Azure function: Detected host offline in your function app

Question

We have an Azure Function that is integrated with VNET. Function uses Key Vault to read configuration values from. MSI has been enabled on function and access policy is added in the KV to allow function to access it. Traffic to Key Vault is restricted to be allowed from the said VNET. We have received this error in the diagnostics yesterday, which has affected our execution flow. The App was offline for a few minutes resulting in failures. This is what the diagnostic report says:

Detected host offline in your function app.
Description 
A host error has occurred during startup operation 'd732fccb-40ae-40a1-8d14-ea3cdba0e725'.
Last offline at 
5/4/2021 10:32:13 AM
Details 

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException : Client address is not authorized and caller is not a trusted service.
Client address: x.x.x.x

The function started working properly after being down for about 4 minutes. This could be an issue with VNET integration. Has anyone encountered this? Is there any way to prevent this?

Answer 1

In this case, you could add the application settings WEBSITE_VNET_ROUTE_ALL = 1 of your azure function, this will force all outbound traffic from your azure function into that VNet.

When you route all of your outbound traffic into your VNet, it's subject to the NSGs and UDRs that are applied to your integration subnet. When WEBSITE_VNET_ROUTE_ALL is set to 1, outbound traffic is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.

Reference from https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options#regional-virtual-network-integration