
Context

  • Azure Function accessible from the Internet (think public API).
  • The Function app is hosted in an Elastic Premium plan.
  • Azure-managed PostgreSQL instance (GP plan).

Goal

Make the PostgreSQL instance accessible to the Function app only, while keeping the Function app accessible from the Internet.

What I've tried

  1. Create a VNet and a service endpoint-enabled subnet.
  2. Add a VNet rule to the PostgreSQL instance securing access from that subnet only.
  3. Integrate the Function app with the VNet.

That should be enough to restrict access to the database, but it has a side effect: the Function App is not accessible from the Internet anymore. I believe AppInsights cannot reach the Function App either (I'm getting "Unable to open a connection to your app. This may be due to any network security groups or IP restriction rules that you have placed on your app." in the Monitor).

In the AWS world, I'd put the Lambda and the database instance in private subnets and add a NAT Gateway for Internet access for the Lambda. After extensive research I can't figure out how to achieve this with Azure.

If there's an alternative approach please let me know!

Max Ivanov
  • Could you please tell me how you integrate VNET? – Jim Xu Nov 09 '20 at 05:36
  • Besides, could you please tell me if the regions are the same? – Jim Xu Nov 09 '20 at 08:19
  • Hi @JimXu I've used the `VNet Integration` option from the `Networking` tab on the Function App page. I already had a VNet and a subnet for the function app created so I associated that with the Function app. All of the Azure components (FA, database, ...) are in the same region. – Max Ivanov Nov 09 '20 at 11:46
  • Is it that you refer to https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet to configure the VNet for the Azure function? – Jim Xu Nov 10 '20 at 01:03
  • @JimXu correct. – Max Ivanov Nov 10 '20 at 17:45

2 Answers


By default, an integrated VNet for your Azure function app cannot restrict public access. For the error message that AppInsights cannot reach the Function App, you may add the Azure Monitor service tag to the inbound rules of the NSG associated with the integrated subnet.

Nancy

The issue was resolved thanks to help from Microsoft support. It appears the problem was not with the link between the Function App and the internet. As Nancy correctly mentioned in her answer, integrating a Function App into a VNet does not restrict public access to the FA.

In my case the problem was a missing link between the Function App and its Storage Account, so the FA couldn't load functions and configuration from storage. Enabling the Microsoft.Storage service endpoint on the subnet fixed that. It's weird the official tutorial does not mention that.

With the Azure Portal, the service endpoint can be added via the VNet page -> Subnets -> your subnet -> Service Endpoints -> Enable Microsoft.Storage.

Max Ivanov
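As an added example that is not part of either answer, the script below puts the thread's four steps together as az CLI calls (the three from the question plus the Microsoft.Storage endpoint from the accepted answer) and adds an offline check that the integration subnet carries both endpoints, since a missing Microsoft.Storage endpoint was what broke the Function App here. Resource names are placeholders; the only endpoint assumption is that Azure Database for PostgreSQL is covered by the Microsoft.Sql service endpoint, which is how the VNet rule in step 2 admits the subnet.

```shell
#!/bin/sh
# Added example, not code from the original post. Verifies that the Function
# App's VNet-integration subnet has BOTH service endpoints this thread needs:
#   Microsoft.Sql     -> the PostgreSQL VNet rule can admit traffic from the subnet
#   Microsoft.Storage -> the Function App can still reach its own storage account
# Resource names passed to the functions are placeholders, not the asker's.

REQUIRED_ENDPOINTS="Microsoft.Sql Microsoft.Storage"

# Pure check, runnable offline: $1 is the newline-separated list of services
# enabled on the subnet (the format `az ... -o tsv` prints). Prints the required
# endpoints that are missing and returns 0 only when nothing is missing.
check_subnet_endpoints() {
  enabled="$1"
  missing=""
  for ep in $REQUIRED_ENDPOINTS; do
    printf '%s\n' "$enabled" | grep -qx "$ep" || missing="$missing $ep"
  done
  missing="${missing# }"
  [ -n "$missing" ] && printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# Live lookup; needs the az CLI and a signed-in session, so it is not run here.
fetch_subnet_endpoints() {
  az network vnet subnet show --resource-group "$1" --vnet-name "$2" --name "$3" \
    --query "serviceEndpoints[].service" --output tsv
}

# Steps 1-3 from the question plus the fix from the answer: enable both endpoints
# on the subnet, add the PostgreSQL VNet rule, integrate the Function App.
apply_fix() {
  rg="$1"; vnet="$2"; subnet="$3"; pg="$4"; func="$5"
  az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" \
    --name "$subnet" --service-endpoints Microsoft.Sql Microsoft.Storage
  az postgres server vnet-rule create --resource-group "$rg" --server-name "$pg" \
    --name allow-func-subnet --vnet-name "$vnet" --subnet "$subnet"
  az functionapp vnet-integration add --resource-group "$rg" --name "$func" \
    --vnet "$vnet" --subnet "$subnet"
}

# Constructed sample states: the subnet as the question left it (database
# endpoint only) and as the accepted answer fixed it.
SUBNET_BEFORE_FIX="Microsoft.Sql"
SUBNET_AFTER_FIX="Microsoft.Sql
Microsoft.Storage"

if [ "${1:-}" = "--demo" ]; then
  echo "before fix, missing: $(check_subnet_endpoints "$SUBNET_BEFORE_FIX" || true)"
  check_subnet_endpoints "$SUBNET_AFTER_FIX" && echo "after fix: all endpoints present"
fi
```

Run with `--demo` to see the check against the two constructed states; feed it `fetch_subnet_endpoints RG VNET SUBNET` output to check a real subnet.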