TypicalUser10

Reputation: 1

Function App & Account Storage - Public Internet Access

I am struggling to understand the communication that the Function App requires. Let's say I have a function app written in Python that, during runtime, communicates with some public API. Besides that, it does not need any internet access.

As I understand it, a Function App requires communication with a Storage Account in order to run. Both of those resources have their networking tabs, where we can set the option for "Public network access" to: a) Enabled from all networks, b) Enabled from selected virtual networks and IP addresses, c) Disabled.

In the example setting provided, the Storage Account and Function App do not need to be available from all networks. Is public internet access needed for communication between them? How does the function app identity that can be turned on influence this workflow?

Upvotes: 0

Views: 884

Answers (1)

Pravallika KV

Reputation: 8694

If you restrict access to the Function App and Storage Account by changing the Public network access setting to Enabled from selected virtual networks and IP addresses, you can specify which virtual networks and IP addresses are allowed to access your resources.

To establish communication between Function App and Storage Account:

  • Integrate the Function App with a VNET/subnet:

The Function App should be created with a Functions Premium or App Service Plan to integrate with a VNET.

  • Add the VNET subnet under Storage Account => Networking and add the client IP in the firewall.

  • This allows communication to be established between the Azure Function App and the Storage Account.

Function App identity can be used to authenticate your Function App with Azure Key Vault or Azure Storage to improve the security of your application.


  • I have created a Python Azure Function App with Access Restrictions enabled.
  • I also set the storage account to "Enabled from selected virtual networks and IP addresses".

But I got a 403 Forbidden error due to the access restrictions in the function app while accessing the public API.

  • As per my observation, to run the Azure Function with public APIs, "Enabled from all networks" should be allowed under Function App => Networking in a few scenarios.

I have created a Python Azure Function to access a public API (https://www.weatherapi.com) using the code below.

import logging

import azure.functions as func
import requests

app = func.FunctionApp()

@app.route(route="HttpTrigger", auth_level=func.AuthLevel.ANONYMOUS)
def HttpTrigger(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    # Accept the location from the query string or, failing that, a JSON body.
    location = req.params.get('location')
    if not location:
        try:
            req_body = req.get_json()
        except ValueError:
            pass
        else:
            location = req_body.get('location')

    if location:
        # Pass user input through params so it is URL-encoded and cannot
        # append extra query parameters to the outbound request.
        response = requests.get(
            'https://api.weatherapi.com/v1/current.json',
            params={'key': '<API_KEY>', 'q': location},
            timeout=10,
        )
        data = response.json()
        return func.HttpResponse(f"Current temperature in {location} is {data['current']['temp_c']} degrees Celsius.")
    else:
        return func.HttpResponse(
             "Please provide a location parameter in the query string or in the request body",
             status_code=400
        )

  • I had to enable "Enabled from all networks" to run the function.

References:

  1. Configure Azure Storage firewalls and virtual networks
  2. Azure Functions Access to Restricted Storage Accounts – Mr. Brooks

Upvotes: 0
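
As an added example (not part of the question or the answer above), this sketch maps the three "Public network access" options onto the ARM properties of a storage account and checks whether a Function App's integrated subnet is allowed through the storage firewall. The resource IDs and sample dictionaries are constructed; the property names (`publicNetworkAccess`, `networkAcls`, `virtualNetworkSubnetId`) follow the ARM schemas for `Microsoft.Storage/storageAccounts` and `Microsoft.Web/sites`.

```python
# Added example. Property names follow the ARM schemas; all IDs are constructed.
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-func")

SAMPLE_STORAGE = {"properties": {           # constructed sample
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Deny",
                    "virtualNetworkRules": [{"id": SUBNET, "action": "Allow"}],
                    "ipRules": []}}}
SAMPLE_FUNC = {"properties": {"virtualNetworkSubnetId": SUBNET}}  # constructed sample


def storage_access_mode(storage):
    """Map ARM properties to the portal's three 'Public network access' options."""
    props = storage["properties"]
    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "disabled"
    if props.get("networkAcls", {}).get("defaultAction", "Allow") == "Allow":
        return "all-networks"
    return "selected-networks"


def function_can_reach_storage(func_app, storage):
    """Return (reachable, reason) for traffic from the Function App to storage."""
    mode = storage_access_mode(storage)
    if mode == "all-networks":
        return True, "storage firewall accepts all networks"
    if mode == "disabled":
        return False, "public endpoint disabled: needs a private endpoint (not modelled)"
    # Resource IDs are case-insensitive, so compare them lower-cased.
    subnet = (func_app["properties"].get("virtualNetworkSubnetId") or "").lower()
    if not subnet:
        return False, "function app has no VNet integration"
    rules = storage["properties"]["networkAcls"].get("virtualNetworkRules", [])
    allowed = {r["id"].lower() for r in rules if r.get("action", "Allow") == "Allow"}
    if subnet in allowed:
        return True, "integrated subnet is allowed by the storage firewall"
    return False, "integrated subnet is missing from the storage firewall rules"


if __name__ == "__main__":
    print(storage_access_mode(SAMPLE_STORAGE))
    print(function_can_reach_storage(SAMPLE_FUNC, SAMPLE_STORAGE))
```

Virtual network rules on a storage account also require the `Microsoft.Storage` service endpoint on the subnet, which this sketch does not check.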
