Azure Private Endpoints with Service Bus and Function receiver fails with "Ip has been prevented to connect to the endpoint"

Question

I have the following scenario:

• A VNet with two subnets

• An Azure Service Bus namespace connected to one of the subnets using a Private Endpoint. The Service Bus has a Topic and Subscription to be used by an Azure Function.

• An Azure Function using a Service Bus trigger, connected to the other subnet via a Private Endpoint. This is using the RootSharedAccessKey to connect to the ServiceBus and pull messages off the Subscription.

With this set-up the Function fails to pull messages from the subscription. In Azure Monitor for the Function I see repeated exceptions with the message "Ip has been prevented to connect to the endpoint".

(I am able to connect a second HTTP triggered Function to the Service Bus, using VNet Integration on a third subnet, to push messages into the Service Bus - this works fine.)

If I change Networking settings on the Service Bus to enable "All networks" then messages are successfully processed by the Function - so it is not an issue with the Shared Access key. However, clearly I do not wish to open Service Bus up publicly in any way.

I have also tried enabling "Runtime Scale Monitoring" on the "Function runtime settings", based on a recommendation in this article http://thebestcsharpprogrammerintheworld.com/2020/10/22/consumption-vs-runtime-scaling-in-azure-functions. However this did not solve the issue.

Finally I tried whitelisting the function app IP address within the service bus namespace, specifically in Service Bus "Networking" settings I tried:

• Setting "Public access" to "Selected networks"

• Adding the virtual network and subnet of the function app to "Virtual networks"

• Specifying the function app subnet private IP address in the "Firewall" allow list.

On spinning up a VM inside the VNet I have established that the out-of-the-box private DNS for the VNet is working and all the domains resolve to the correct private IP addresses (including the .privatelink. domains).

All services are in the same datacenter.

For completeness, the code I used to consume messages from the service bus subscription was:

public class ConsumerFunction
    {
        [FunctionName("ConsumerFunction")]
        public void Run([ServiceBusTrigger("sometopic", "somesubscription", Connection = "ServiceBusConnectionString")]string contentString,
            ILogger log)
        {
            log.LogInformation("ConsumerFunction: started with content {content}", contentString);
        }
    }    

I have now run out of ideas on what to try next, and useful documentation to guide me. This seems like a relatively vanilla scenario - a basic Service Bus <--> Function integration using Private Endpoints but I've been unable to make it work.

Answer 1

For those here with a similar issue, I have worked through this with Microsoft support and this was solved as follows:

Firstly, a Private Endpoint is for incoming requests. In the case of a Function App receiving messages from Service Bus, this is an outgoing request from the Function. This requires VNet integration, not a Private Endpoint.

Secondly, the POC solution already has VNet integration to a different Function App (the one pushing messages to Service Bus). In this scenario, if the Function Apps are on the same Plan, they must integrate via the same subnet. See https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration#how-regional-virtual-network-integration-works, in particular "All the apps in the same App Service plan can only use the same virtual network integration to a specific subnet"

So the solution is to replace the Private Endpoint with VNet Integration, and integrate with the same subnet for all Function Apps (in the same plan).