is running on Windows. Actually my Vnet doesn't have a gateway subnet. - AbuShokry
It should no other resource used in the integrated subnet except for azure function. Also, it's recommended to use this template to automatically deploy it. - Nancy Xiong
If you uncheck the Microsoft.Web service endpoints enabled in the subnet, Does it work? - Nancy Xiong
I've unchecked the Microsoft.Web in my current setup, but it still didn't work. I've also deployed the referenced template as is, and also didn't work - AbuShokry

2 Answers

0
votes

The below documentation might help why this is happening: From MS documentation: When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can't currently use any virtual network restrictions on this account. If you configure a virtual network service endpoint on the storage account you're using for your function app, that configuration will break your app. Reference: enter link description here

0
votes

I would say it's networking problem as per here Function networking So set WEBSITE_VNET_ROUTE_ALL to 1 then it should work..