Azure / Azure-Functions


Cannot publish a function from Visual Studio if backing storage account restricts access through firewall #2536

Open ADH-LukeBollam opened 2 months ago

ADH-LukeBollam commented 2 months ago

I have a premium function with a backing storage account. The function is on a subnet of a virtual network, and the backing storage is connected to the same subnet via a Service Endpoint. I have also added my own IP address to the function whitelist so that I can publish.

If the backing storage account is locked down behind a VPN, a number of issues start happening:

You get this error in the Overview: [image]

With these details: [image]

You also cannot publish from Visual Studio anymore: "Error : The attempt to publish the ZIP file through ****/api/zipdeploy failed with HTTP status code InternalServerError."

You also cannot swap, with another Internal Server Error.

Adding my own IP to the backing storage whitelist did not resolve this. The only way I could successfully publish was to enable access from all networks on the backing storage.

bhagyshricompany commented 2 months ago

Hi @ADH-LukeBollam, thanks for reporting. Don't use the direct option. You can refer to the other options for publishing:

https://learn.microsoft.com/en-us/azure/azure-functions/functions-deployment-technologies?tabs=windows
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
https://learn.microsoft.com/en-us/azure/azure-functions/configure-networking-how-to?tabs=templates#restrict-your-storage-account-to-a-virtual-network

ADH-LukeBollam commented 2 months ago

The alternatives add complexity that I would prefer to avoid right now. Will there be a fix for the issue? It's not great to have to expose the storage to the internet to simply publish an app.

bhagyshricompany commented 2 months ago

There are some rules for storage accounts. Please refer to them before use:

https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli
https://learn.microsoft.com/en-us/azure/azure-functions/configure-networking-how-to?tabs=templates#restrict-your-storage-account-to-a-virtual-network
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

ADH-LukeBollam commented 2 months ago

What specifically are you referring to in there? The only thing I saw was vnetContentShareEnabled, but that sounds like it's for a different use case (multiple function apps in one vnet).

ADH-LukeBollam commented 1 month ago

Hi @bhagyshricompany,

I've followed the instructions for connecting an Azure function to a secured storage: https://learn.microsoft.com/en-us/azure/azure-functions/configure-networking-how-to?tabs=templates#restrict-your-storage-account-to-a-virtual-network

I've set vnetContentShareEnabled=true in my app's configuration and enabled the 'outbound internet traffic' and 'content storage' settings in the vnet integration, but I still cannot publish without removing the firewall entirely from the storage account.

Can you please tell me specifically which part you wanted me to look at so I can publish without having to expose the storage?

bhagyshricompany commented 2 weeks ago

@kshyju please comment and validate.