
I set up a function app (running on S1 ASP, and yes, App Settings include WEBSITE_CONTENTOVERVNET 1) that executes MS Graph API calls, which works perfectly fine without vNet configuration/integration. Now, after I set up vNet integration for my function app and only allow access to its storage account via selected networks (the very subnet the function app is integrated to) and I re-execute my function, I get a warning that turns into an error:

WARNING: Unable to acquire token for tenant 'organizations' with error 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (management.azure.com:443)'

ERROR: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (management.azure.com:443) Exception : Type : System.Net.Http.HttpRequestException TargetSite : Name : MoveNext DeclaringType : System.Net.Http.HttpConnectionPool+<ConnectToTcpHostAsync>d__98, System.Net.Http, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03e5f7f21d50a6a MemberType : Method Module : System.Net.Http.dll Message : A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. [...]

I obviously tried googling the error messages but could not find anything that helped me. By the way, I did not encounter this problem in another tenant, where I was able to create my own vNet. This problem occurred when using the vNet provided by my organization, which has a similar configuration but is slightly different. It is set up to use custom DNS servers and has a route table activated under "Outbound networking features"; this table holds 3 direct routes with next hop type "Internet".

Thank you for your time in advance!

I tried changing the ASP to elastic premium and added app settings to the function app:

WEBSITE_CONTENTOVERVNET=1
WEBSITE_VNET_ROUTE_ALL=1

I also tried to manually establish a connection to Azure in the begin{}-block of my function and the profile.ps1 by adding:

Connect-AzAccount -Identity
Set-AzContext -Subscription SubscriptionID

None of which worked. It seems to be a networking problem.


1 Answer


Even though the application setting WEBSITE_VNET_ROUTE_ALL is enabled at the Function level, it is unable to read the storage account files/keys/data.

Within the Virtual Network, the traffic is not being routed properly in your case. You need to set up the Private Endpoints within the Storage Account for the Blob, File, Table, Queue, and Web level, along with the DNS Zone, to route the traffic appropriately.


You can also integrate Service Endpoints to allow traffic connectivity within the Virtual Network between the Function App and its dependent resources, but whether to choose Private Endpoints or Service Endpoints depends on your requirements.
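
A connectivity check to run from inside the function app (for example in profile.ps1 or the Kudu PowerShell console), separating a DNS failure from a routing timeout for the host in the error message and for the storage endpoints named in the answer. This is an added example, not code from the original question or answer; the storage account name `mystorageacct` and the function names are placeholders chosen for illustration.

```powershell
# Added example. ASSUMPTION: 'mystorageacct' is a placeholder for the
# function app's storage account name.
$StorageAccount = 'mystorageacct'

# The host from the error message, the Graph endpoint the function calls,
# and the storage sub-resources the answer lists.
$Targets = @('management.azure.com', 'graph.microsoft.com') +
    ('blob', 'file', 'table', 'queue' | ForEach-Object { "$StorageAccount.$_.core.windows.net" })

function Test-IsPrivateIPv4 {
    param([System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $Address.GetAddressBytes()
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-Endpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $result = [ordered]@{ Host = $HostName; Addresses = $null; PrivateIP = $false; Tcp = 'not tested' }
    try {
        # Uses whatever DNS servers the vNet hands to the app (custom ones here).
        $ips = [System.Net.Dns]::GetHostAddresses($HostName)
    } catch {
        $result.Tcp = "DNS failure: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    $result.Addresses = ($ips | ForEach-Object { $_.ToString() }) -join ','
    $result.PrivateIP = [bool]($ips | Where-Object { Test-IsPrivateIPv4 $_ })
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Wait() returns $false on timeout: the symptom reported in the question.
        $ok = $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)
        $result.Tcp = if ($ok) { 'connected' } else { "timeout after $TimeoutMs ms" }
    } catch {
        $result.Tcp = "connect failed: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$Targets | ForEach-Object { Test-Endpoint $_ } | Format-Table -AutoSize
```

With Private Endpoints and their DNS zones in place, the storage hosts should report `PrivateIP = True`; on a vNet with custom DNS servers that only happens if those servers forward the `privatelink` zones to Azure DNS. With Service Endpoints the storage hosts keep resolving to public addresses, so only the `Tcp` column is meaningful there.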