Function App Deployment Failed - The remote server returned an error: (403) Forbidden

Question

Deploying to an existing storage account on a subnet with service endpoints for Microsoft.EventHub, Microsoft.KeyVault, Microsoft.Storage and Microsoft.Web.

Storage account is on a selected vnet:

Answer 1

I set 'WEBSITE_CONTENTOVERVNET' to 1 in my app settings and that worked for me to deploying a logic app.

https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#website_contentovervnet

After fixing 403 error, I got 503 Service unavailable when deploying the zip file to the logic app.

The reason why the zip deployment failed is the fileshare in the storage account was not created when the logic app was deployed.

For a temporary fix, just create a file share before deploying the logic app. A MS support ticket is created and hopefully they will fix it soon!

Answer 2

It looks like you want to restrict access to your storage account from your function app in a virtual network. If so, you need to enable the storage account endpoint in a subnet and enable your function app to integrate with that subnet. Your function app should host on an app service plan which supports virtual network. For more details, you could see the Integrate your app with an Azure Virtual Network.

Moreover, you could refer to this ARM template to finish most of the work. In this case, you will deploy a regional-vnet-integration and a storage account in the same region as the app service.

If you just enable the storage account service endpoint to this subnet but do not want to integrate your function app with this subnet, you need to allow possible outbound IPs of your function app in the firewall of the storage account. Also, the function app and storage account should be in a different region in this scenario.

Feel free to let me know if you have any question.