Connect to Azure function app with private endpoint over VPN point to site
I've created an Azure function app, vnet, virtual network gateway, private endpoint, and private dns zone. My virtual network gateway is in its own subnet, below is relevant terraform from the azurerm_virtual_network_gateway resource
ip_configuration {
name = "aza-vnet"
public_ip_address_id = azurerm_public_ip.vpn_gateway_public_ip.id
private_ip_address_allocation = "Dynamic"
subnet_id = azurerm_subnet.vpn_gateway_subnet.id
}
The private endpoint is created in a separate subnet in the same vnet, pointing to the function app. Below is some of the terraform configuration for that resource
private_service_connection {
name = "oai-create-privateserviceconnection"
private_connection_resource_id = azurerm_linux_function_app.oai_create_app.id
subresource_names = ["sites"]
is_manual_connection = false
}
private_dns_zone_group {
name = "oai-create-dns-zone-group"
private_dns_zone_ids = [azurerm_private_dns_zone.create_func.id]
}
I created the below dns zone
resource "azurerm_private_dns_zone" "create_func" {
name = "privatelink.azurewebsites.net"
resource_group_name = var.rg_name
}
linked it to my vnet
resource "azurerm_private_dns_zone_virtual_network_link" "create_func" {
name = "oai-create-link"
resource_group_name = var.rg_name
private_dns_zone_name = azurerm_private_dns_zone.create_func.name
virtual_network_id = azurerm_virtual_network.vnet.id
}
and added an A record for the private endpoint ip
resource "azurerm_dns_a_record" "create_func" {
name = "func-name.privatelink.azurewebsites.net"
zone_name = azurerm_private_dns_zone.create_func.name
resource_group_name = var.rg_name
ttl = 300
records = [azurerm_private_endpoint.create_func.private_service_connection[0].private_ip_address]
#records = [azurerm_private_endpoint.create_func.ip_configuration[0].private_ip_address]
}
with func-name the name of my function.
I added the below to my vpn config file to try to use Azure DNS 168.63.129.16
<clientconfig i:nil="true">
<dnssuffixes>
<dnssuffix>.azurewebsites.net</dnssuffix>
</dnssuffixes>
<dnsservers>
<dnsserver>168.63.129.16</dnsserver>
</dnsservers>
</clientconfig>
When I connect to my VPN and try to reach my function curl https://func-name.azurewebsites.net/api/create it doesn't resolve
When I use the private ip of the private endpoint curl http://10.0.2.4/api/create I get a 404, which is also unexpected but it is actually reaching the function app. Probably due to this
Here is the output of nslookup which is resolving to a public ip
nslookup func-name.azurewebsites.net
Server: 10.16.80.1
Address: 10.16.80.1#53
Non-authoritative answer:
func-name.azurewebsites.net canonical name = func-name.privatelink.azurewebsites.net.
func-name.privatelink.azurewebsites.net canonical name = hosts.func-name.azurewebsites.net.
Name: hosts.func-name.azurewebsites.net
Address: 13.92.237.218
Does anyone know what I can do to get my function app hostname to resolve to the private endpoint ip address?
Does anyone know what I can do to get my function app hostname to resolve to the private endpoint ip address?
To resolve the function app hostname to the private endpoint IP address, when using Point to Site VPN, you can add a host entry in local machine for the private endpoint to resolve the endpoint's IP address for testing.
Name: func-name.privatelink.azurewebsites.net
Address: 10.0.2.4
To add a host entry on your local PC, navigate to C:\Windows\System32\drivers\etc\hosts and insert your entry into the hosts file.
As a permanent solution, consider implementing a Private DNS Resolver or a custom DNS server to resolve the IP address of the private endpoint when utilizing Point to Site VPN.
Reference: Point to Site VPN name resolution
- How to embed Image inline in Email Body using Microsoft Graph
- How to handle an Azure Function rerunning when using message queue binding?
- Azure function activity starts automatically after clicking on Run or Debug locally
- Create Azure TimerTrigger Durable Function in python
- Azure Function Upgraded to .NET 8 Fails with "Could not load file or assembly 'System.Memory.Data'" Error
- Azure function verbose trace logging to Application Insights
- Replacing connection string to managed Identity for azure blob trigger > Azure function app from VS to azure portal
- How can I make a powershell script work in an Azure function with PowerShell 5 and module AzureADPreview?
- Dotnet-Isolated Azure Functions - how to access HttpContext
- Azure Function using ServiceBus trigger
- Azure function code changed in the portal is still sometimes doing what the old code did
- Azure Functions no longer compile on build server after upgrade from .NET 7 to .NET 8
- Unable to run Azure Functions project locally in Rider after adding plugins
- Adjust python runtime Azure Function app timer trigger for daylight saving time
- Can't get past "Exception binding parameter" when trying to use ServiceBusTrigger
- Azure pipeline doesn't wait for function app to complete
- Azure Function: Did not find functions with language [dotnet-isolated]
- How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
- IPM Functions what is the time unit for the duration field in the logs
- Upgrade from .NET 6 to .NET 8, errored out with "Could not load file or assembly 'Microsoft.Extensions.Options, Version=8.0.0.0"
- Azure Function Configuration values not available in function attributes
- CRMSDK QueryExpression didn't return all the related attributes
- Dependency injection in .NET Azure Functions - Azure Cosmos DB Client
- How can I get the list of actions supported by a resource for use with Invoke-AzResourceAction PowersShell command?
- How to create Azure function App in Python without using Visual Code Studio
- ManagedIdentityCredential authentication failed: No connection could be made because the target machine actively refused it
- Azure pipeline - Failed on Error NU1301 after upgrade Azure Function
- Workflow Validation Failed Error: The function cannot be called from a logic app. It must not have a custom route
- Azure Function - The ConnectionString property has not been initialized
- Azure Function app down due to wrong routing template in http trigger binding of a functions