Unable to connect to Azure Function App after integrating into VNET
Problem Outline
Azure Function App can not be accessed once it is integrated into a VNET and WEBSITE_VNET_ROUTE_ALL is set to 1.
This is required so that the Function App can securely connect to SQL without making the SQL publicly available.
Errors:
Unable to list Function App keys.
HTTP Request (CURL) from within VM in same network fails: 504 Gateway Timed out
Architectural Diagram
Steps to reproduce
- Create a Resource Group
- Create a VNET with 10.20.11.0/26 address space
- Create a Subnet for the Function App to integrate into with address range of 10.20.11.0/27
- Create a Linux Function App and integrated in the VNET you created in step 2.
- See that App keys still loads as normal.
- Create a Subnet for the database with address range of 10.20.11.32/27
- Create SQL Server and SQL Database.
- Create a Private Link with DNS Zone on the Database and restrict public access.
- Link DNS Zone to VNET created in step 2.
- Function app resolved SQL private link as public IP address.
- In the Function App configuration, add an Application setting WEBSITE_VNET_ROUTE_ALL and set it to 1.
- See that Function app now resolves SQL private link as private IP address
- See that Function App keys are not loading.
- Attempt to connect to Azure Functions though a connection from the network or from public link.
- See that Function app gateway times out.
Through an SSH connection into the Function App and with nslookup we determined that the connection to the private link resolves the local IP address of the SQL database as expected.
Setting the WEBSITE_VNET_ROUTE_ALL flag to 0, nslookup resolves the public IP of the SQL database.
As the SQL database is restricted and only available on the network, it is vital that the WEBSITE_VNET_ROUTE_ALL setting is set to 1.
WEBSITE_VNET_ROUTE_ALL = 1
WEBSITE_VNET_ROUTE_ALL = 0
References
https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
This was resolved by adding a "Microsoft.Storage" service endpoint to the Function App subnet.
When all of the traffic is sent into the vnet, it needs a service endpoint to Storage so that it can read the Function App configuration and functions.
- Navigate to your Virtual Network resource
- In the side menu, under Settings, select "Service endpoints"
- Click on "Add"
- Select "Microsoft.Storage" from the Service dropdown
- Add policies if needed (I did not select any policies here)
- Associate the Function App subnet
- Add.
- Query to find position in a string before keyword and extract data before that position
- Correlate these tables dynamically (or automated)
- Manage the order of updates when using a filtered unique index?
- How to use an UPDATE Query with an INNER JOIN to update fields within a table
- Can we use SQL Server STRING_AGG() in queries using GROUP BY ROLLUP ()
- What are row, page and table locks? And when they are acquired?
- Aggregate into custom groups
- Work with multiple where statements with different conditions
- Excel VBA connection to SQL Server with Microsoft Entra MFA authentication
- How can I find sql server port number from windows registry?
- SSIS OLE DB Destination Editor - Create New Table not an option?
- How to Apply Gridify Filtering on an ICollection<T> in EF Core?
- SQL Server Cursor vs WHILE loop
- How do I control parameter sniffing and/or query hints in entity framework?
- Select with like is not returning the correct results
- I am trying to get the start date ONLY from the column below using a SUBSTRING. Can someone tell me what I'm doing wrong?
- using Object_id() function with #tables
- Conditionally filter results of query based on a single flag
- Fill down from a specific row based on criteria
- Spark sending LIMIT to SQL Server on display function
- database restore failing with move
- Join column from a table in SQL Server without write permissions to a data.frame in R using dbplyr
- different deleting OUTPUT behaviour based on source table
- How to simulate a deadlock in SQL Server in a single process?
- Is "SET NOCOUNT OFF" necessary in a stored procedure?
- EF Core takes a lot of time, sometimes, to perform SELECT query
- Dynamic T-SQL - Alter column definition to max length of field
- SQL Server: Update table based on JSON
- Best index(es) to use for an OR Statement in SQL Server
- In a select with a group by, get the last value of a column not in the group by