0
votes

I have a problem with triggering an Azure Function which returns 403 (HTTP trigger).

The trigger is initiated using Azure Data Factory.

It is important to mention that the function is exposed through Azure APIM (API Management) - the function internally has a restriction set so that only the APIM IP is allowed to trigger the function.

The funny thing is that if I send a 'manual' trigger (Postman, HTTP call through APIM from my local machine) everything works as expected - I'm able to trigger the function.

If the same request is sent via Azure Data Factory, 403 is returned. It is as if the request never leaves Azure and the IP that hits the function is not the APIM IP. Is this possible and if yes, how to solve this?

The Function, APIM and Data Factory are in the same Azure subscription.

FYI - the 403 is coming from the function itself, not from APIM. If I remove the access restriction from the function, everything works as expected.

Also, to make sure that the request goes through APIM, for one of the tests I put in a wrong APIM subscription key, and this time when ADF triggered the function I got 403, but from APIM, which means that the request definitely goes through the gateway.

1
Is some kind of authentication turned on in Function App? - singhh-msft
Can you share what kind of access restriction you set on Function App? Is there any vnet configured? - Chun Liu
@HarshitaSingh-MSFT No, authentication is turned off. - rjovic
@ChunLiu The Function App has an access restriction set to only allow the APIM IP (Azure API Management), and the second rule, with lower priority, is deny all. The access restriction is the same as in Hury Shen's proposed answer. Yes, the Function is inside the VNET, Data Factory is not. - rjovic
If your APIM and Function App are in the same vnet, can you try to change the access restriction to the vnet and subnet of APIM? You will have to enable the service endpoint (Microsoft.Web) on the APIM subnet too. - Chun Liu

1 Answer

0
votes

Is this possible and if yes, how to solve this?

I don't think it's possible; I tested it on my side and it works fine (both in Postman and in Data Factory). I provide my configuration for your reference.

1. I created an APIM instance and we can see its IP address. Then I added my function to APIM.


2. In my function, I configure "Access Restrictions" as below:

3. Then request the URL through APIM in Postman: success.

Request the URL through APIM in Data Factory: also success.


4. So please check if there is anything different from my configuration (for example, using the function URL like https://funappname.azurewebsites.net/api/HttpTrigger1?clientId=apim-huryAPIM rather than the URL from APIM in your Data Factory request). My function, APIM and Data Factory are in the same region (East Asia).
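
Added example (not part of the original question or answer): a simplified Python model of the access-restriction list described in the question (allow the APIM IP, then deny all), to check which source addresses seen by the Function App would get a 403. The IP addresses, rule names and priorities are constructed, and first-match-in-priority-order evaluation with an implicit deny is a simplification of how App Service access restrictions behave.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int  # lower number is evaluated first
    action: str    # "Allow" or "Deny"
    cidr: str

def evaluate(rules, source_ip):
    """Return (action, rule_name); the first matching rule in priority order wins."""
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if ip in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action, rule.name
    # An empty list leaves the app open; otherwise unmatched traffic is denied.
    return ("Deny", "implicit-deny") if rules else ("Allow", "no-restrictions")

def triage(rules, observed_ips):
    """Map each observed source IP to the HTTP status the restriction list implies."""
    report = {}
    for ip in observed_ips:
        action, rule = evaluate(rules, ip)
        report[ip] = (200 if action == "Allow" else 403, rule)
    return report

# Constructed values (documentation ranges), not taken from the page.
APIM_IP = "203.0.113.10"
RULES = [
    Rule("allow-apim", 100, "Allow", APIM_IP + "/32"),
    Rule("deny-all", 200, "Deny", "0.0.0.0/0"),
]
# Constructed source addresses as the Function App might log them.
OBSERVED = ["203.0.113.10", "198.51.100.7", "10.1.0.4"]

if __name__ == "__main__":
    for ip, (status, rule) in triage(RULES, OBSERVED).items():
        print(f"{ip:15} -> {status} via {rule}")
```

Feeding it the source addresses the Function App actually logs for the Postman call and for the Data Factory call shows whether the two arrive from different addresses.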