Reputation: 3631
I have an Azure storage account and I am trying to limit access to it such that only an Azure function app is able to access its blob storage.
In the Azure portal, navigate to the storage account. Then navigate to:
Networking --> Firewalls and virtual networks --> Public network access
Select: Enabled from selected virtual networks and IP addresses
Then, in "Resource instances", it says:
Specify resource instances that will have access to your storage account based on their system-assigned managed identity.
In the dropdown menu of "Resource type", I cannot see anything that corresponds to an Azure function app.
I am looking for "Microsoft.Web/sites", since this is the resource type of a function app.
Am I not supposed to do it this way for a function app?
Upvotes: 1
Views: 1525
Reputation: 8694
As mentioned in the MSDOC, when we choose Enabled from selected virtual networks and IP addresses in Storage Account=>Networking, we can only see a few services because the access will be granted only to Trusted services which do not run any custom code, triggers or scripts.
We cannot see any function app related service in ResourceInstances=>Resource Types, because Function App is not directly related to Azure Storage but for storing the function app's data like logs and triggers.
As @Ikhtesam Afrin mentioned, to connect the function app to the storage account which has restricted access to an endpoint:
Note: The Function App must be in a Functions Premium or App Service Plan to integrate with a VNET.
Upvotes: 2
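One way to express the VNet-integration approach this answer points to, as an added example that is not part of the original question or answer: a Bicep fragment that denies public access to the storage account by default and allows only the subnet the function app is integrated with. It uses a storage service endpoint on that subnet; all resource names, address ranges and the `planId` parameter are assumptions.

```bicep
// Added example; names, address ranges and parameters are placeholders.
param location string = resourceGroup().location
param storageName string      // storage account to restrict
param functionAppName string
param planId string           // existing Functions Premium or App Service plan

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-func'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-func'
        properties: {
          addressPrefix: '10.0.1.0/24'
          // Service endpoint: lets the storage firewall identify this subnet.
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
          // Delegation required for regional VNet integration of the app.
          delegations: [
            { name: 'webapp', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'   // "Enabled from selected virtual networks and IP addresses"
      bypass: 'None'
      virtualNetworkRules: [ { id: vnet.properties.subnets[0].id, action: 'Allow' } ]
    }
  }
}

resource func 'Microsoft.Web/sites@2022-09-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: planId
    virtualNetworkSubnetId: vnet.properties.subnets[0].id   // VNet integration
  }
}
```

The network rule admits anything running in that subnet, so keep the subnet dedicated to the function app. It only controls the network path: the function app still needs data-plane authorization, for example a blob data role assigned to its managed identity.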