Maulik Modi

Reputation: 1316

Azure functions : Getting 403 error while accessing the storage account

I have been using an Azure timer-based function in my project. Since I started using the function, I have been getting a 403 (access forbidden) error from the Azure storage account.

I tried adding the AzureWebJobsStorage key in the function's configuration. I tried adding the outbound IPs to the allowed IP ranges of the Azure storage account. I tried checking the option allowing Azure managed services access to the storage account.

However, I'm still getting the error in that particular timer function of my function app. The other functions run properly.

However, if I allow all networks in the storage account firewall and VNet settings, my function runs properly.

Both the function and the storage account are in the same region.

I want to enable it somehow so that I do not need to choose "allow all networks". What can be done?

Upvotes: 3

Views: 8801

Answers (3)

Milan M.

Reputation: 1046

Actually, the problem is explained here in the Microsoft docs.

"When you create a function app, you either create a new storage account or link to an existing storage account. During function app creation, you can secure a new storage account behind a virtual network and integrate the function app with this network. Currently, you can't secure an existing storage account being used by your function app in the same way."

So, when you add your function to the virtual network, you need to create a new storage and add it to the network before connecting it to the function.

Upvotes: 1

Josh Johanning

Reputation: 1245

In case anyone else is searching for this... I had a similar issue. I had a function app for which I had created a private endpoint and regional VNet integration with the VNet, interacting with a storage account that also had a private endpoint in the same VNet. The storage account's network/firewall settings only allowed connections from the VNet (no external traffic allowed). Both the storage account and the function app reside in the same region.

Attempt at fix #1 (not ideal):

I added code to determine what IP the function app was running from. That led me to add all of the IPs listed in the portal under function app --> Properties --> Additional Outbound IP Addresses. This is also exposed by Terraform, if you use that.

Attempt at fix #2 (better):

The resolution is to ensure you have the proper function app settings set.

See: Microsoft documentation

Setting: WEBSITE_CONTENTOVERVNET
  Suggested value: 1
  Description: Create this app setting. A value of 1 enables your function app to scale when your storage account is restricted to a virtual network.

Setting: WEBSITE_DNS_SERVER
  Suggested value: 168.63.129.16
  Description: Create this app setting. When your app integrates with a virtual network, it will use the same DNS server as the virtual network. Your function app needs this setting so it can work with Azure DNS private zones. It's required when you use private endpoints. This setting and WEBSITE_VNET_ROUTE_ALL will send all outbound calls from your app into your virtual network.

Setting: WEBSITE_VNET_ROUTE_ALL
  Suggested value: 1
  Description: Create this app setting. When your app integrates with a virtual network, it uses the same DNS server as the virtual network. Your function app needs this setting so it can work with Azure DNS private zones. It's required when you use private endpoints. This setting and WEBSITE_DNS_SERVER will send all outbound calls from your app into your virtual network.

Note: The 168.63.129.16 is a static value for Azure DNS.

After setting all of these, my function app was able to connect to the storage account through the VNet as expected.

Upvotes: 3
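To make the configuration in this answer checkable rather than something you eyeball in the portal, here is an added audit script (example code written for this page, not from the answer author or from Microsoft). It takes the three documents an operator would normally pull with `az functionapp show`, `az functionapp config appsettings list` and `az storage account show`, checks that the three app settings above are present with the documented values, that the function app is integrated with a subnet, that the storage firewall is not left at "allow all networks" (the setting the question wants to avoid), and that the function app's subnet is actually granted in the storage account's virtual network rules. The field names (`virtualNetworkSubnetId`, `networkRuleSet`, `defaultAction`, `virtualNetworkRules`) follow the camelCase JSON the Azure CLI emits, and the sample documents, subscription id, resource names and subnet id are constructed for this example.

```python
"""Audit a function app / storage account pair for the VNet-restricted
storage scenario in this thread. Input shapes follow the JSON emitted by
`az functionapp show`, `az functionapp config appsettings list` and
`az storage account show`; all sample values below are constructed.
"""

# App settings the accepted approach relies on (names and values as quoted
# from the Microsoft documentation in the answer above).
REQUIRED_APP_SETTINGS = {
    "WEBSITE_CONTENTOVERVNET": "1",
    "WEBSITE_DNS_SERVER": "168.63.129.16",
    "WEBSITE_VNET_ROUTE_ALL": "1",
}


def audit(function_app: dict, app_settings: list, storage_account: dict) -> list:
    """Return a list of human-readable findings; an empty list means the
    pair is consistent with the VNet-restricted configuration."""
    findings = []

    # 1. Each required app setting must exist with the documented value.
    present = {s["name"]: s["value"] for s in app_settings}
    for key, expected in REQUIRED_APP_SETTINGS.items():
        actual = present.get(key)
        if actual is None:
            findings.append(f"missing app setting {key} (expected {expected})")
        elif actual != expected:
            findings.append(f"app setting {key} is {actual!r}, expected {expected!r}")

    # 2. The function app must have regional VNet integration at all.
    subnet_id = function_app.get("virtualNetworkSubnetId")
    if not subnet_id:
        findings.append("function app has no regional VNet integration (virtualNetworkSubnetId is empty)")

    # 3. defaultAction 'Allow' means every network can reach the account,
    #    i.e. the "allow all networks" state the question wants to avoid.
    rules = storage_account.get("networkRuleSet", {})
    if rules.get("defaultAction", "Allow").lower() != "deny":
        findings.append("storage account defaultAction is not Deny: it is reachable from all networks")

    # 4. With the firewall locked down, the function's subnet must be granted.
    allowed_subnets = {
        r.get("virtualNetworkResourceId", "").lower()
        for r in rules.get("virtualNetworkRules", [])
        if r.get("action", "Allow") == "Allow"
    }
    if subnet_id and subnet_id.lower() not in allowed_subnets:
        findings.append("function app subnet is not listed in the storage account's virtualNetworkRules")

    return findings


def remediation_commands(app_name, resource_group, storage_name, subnet_id):
    """Azure CLI commands that apply the fix. The subcommands are real;
    the resource names are whatever the caller passes in."""
    settings = " ".join(f"{k}={v}" for k, v in REQUIRED_APP_SETTINGS.items())
    return [
        f"az functionapp config appsettings set --name {app_name} "
        f"--resource-group {resource_group} --settings {settings}",
        f"az storage account network-rule add --resource-group {resource_group} "
        f"--account-name {storage_name} --subnet {subnet_id}",
        f"az storage account update --resource-group {resource_group} "
        f"--name {storage_name} --default-action Deny",
    ]


# Constructed sample input: subscription id, names and subnet are placeholders.
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-functions")

# Constructed: function app integrated with the subnet but missing two settings.
FUNCTION_APP = {"name": "func-demo", "virtualNetworkSubnetId": SUBNET}
APP_SETTINGS = [
    {"name": "AzureWebJobsStorage", "value": "<connection string placeholder>", "slotSetting": False},
    {"name": "WEBSITE_DNS_SERVER", "value": "168.63.129.16", "slotSetting": False},
]
# Constructed: storage account locked to the VNet with the subnet granted.
STORAGE_ACCOUNT = {
    "name": "stdemo",
    "networkRuleSet": {
        "bypass": "AzureServices",
        "defaultAction": "Deny",
        "ipRules": [],
        "virtualNetworkRules": [
            {"virtualNetworkResourceId": SUBNET, "action": "Allow", "state": "Succeeded"}
        ],
    },
}

if __name__ == "__main__":
    for finding in audit(FUNCTION_APP, APP_SETTINGS, STORAGE_ACCOUNT):
        print("FINDING:", finding)
    print("\n".join(remediation_commands("func-demo", "rg-demo", "stdemo", SUBNET)))
```

On the constructed sample the audit reports the two missing settings and nothing else, which is the "everything is wired up but the app settings were never created" state this answer describes; if you instead feed it a storage account with `defaultAction` of `Allow` it flags that the account is open to all networks, which is the workaround the question is trying to get away from.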

Ivan Glasenberg

Reputation: 30035

There are already some answers about this issue; you can see here and here.

In short, if the function and storage account are in the same region, they communicate internally without going through the outboundIpAddresses.

The workaround is to create them in different regions.

Upvotes: 1
