0 votes

I'm trying to configure App Service to connect to Azure SQL using a private endpoint as described here (but from the portal): https://blog.arinco.com.au/2020/08/connect-an-azure-app-service-to-azure-sql-using-azure-private-link/

But once I did, one of my Azure Functions connected to the same VNet could no longer access the Storage Account. We confirmed it multiple times by removing/adding the private endpoint configuration.

I'm using a Timer-triggered function:

    The listener for function 'MyFunction' was unable to start.
    innermostMessage: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.


How can this block my access to the Storage Account? Maybe once I use Private Link for one of the PaaS offerings I need to use it for all of them?


2 Answers

0 votes

I assume that by default you can access the public endpoint of the function's linked storage account (select Allow access from all networks); then you integrate the app into a VNet and have WEBSITE_VNET_ROUTE_ALL set to 1, which tells the App Service or your Azure Function to route all traffic via the VNet. By default, an App Service routes only RFC1918 traffic to the VNet. This restricts the outbound traffic from the VNet.

In this case, you could try adding the app's integrated subnet to the networking settings of the linked storage account.


0 votes

A couple of things to check:

  • Using the Kudu console, check whether the environment variable WEBSITE_PRIVATE_IP is present. If it is missing, the Regional VNet Integration setup on that VM has failed. See my response here.

  • Is the web app connecting to storage via a Private Endpoint or a Service Endpoint?

  • Using the Kudu console, run the command below to see which IP the hostname resolves to:

    nameresolver hostname dnsServerIpAddress

    Here, dnsServerIpAddress is optional. If it is not provided, the DNS app setting or the VNet's DNS servers will be used.

  • Does a tcpping to the storage endpoint on port 443 work? Try running the command below:

    tcpping storageaccount.blob.core.windows.net

You should also check the same for SQL.

If the destination has a Private Endpoint enabled, ensure that nameresolver resolves the hostname to the IP address of the private endpoint. If it resolves to a public IP address, there is an issue with the private endpoint setup of the destination resource.

To isolate further, try removing the private endpoints and connecting via Service Endpoints.

If nothing helps, please log a ticket with Azure Support so that they can investigate this further.
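The two answers above boil down to one decision table: does the destination hostname resolve to an RFC1918 address (the kind App Service routes into the VNet without WEBSITE_VNET_ROUTE_ALL, and the kind a private endpoint hands back) or to a public one, and is the port reachable from inside the integrated subnet? The script below is an added example, not code from either answer or from Azure: it runs those checks from a POSIX shell on a host in the VNet (a jump box, or the Bash console of a Linux app) and prints the verdict the second answer describes. The hostnames in the usage comment are placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the original answers: resolve a PaaS hostname,
# classify the address as private (RFC1918) or public, and try a TCP connect.
# Assumption: run from inside the integrated VNet so that the VNet's DNS
# servers / private DNS zone are the ones the system resolver consults.

# Exit 0 when $1 is a dotted-quad IPv4 address in RFC1918 space
# (10/8, 172.16/12, 192.168/16); exit 1 otherwise. Without
# WEBSITE_VNET_ROUTE_ALL=1, App Service sends only these into the VNet.
is_rfc1918() {
  case "$1" in
    *[!0-9.]*|'') return 1 ;;
  esac
  _oldifs=$IFS; IFS=.
  set -- $1
  IFS=$_oldifs
  [ $# -eq 4 ] || return 1
  for _o in "$1" "$2" "$3" "$4"; do
    [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
  done
  case "$1" in
    10)  return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    192) [ "$2" -eq 168 ] && return 0 ;;
  esac
  return 1
}

# Label an address the way the answers use it: "private" is what a private
# endpoint NIC would return, "public" means DNS still gives the PaaS address.
ip_scope() {
  if is_rfc1918 "$1"; then echo private; else echo public; fi
}

# First IPv4 address via the system resolver (same role as nameresolver in
# the Kudu console: it reflects the DNS servers in effect on this host).
resolve_v4() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 { print $1 }'
}

# TCP connect test with a 5 second timeout (same role as tcpping); falls back
# to bash's /dev/tcp when nc is not installed.
tcp_open() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
  else
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# Run the checks for one destination; $3 is the scope you expect ("private"
# when a private endpoint is configured, "public" otherwise).
check_endpoint() {
  host=$1; port=$2; expected=${3:-private}
  ip=$(resolve_v4 "$host")
  if [ -z "$ip" ]; then
    echo "$host: DNS resolution failed (check VNet DNS / private DNS zone)"
    return 2
  fi
  scope=$(ip_scope "$ip")
  if tcp_open "$ip" "$port"; then tcp=open; else tcp=blocked; fi
  echo "$host -> $ip ($scope) tcp/$port $tcp"
  if [ "$expected" = private ] && [ "$scope" = public ]; then
    echo "  resolves to a public address: the private endpoint DNS setup is not in effect here"
  elif [ "$tcp" = blocked ]; then
    echo "  address is as expected but the port is unreachable: check the resource's network rules and the subnet NSG"
  fi
  [ "$tcp" = open ]
}

# Usage (placeholder hostnames):
#   sh netcheck.sh mystorage.blob.core.windows.net 443 private
#   sh netcheck.sh myserver.database.windows.net 1433 private
if [ $# -ge 2 ]; then
  check_endpoint "$1" "$2" "${3:-private}"
fi
```

Run it once for the storage account and once for the SQL server. A storage hostname that comes back public while SQL comes back private is the situation in the question: SQL is reachable through its private endpoint, but the storage traffic is now being routed into the VNet (or the storage firewall now rejects the public path) without a private endpoint or service endpoint rule to carry it, which is why the first answer's fix is to add the integrated subnet to the storage account's network rules.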