
I have a function app (Python runtime, consumption plan) that once a month must load some data from a public source, process it and write it to an Azure blob storage account, which in turn must remain private.

This flow worked when I tested it with the blob storage left open to the public.

Then I added some IP addresses to the firewall of the blob storage: in particular, my own private IP and the whole list of outbound IPs available in the "Networking" section of the function app. In this case the function cannot communicate with the blob storage and the required files are not written there.

I know there is the possibility of using a premium plan to enable virtual network integration (which I think should work smoothly), but I would prefer not to incur additional costs.

Also, I could use a private endpoint connection, but again this entails having a premium plan for the app and a higher cost.

Why can't the function communicate with the storage even though I added all of its available outbound IPs? Are there any additional IPs that need to be added? I also read this doc, but I cannot find the required information in the JSON file as explained there.

Can someone help on this? Many thanks!

mattiatantardini

1 Answer

Even without a premium plan, you can connect the function app to the blob storage account if they are in the same region.

Add the function app's IP addresses to the storage account. As shown, you can find the function app's IP addresses in its Networking tab.

Now go to the linked storage account >> Networking under the Security + networking tab. Click "Enabled from selected virtual networks and IP addresses". Add a virtual network for the selected IP ranges that should be authorized, and under firewall settings you can add an IP address that should not be authorized.

As you already mentioned from this MS doc: if your storage account and function app are in different regions, you must allow both outboundIpAddresses and possibleOutboundIpAddresses.

Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you can't restrict access to specific Azure services based on their public outbound IP address range.

Refer to this Microsoft Q&A for a similar issue.

Refer to the "grant access to a storage account" MS doc.

I would recommend upgrading to the Premium plan and using a private endpoint connection as the best approach, because the Azure function app and storage account are then connected directly over the Azure network.

If you use a consumption plan, instances will not scale up if any outbound IP address updates occur. These modifications are relevant in a consumption plan that dynamically scales up and down. In that case, it raises an "Azure functions unreachable" error.

You can refer to this MS doc for configuring the firewall under Networking.

Jahnavi

Comments:
  • Thank you very much, very exhaustive answer! Only one thing is unclear to me: you stated that we must add the inbound IP address of the function to the firewall settings in the storage. And we did it, but actually this configuration doesn't work. Do we need to also add a virtual network to the storage account and allow that inbound address to connect to the virtual network? – mattiatantardini May 19 '23 at 07:15
  • @mattiatantardini yes, you need to add that one too. – Jahnavi May 19 '23 at 08:20
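The answer above makes two checkable points: when the regions differ, every address in both `outboundIpAddresses` and `possibleOutboundIpAddresses` has to be in the storage firewall, and when the regions match, IP rules do not apply at all because the traffic arrives over private Azure addresses. The script below is an added example (not code from either poster or from Microsoft) that takes the JSON returned by `az functionapp show` and `az storage account show`, works out which outbound IPs are still missing from the storage account's `networkRuleSet.ipRules`, and prints the `az storage account network-rule add` commands that would close the gap, or nothing if the two resources share a region. All names, regions and IP addresses in it are constructed for illustration; the field names and CLI commands are the real ones.

```python
import ipaddress
import json

# Constructed sample of `az functionapp show` output, reduced to the fields
# this example needs. Azure returns both IP lists as comma-separated strings.
FUNCTION_APP_JSON = json.dumps({
    "name": "example-func-app",            # constructed name
    "location": "West Europe",             # functionapp show uses display names
    "outboundIpAddresses": "20.0.0.10,20.0.0.11",
    "possibleOutboundIpAddresses": "20.0.0.10,20.0.0.11,20.0.0.12,20.0.0.13",
})

# Constructed sample of `az storage account show` output. One function app IP
# is already allowed; the /24 range belongs to something unrelated.
STORAGE_ACCOUNT_JSON = json.dumps({
    "name": "examplestorage",              # constructed name
    "location": "northeurope",             # storage account show uses short names
    "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [
            {"ipAddressOrRange": "20.0.0.10", "action": "Allow"},
            {"ipAddressOrRange": "20.0.1.0/24", "action": "Allow"},
        ],
    },
})


def function_app_outbound_ips(app_json: str) -> list[str]:
    """Deduplicated union of outboundIpAddresses and possibleOutboundIpAddresses.

    The 'possible' list is the superset that must be allowed when the function
    app and the storage account live in different regions.
    """
    app = json.loads(app_json)
    ips: list[str] = []
    for field in ("outboundIpAddresses", "possibleOutboundIpAddresses"):
        for raw in app.get(field, "").split(","):
            ip = raw.strip()
            if ip and ip not in ips:
                ips.append(ip)
    return ips


def allowed_by_rules(ip: str, ip_rules: list[dict]) -> bool:
    """True if `ip` is covered by an existing Allow rule (single IP or CIDR)."""
    addr = ipaddress.ip_address(ip)
    for rule in ip_rules:
        if rule.get("action", "Allow") != "Allow":
            continue
        # strict=False so a bare host address parses as a /32 network
        if addr in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False):
            return True
    return False


def missing_firewall_rules(app_json: str, storage_json: str) -> list[str]:
    """Function app outbound IPs not yet allowed by the storage firewall."""
    rules = json.loads(storage_json)["networkRuleSet"]["ipRules"]
    return [ip for ip in function_app_outbound_ips(app_json)
            if not allowed_by_rules(ip, rules)]


def same_region(app_json: str, storage_json: str) -> bool:
    """Normalise 'West Europe' and 'westeurope' to the same key before comparing.

    Same-region traffic uses private Azure addresses, so public IP rules would
    not match it whatever is added to the firewall.
    """
    norm = lambda s: s.replace(" ", "").lower()
    return (norm(json.loads(app_json)["location"])
            == norm(json.loads(storage_json)["location"]))


def plan_cli_commands(app_json: str, storage_json: str, resource_group: str) -> list[str]:
    """Emit the `az storage account network-rule add` commands still needed.

    Returns an empty list when both resources share a region, because IP rules
    cannot fix that case.
    """
    if same_region(app_json, storage_json):
        return []
    account = json.loads(storage_json)["name"]
    return [
        f"az storage account network-rule add --resource-group {resource_group} "
        f"--account-name {account} --ip-address {ip}"
        for ip in missing_firewall_rules(app_json, storage_json)
    ]


if __name__ == "__main__":
    # "example-rg" is a constructed resource group name
    for cmd in plan_cli_commands(FUNCTION_APP_JSON, STORAGE_ACCOUNT_JSON, "example-rg"):
        print(cmd)
```

In practice you would feed it the live JSON (`az functionapp show -g <rg> -n <app>` and `az storage account show -g <rg> -n <account>`) rather than the embedded samples. Two caveats worth keeping in mind while reading its output: the storage firewall only accepts public addresses in IP rules, so a private address such as the one mentioned in the question cannot be entered there, and on a consumption plan the possible outbound set can change over time, so the comparison is worth re-running after platform changes rather than treating the rule list as fixed.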