Deploying to an existing storage account on a subnet with service endpoints for Microsoft.EventHub, Microsoft.KeyVault, Microsoft.Storage and Microsoft.Web.
Storage account is on a selected vnet:
Asked
Active
Viewed 7,424 times
0
-
1if your function app is not in the same Vnet with storage, it cannot access storage. Please create a function app and integrate Vnet with it. For more details, please refer to https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet – Aug 14 '19 at 23:41
2 Answers
2
It looks like you want to restrict access to your storage account from your function app in a virtual network. If so, you need to enable the storage account endpoint in a subnet and enable your function app to integrate with that subnet. Your function app should host on an app service plan which supports virtual network. For more details, you could see the Integrate your app with an Azure Virtual Network.
Moreover, you could refer to this ARM template to finish most of the work. In this case, you will deploy a regional-vnet-integration and a storage account in the same region as the app service.
If you just enable the storage account service endpoint to this subnet but do not want to integrate your function app with this subnet, you need to allow possible outbound IPs of your function app in the firewall of the storage account. Also, the function app and storage account should be in a different region in this scenario.
Feel free to let me know if you have any question.
Nancy
- 26,865
- 3
- 18
- 34
-
>> Also, the function app and storage account should be in a different region in this scenario. Are you from Microsoft? If you add the IP restriction then the storage account and app service should be in a different region. Nobody else could guess that Microsoftery. Because you seem to have good knowledge about this issue, may I ask a question related to it. In my case I have a vnet integrated function app and the storage account without any firewall restriction. I'm not able to deploy a function to that function app (503 error after 43 minutes) and the kudu site gives service unavailable. – SijuMathew Mar 29 '21 at 14:27
0
I set 'WEBSITE_CONTENTOVERVNET' to 1 in my app settings and that worked for me to deploying a logic app.
After fixing 403 error, I got 503 Service unavailable when deploying the zip file to the logic app.
The reason why the zip deployment failed is the fileshare in the storage account was not created when the logic app was deployed.
For a temporary fix, just create a file share before deploying the logic app. A MS support ticket is created and hopefully they will fix it soon!
wei
- 4,267
- 2
- 23
- 18