
I'm currently trying to implement the following storage key rotation architecture from the Microsoft documentation in our tenant, but we have a policy that storage accounts shall not have public network access enabled: https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azure-cli

The architecture is basically, as far as I understand, that an access key for a Storage Account is saved in a Key Vault with an expiration date, and when it nearly expires an Event Grid event filters this event and sends it to the function app, which rotates the key and saves the new key in the Key Vault again.

But as I mentioned, we have a policy that storage accounts should not have public network access enabled. This means the storage account, which stores the logs and triggers for the function app, should also not have "Enabled from all networks" ticked.

Therefore I changed the network setting of the storage account that the function app uses to store logs and triggers from "Enabled from all networks" to "Enabled from selected virtual networks and IP addresses". But when I make this change, Event Grid fails to deliver the event to the function app.

I have tried to create a VNet, create a private endpoint for the storage account, host the function app in a Premium plan and create a VNet integration in the function app. Further, I have also added Microsoft.EventGrid/systemTopics as a resource instance in the storage account under Networking, and the following entries in the function app configuration (according to this link: https://github.com/mcollier/azure-functions-private-storage):

WEBSITE_VNET_ROUTE_ALL to 1
WEBSITE_CONTENTOVERVNET to 1
WEBSITE_DNS_SERVER to 168.63.129.16

But Event Grid still fails to deliver the event to the function app. I suspect that the function app is not reachable for the Event Grid system topic. When I go into the Function app this is shown: (screenshot not reproduced here)

But I'm not certain where the problem lies, since I don't really understand how Event Grid communicates with Azure Functions. Can someone help? Does somebody know how I can implement the architecture without public network access enabled on the storage account?

Thanks and best regards!

AzUser1
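The setup the question describes, written out as Azure CLI calls. This is an added example, not code from the question, the linked tutorial or the mcollier repository; every resource name, the subscription and tenant IDs, the Event Grid system topic name and the subnet names are assumed placeholders (override them through environment variables). The last function adds an inbound access restriction for the AzureEventGrid service tag on the function app, on the assumption that the app carries or will carry access restrictions; it is included because Event Grid pushes the event over the app's public endpoint, not as a diagnosis of the failure in the question. With DRY_RUN=1 (the default) the script prints the commands instead of running them; set DRY_RUN=0 to apply them.

```shell
#!/usr/bin/env bash
# Added example: "selected networks" storage account + private endpoints +
# VNet-integrated function app, as Azure CLI commands. Not from the post.
set -eu

SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"        # assumed placeholder
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"  # assumed placeholder
RG="${RG:-rg-keyrotation}"                        # assumed resource group
STORAGE="${STORAGE:-stfuncappcontent}"            # assumed: function app's content/trigger account
FUNCAPP="${FUNCAPP:-func-keyrotation}"            # assumed function app (Premium plan)
VNET="${VNET:-vnet-keyrotation}"                  # assumed VNet
SUBNET_PE="${SUBNET_PE:-snet-privateendpoints}"   # assumed subnet for private endpoints
SUBNET_INT="${SUBNET_INT:-snet-funcintegration}"  # assumed subnet delegated to Microsoft.Web/serverFarms
EG_TOPIC="${EG_TOPIC:-evgt-keyvault}"             # assumed Event Grid system topic on the Key Vault
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ARM resource ID of the storage account.
storage_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$SUB_ID" "$RG" "$STORAGE"
}

# 1. "Enabled from selected virtual networks and IP addresses": public network
#    access stays Enabled at the resource level, the default action becomes Deny
#    (the trusted-services bypass is the portal default), and the Event Grid
#    system topic is admitted as a resource instance rule.
configure_storage_network() {
  run az storage account update -g "$RG" -n "$STORAGE" \
    --public-network-access Enabled --default-action Deny --bypass AzureServices
  run az storage account network-rule add -g "$RG" --account-name "$STORAGE" \
    --resource-id "/subscriptions/$SUB_ID/resourceGroups/$RG/providers/Microsoft.EventGrid/systemTopics/$EG_TOPIC" \
    --tenant-id "$TENANT_ID"
}

# 2. One private endpoint per sub-resource a Functions host uses: blob and
#    file for content and logs, queue and table for triggers and locks. Each
#    gets its privatelink DNS zone linked to the VNet.
create_private_endpoints() {
  for svc in blob file queue table; do
    run az network private-dns zone create -g "$RG" -n "privatelink.${svc}.core.windows.net"
    run az network private-dns link vnet create -g "$RG" -n "link-${svc}" \
      -z "privatelink.${svc}.core.windows.net" -v "$VNET" -e false
    run az network private-endpoint create -g "$RG" -n "pe-${STORAGE}-${svc}" \
      --vnet-name "$VNET" --subnet "$SUBNET_PE" \
      --private-connection-resource-id "$(storage_id)" \
      --group-id "$svc" --connection-name "conn-${svc}"
    run az network private-endpoint dns-zone-group create -g "$RG" \
      --endpoint-name "pe-${STORAGE}-${svc}" -n "zg-${svc}" \
      --private-dns-zone "privatelink.${svc}.core.windows.net" --zone-name "$svc"
  done
}

# 3. Outbound side of the function app: regional VNet integration plus the
#    three settings from the question, so the content share and DNS lookups
#    go through the VNet (and therefore hit the private endpoints).
configure_function_app() {
  run az functionapp vnet-integration add -g "$RG" -n "$FUNCAPP" \
    --vnet "$VNET" --subnet "$SUBNET_INT"
  run az functionapp config appsettings set -g "$RG" -n "$FUNCAPP" --settings \
    WEBSITE_VNET_ROUTE_ALL=1 WEBSITE_CONTENTOVERVNET=1 WEBSITE_DNS_SERVER=168.63.129.16
}

# 4. Inbound side (assumption: the app uses access restrictions): Event Grid
#    delivers the webhook over the public endpoint, so the AzureEventGrid
#    service tag must be allowed in. VNet integration does not affect this.
allow_eventgrid_inbound() {
  run az functionapp config access-restriction add -g "$RG" -n "$FUNCAPP" \
    --rule-name AllowEventGrid --action Allow --service-tag AzureEventGrid --priority 100
}

main() {
  configure_storage_network
  create_private_endpoints
  configure_function_app
  allow_eventgrid_inbound
}

main
```

The split into four functions mirrors the four things that have to line up: the storage firewall (control plane), the private endpoints plus DNS (data path from the app to storage), the app's outbound routing, and the app's inbound filter. Changing only the first, as the question does, leaves the other three at their defaults.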

1 Answer


I got my AZ-104 this week, but I learned there is a difference between the control plane and the data plane. Try applying Storage Blob Data Contributor to the appropriate principal. That will give it permission to write the data inside the storage account.

Acestus
  • Thank you for your reply. But Event Grid doesn't use a managed identity or app registration. It makes an HTTP POST call to the function app. There is the possibility to use a managed identity to write the dead-letters and failure logs into the same storage account with the Storage Blob Data Contributor role. The failure logs are successfully written to the storage, but Event Grid still displays that it failed to deliver the event to the function... – AzUser1 Jun 18 '22 at 15:28
  • If you are trying to get them to ping each other, then my favorite way is network peering. The Azure CLI command is "az vnet peering create"; run the command on both VNets. – Acestus Jun 18 '22 at 22:31
  • I think every resource is connected to the same VNet. The Storage Account has a private endpoint to the VNet and the function has VNet integration enabled. Both should be able to communicate. But as far as I understand now, since Event Grid doesn't support delivering events through a private endpoint yet, the delivery has to be through a public HTTP POST request. Since VNet integration should only affect outbound traffic of the function app, in theory the function app should still be able to receive the event from Event Grid, but in practice it still fails to deliver and I still don't know why... – AzUser1 Jun 20 '22 at 07:00
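The two pieces discussed in the answer and the first comment, as an added example that is not part of the thread: a Key Vault system topic with a system-assigned identity, the data-plane role assignment (Storage Blob Data Contributor, scoped to one container) that lets that identity write dead-letters into the locked-down storage account, and the SecretNearExpiry subscription that pushes to the rotation function and dead-letters through the identity. The vault, topic, function, container and region names, the subscription ID and the identity's principal ID are assumed placeholders; the comment in the script shows the real query for the principal ID. DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 runs them.

```shell
#!/usr/bin/env bash
# Added example: Event Grid system topic -> Azure Function subscription with
# managed-identity dead-lettering. Not code from the post or the tutorial.
set -eu

SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"  # assumed placeholder
RG="${RG:-rg-keyrotation}"                  # assumed resource group
LOCATION="${LOCATION:-westeurope}"          # assumed region
KEYVAULT="${KEYVAULT:-kv-keyrotation}"      # assumed vault holding the storage key
EG_TOPIC="${EG_TOPIC:-evgt-keyvault}"       # assumed system topic name
FUNCAPP="${FUNCAPP:-func-keyrotation}"      # assumed function app
FUNCTION="${FUNCTION:-RotateStorageKey}"    # assumed function inside the app
STORAGE="${STORAGE:-stfuncappcontent}"      # assumed dead-letter storage account
DL_CONTAINER="${DL_CONTAINER:-deadletters}" # assumed blob container for dead-letters
# Principal ID of the topic's identity. Real value after create_topic:
#   az eventgrid system-topic show -g "$RG" -n "$EG_TOPIC" --query identity.principalId -o tsv
PRINCIPAL_ID="${PRINCIPAL_ID:-00000000-0000-0000-0000-000000000000}"  # assumed placeholder
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ARM resource ID for a provider path inside the resource group.
resource_id() { printf '/subscriptions/%s/resourceGroups/%s/providers/%s' "$SUB_ID" "$RG" "$1"; }

# Dead-letter destination: a container, not the whole account.
deadletter_container_id() {
  printf '%s/blobServices/default/containers/%s' \
    "$(resource_id "Microsoft.Storage/storageAccounts/$STORAGE")" "$DL_CONTAINER"
}

# 1. System topic on the vault, with a system-assigned managed identity.
create_topic() {
  run az eventgrid system-topic create -g "$RG" -n "$EG_TOPIC" --location "$LOCATION" \
    --topic-type Microsoft.KeyVault.Vaults \
    --source "$(resource_id "Microsoft.KeyVault/vaults/$KEYVAULT")" \
    --identity systemassigned
}

# 2. Data-plane role for the identity. Owner/Contributor on the account is
#    control-plane only and does not allow writing blobs; the role is scoped
#    to the dead-letter container so the identity cannot touch anything else.
grant_deadletter_role() {
  run az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" \
    --scope "$(deadletter_container_id)"
}

# 3. Subscription: SecretNearExpiry -> the function (delivered as an HTTP
#    POST to the function's public endpoint), with failed deliveries written
#    to the container through the topic's identity.
create_subscription() {
  run az eventgrid system-topic event-subscription create -g "$RG" \
    --system-topic-name "$EG_TOPIC" -n "sub-$FUNCTION" \
    --endpoint-type azurefunction \
    --endpoint "$(resource_id "Microsoft.Web/sites/$FUNCAPP")/functions/$FUNCTION" \
    --included-event-types Microsoft.KeyVault.SecretNearExpiry \
    --deadletter-identity systemassigned \
    --deadletter-identity-endpoint "$(deadletter_container_id)" \
    --max-delivery-attempts 10 --event-ttl 1440
}

main() {
  create_topic
  grant_deadletter_role
  create_subscription
}

main
```

Because the dead-letter path is the only place the topic's identity writes, it is also the one place where the data-plane role matters; the delivery to the function itself is an unauthenticated-by-identity HTTP POST, which is why a role assignment alone does not change a failed delivery.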