Azure Functions access to Azure Storage Account Firewall

1

5

What am I trying to achieve

Connect to an Azure BLOB storage account that sits behind a firewall through an Azure Function.

Steps Taken so Far

  1. Azure Function developed and tested against public storage account which works as expected.
  2. Using Azure Resource Explorer for my Azure Function, I found the outbound addresses (the "outboundIpAddresses" entry) and added them to the firewall of the storage account.

Issue

While trying to run the Azure Function against the storage account with the firewall I am getting a Status: 500 Internal Server Error - This request is not authorized to perform this operation.

What am I missing here?

Prairial answered 10/5, 2019 at 11:13 Comment(1)
private endpoint from functions to blob storage should work? - Dostie
9

You won't be able to achieve what you want here currently. When you hit the storage account from your function, because they are in the same region as each other, all the traffic goes over the internal Azure network on internal IPs, not the public IPs listed in the web app, and so is not allowed over the firewall (I have had this confirmed by Azure support). Because you don't have access to the internal IPs of the function, and even if you did they can change, you can't whitelist them.

If your resources were in different regions, traffic would go over the external IPs and you would have more success.

Finitude answered 10/5, 2019 at 20:28 Comment(2)
What if I put AzureFunction in VNET and add VNET access in firewall? Should this work? We have trouble making it work. - Photocopier
@PiotrPerak, yes it works. Don't forget to enable Service Endpoint on your subnet with "Microsoft.Storage" - Teeters
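A configuration check for the setup discussed in the answer and its comments, as an added example that is not part of the original thread: it reads trimmed ARM-style resource JSON and reports why the function would still be refused by the storage firewall. The sample resources are constructed, the finding codes are hypothetical names, and the field names assume the ARM resource shapes for the function app, subnet and storage account.

```python
import ipaddress

# Constructed, trimmed ARM-style resources; every name, ID and address is a placeholder.
SUBNET_ID = ("/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/"
             "Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-func")
APP = {"location": "West Europe", "properties": {
    "outboundIpAddresses": "203.0.113.10,203.0.113.11",
    "virtualNetworkSubnetId": SUBNET_ID}}
SUBNET = {"id": SUBNET_ID, "properties": {
    "serviceEndpoints": [{"service": "Microsoft.Storage"}]}}
STORAGE = {"location": "westeurope", "properties": {"networkAcls": {
    "defaultAction": "Deny",
    "ipRules": [{"value": "203.0.113.0/28", "action": "Allow"}],
    "virtualNetworkRules": []}}}


def _region(name):
    return name.replace(" ", "").lower()


def audit(app, subnet, storage):
    """Return finding codes (hypothetical names) explaining a refused request."""
    acls = storage["properties"]["networkAcls"]
    if acls.get("defaultAction") != "Deny":
        return []  # firewall is not enforcing, nothing blocks the function
    findings = []
    raw = app["properties"].get("outboundIpAddresses", "")
    outbound = [ip for ip in raw.split(",") if ip]
    nets = [ipaddress.ip_network(r["value"], strict=False)
            for r in acls.get("ipRules", [])]
    listed = any(ipaddress.ip_address(ip) in n for ip in outbound for n in nets)
    # Per the answer: same-region traffic arrives from internal IPs,
    # so IP rules for the function's public outbound addresses never match.
    if listed and _region(app["location"]) == _region(storage["location"]):
        findings.append("ip-rules-ineffective-same-region")
    integrated = (app["properties"].get("virtualNetworkSubnetId") or "").lower()
    if not integrated:
        return findings + ["no-vnet-integration"]
    endpoints = set()
    if subnet["id"].lower() == integrated:
        endpoints = {e["service"]
                     for e in subnet["properties"].get("serviceEndpoints", [])}
    if "Microsoft.Storage" not in endpoints:
        findings.append("missing-service-endpoint")
    allowed = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])
               if r.get("action", "Allow") == "Allow"}
    if integrated not in allowed:
        findings.append("missing-vnet-rule")
    return findings


if __name__ == "__main__":
    print(audit(APP, SUBNET, STORAGE))
```

An empty result means the subnet the function is integrated with has the "Microsoft.Storage" service endpoint and is allowed by a virtual network rule on the storage account.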
