Unable to connect to Azure Function App after integrating into VNET
Problem Outline
Azure Function App can not be accessed once it is integrated into a VNET and WEBSITE_VNET_ROUTE_ALL is set to 1.
This is required so that the Function App can securely connect to SQL without making the SQL publicly available.
Errors:
Unable to list Function App keys.
HTTP Request (CURL) from within VM in same network fails: 504 Gateway Timed out
Architectural Diagram
Steps to reproduce
- Create a Resource Group
- Create a VNET with 10.20.11.0/26 address space
- Create a Subnet for the Function App to integrate into with address range of 10.20.11.0/27
- Create a Linux Function App and integrated in the VNET you created in step 2.
- See that App keys still loads as normal.
- Create a Subnet for the database with address range of 10.20.11.32/27
- Create SQL Server and SQL Database.
- Create a Private Link with DNS Zone on the Database and restrict public access.
- Link DNS Zone to VNET created in step 2.
- Function app resolved SQL private link as public IP address.
- In the Function App configuration, add an Application setting WEBSITE_VNET_ROUTE_ALL and set it to 1.
- See that Function app now resolves SQL private link as private IP address
- See that Function App keys are not loading.
- Attempt to connect to Azure Functions though a connection from the network or from public link.
- See that Function app gateway times out.
Through an SSH connection into the Function App and with nslookup we determined that the connection to the private link resolves the local IP address of the SQL database as expected.
Setting the WEBSITE_VNET_ROUTE_ALL flag to 0, nslookup resolves the public IP of the SQL database.
As the SQL database is restricted and only available on the network, it is vital that the WEBSITE_VNET_ROUTE_ALL setting is set to 1.
WEBSITE_VNET_ROUTE_ALL = 1
WEBSITE_VNET_ROUTE_ALL = 0
References
https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
This was resolved by adding a "Microsoft.Storage" service endpoint to the Function App subnet.
When all of the traffic is sent into the vnet, it needs a service endpoint to Storage so that it can read the Function App configuration and functions.
- Navigate to your Virtual Network resource
- In the side menu, under Settings, select "Service endpoints"
- Click on "Add"
- Select "Microsoft.Storage" from the Service dropdown
- Add policies if needed (I did not select any policies here)
- Associate the Function App subnet
- Add.
- SSRS 2014 date range parameters not working with an OR clause
- Calculate duration using T-SQL
- Conversion failed when converting the nvarchar value to data type int while inserting records into table
- How can I run just the statement my cursor is on in SQL Server Management Studio?
- SQL rollup to add a total row for multiple columns
- Select SQL Server database size
- INSERT INTO a temp table, and have an IDENTITY field created, without first declaring the temp table?
- Create single image for database diagram in SQL Server
- Automatically define the DataTable in C# from the schema of SQL server tables?
- TSQL: how to write this query?
- CREATE TABLE permission denied in database 'tempdb'
- The SELECT permission was denied on the object 'Users', database 'XXX', schema 'dbo'
- Does database compound index order matter if the first column is only queried with an equal operation?
- Difference between .NET, OLEDB, and Native Providers in SSIS
- Is there a way to populate a HTML table from a database? (SQL Server, VB.NET, ASP.NET)
- ExecuteScalar() not returning full contents of cell
- Why does normal execution resume after Raiserror in Catch block
- PRINT output doesn't appear immediately in the Messages pane in SSMS
- Comma delimiter is not being respected
- A connection was successfully established with the server, but then an error occurred during the pre-login handshake
- Select all unique values in SQL table with additional information
- How to avoid the "divide by zero" error in SQL?
- How do I get list of all tables in a database using TSQL?
- Basic SQL commands in Terraform
- Could there be a deadlock when using optimistic locking?
- Get list of tables but not include system tables (SQL Server 2K)?
- How to change keyboard shortcut - F5 to Ctrl + Enter to execute SQL command in SQL Server Management Studio
- Self join to compare rows of table?
- Transform DateTime field to provided format in where clause
- SSMS crashes instantly