Cannot publish a function from Visual Studio if backing storage account restricts access through firewall

[ADH-LukeBollam]

I have a premium function with a backing storage account. The function is on a subnet of a virtual network, and the backing storge is connected to the same subnet via a Service Endpoint. I have also added my own IP address to the function whitelist so that I can publish.

If the backing storage account is locked down behind a VPN, a number of issues start happening: You get this error in the Overview:

With these details:

You also cannot publish from Visual Studio anymore: "Error : The attempt to publish the ZIP file through ****/api/zipdeploy failed with HTTP status code InternalServerError."

You also cannot swap, with another Internal Server Error.

Adding my own IP to the backing storage whitelist did not resolve this. The only way I could successfully publish was to enable access from all networks on the backing storage.

[bhagyshricompany]

Hi @ADH-LukeBollam Thanks for reporting Don't use direct option .you can refer other option for publish https://learn.microsoft.com/en-us/azure/azure-functions/functions-deployment-technologies?tabs=windows https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal https://learn.microsoft.com/en-us/azure/azure-functions/configure-networking-how-to?tabs=templates#restrict-your-storage-account-to-a-virtual-network

[ADH-LukeBollam]

The alternatives add complexity that I would prefer to avoid right now, will there be a fix for the issue? It's not great to have to expose the storage to the internet to simply publish an app.

[bhagyshricompany]

There is some rule for storage account please ref before use it.https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli https://learn.microsoft.com/en-us/azure/azure-functions/configure-networking-how-to?tabs=templates#restrict-your-storage-account-to-a-virtual-network https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

[ADH-LukeBollam]

What specifically are you referring to in there? The only thing I saw was vnetContentShareEnabled, but that sounds like its for a different use case (multiple function apps in one vnet).

[ADH-LukeBollam]

hi @bhagyshricompany ,

I've followed the instructions for connecting an azure function to a secured storage: https://learn.microsoft.com/en-us/azure/azure-functions/configure-networking-how-to?tabs=templates#restrict-your-storage-account-to-a-virtual-network I've set vnetContentShareEnabled=true in my apps configuration and enabled 'outbound internet traffic' and 'content storage' settings in the vnet integration, but I still cannot publish without removing the firewall entirely from the storage account.

Can you please tell me specifically which part you wanted me to look at so I can publish without having to expose the storage?

[bhagyshricompany]

@kshyju please comment and validate.