Reputation: 6554
Azure Functions storage account network security
I am currently working with a client that requires access to all Azure resource locking down as much as possible and I am having problems with the Storage Account that is utilised by our Azure Functions.
With the Firewalls and Virtual Networks blade in portal set to "All Networks" I am able to deploy to the Function App and it runs without issue.
However once I enable the access restriction by checking "Selected Networks"no matter what virtual network subnets I enter or IP Addresses I can not get the communication to work
I have entered the Outbound IP Addresses of our Consumption based Function App and also check that the additional IP Addresses from the Powershell and all have been added to the whitelist. I have also added all the CIDR IP ranges of the local Azure datacenter but again it does not work.
The problem we have is that once the access restrictions have been put into place we are unable to deploy to the Function App and the app no longer runs. Is this scenario supported and what is the mechanism for tying down access to the Storage Account so that only the Function App can utilise it.
Upvotes: 5
Views: 3700
Answers (1)
Reputation: 28224
As far as I know, you have two options to restrict access to your storage account from your function app or web app.
- Whitelist the
outboundIpAddressesandpossibleOutboundIpAddressesof the function app in the firewall of the storage account. However, it does not work if the Azure function app and Azure storage located in the same region refer to Sam's answer.
when you hit the storage account from your function, because they are in the same region as each other, all the traffic goes over the internal Azure network on internal IP's, not the public IPs listed in the web app, and so is not allowed over the firewall.
- If your resources were in different regions, you could use the network section of function app to allow function app to access resources in a VNet, then enable service endpoint for
Microsoft.Storagein this app integration subnet. But you need Azure Functions Premium plan referring to this tutorial: integrate Functions with an Azure virtual network.
Sometimes, the deployment order for networking is important. In this case, you will deploy the followings:
Firstly, you could deploy new VNet integration with an unused subnet. After the VNet Integration is completed and the function app is restarted, you could enable service endpoint for this subnet. In the end, you could add the subnet in the firewall of the storage account.
Note that the new version is in Preview, currently. You could also check these characteristics and get more references from this thread.
Upvotes: 6
Related Questions
- Managed Identity w/Azure Functions and Storage accounts
- Azure - how to create a persistent secure connection between function app and storage account, consumption plan
- Azure Functions - some public and some protected?
- Azure Premium Functions - Control outbound traffic with Azure Firewall
- Azure Functions access to Azure Storage Account Firewall
- Azure Function - securing access to storage account
- Azure Storage Account: Firewall and virtual networks
- What does the "Storage Account" setting of an Azure Function App do?
- Azure Function Storage Account
- Azure storage and security