Azure / azure-cli

Azure Command-Line Interface
MIT License

Add support for --public-network-access for az functionapp config namespace #24947

Open HenryLGatesFoundation opened 1 year ago

HenryLGatesFoundation commented 1 year ago

There seems to be no way of setting the publicNetworkAccess attribute value (Enabled or Disabled) of the functionapp namespace, neither during creation, nor update (with az functionapp config create|update).

This means that, although we can automate the creation of Function App Inbound Private Endpoints and Function App VNet Integrations, we must go to each Function App and manually disable Public Access to our Function Apps.

**Describe the solution you'd like**

I'd simply like/expect to be able to run any of the following commands:

**Describe alternatives you've considered**

It doesn't exist under "az webapp config set" either.

**Additional context**

Without this, everyone who wishes to create or manage secure Function Applications must go directly to each resource and toggle this attribute, manually, while the rest of the same page can be updated via the Azure CLI:

[Image: AccessRestriction-Main]

yonzhan commented 1 year ago

route to CXP team

navba-MSFT commented 1 year ago

@HenryLGatesFoundation Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.

navba-MSFT commented 1 year ago

@HenryLGatesFoundation Could you please try the below command?

    az resource update -g myRG -n myFA --resource-type Microsoft.Web/sites --set properties.publicNetworkAccess=Enabled

Awaiting your reply.

HenryLGatesFoundation commented 1 year ago

Yes, the use of the generic "resource" does work.

navba-MSFT commented 1 year ago

@HenryLGatesFoundation Thanks for getting back. Does the above command suffice for your requirement, or do you still need the CLI command?

HenryLGatesFoundation commented 1 year ago

I believe everyone who might run across this post would/should be able to use it. But if you, or the team, could be so kind as to place it in a more intuitive "or correct" namespace for customers, that would be very much appreciated. Is that possible?

navba-MSFT commented 1 year ago

@HenryLGatesFoundation Thanks for your reply. For the users who want to achieve this requirement without running the az resource command, they can follow the below steps:

The publicNetworkAccess is exposed as a property in this REST API. So you can run the command like below:

First you need to fetch the existing configurations by running the config show command:

    az functionapp config show --name myFA --resource-group myRG --output json > config.json

Then edit the config.json file and update the "publicNetworkAccess" to "Enabled". Then save the file and run the below config set command:

    az functionapp config set --name myFA --resource-group myRG --generic-configurations "@.\config.json"

Hope this clarifies.

ghost commented 1 year ago

Hi @HenryLGatesFoundation. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

HenryLGatesFoundation commented 1 year ago

/unresolve

I understand that you're suggesting we perform a "show", obtain the definition of the function app, make a small modification and essentially perform a PUT when all we really need is to use/set a single flag.

Note: This request is the same as a previously-fulfilled request for a --public-network-access flag found here: https://github.com/Azure/azure-cli/issues/23025.

Can an implementation which is consistent with the aforementioned be implemented in this subsequent case and simply supply the community with the "--public-network-access" flag needed, so that a standard implementation scheme exists (or begins to take shape) across Azure CLI command/namespaces?

In addition to the eventhubs namespace, even the acr namespace has the following (although "--public-network-access" seems more expressive, even more correct):

    az acr update --name myContainerRegistry --public-network-enabled false

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Stefanus Hinardi, @Francisco-Gamino.

Issue Details

There seems to be no way of setting the publicNetworkAccess attribute value (Enabled or Disabled) of the functionapp namespace, neither during creation, nor update (with az functionapp config create|update).

This means that, although we can automate the creation of Function App Inbound Private Endpoints and Function App VNet Integrations, we must go to each Function App and manually disable Public Access to our Function Apps.

**Describe the solution you'd like**

I'd simply like/expect to be able to run any of the following commands:

- `az functionapp config --name myFA --resource-group myRG --public-network-access enabled`
- `az functionapp config --name myFA --resource-group myRG --public-network-access disabled`

\- OR -

- `az functionapp config --ids myFAID --resource-group myRG --public-network-access enabled`
- `az functionapp config --ids myFAID --resource-group myRG --public-network-access disabled`

**Describe alternatives you've considered**

It doesn't exist under "az webapp config set" either.

**Additional context**

Without this, everyone who wishes to create or manage secure Function Applications must go directly to each resource and toggle this attribute, manually, while the rest of the same page can be updated via the Azure CLI:

![AccessRestriction-Main](https://user-images.githubusercontent.com/59934454/208807330-9c2cdd6e-f6b3-4ac4-9fe7-2643196d1f1b.PNG)

Author: HenryLGatesFoundation
Assignees: navba-MSFT
Labels: `Web Apps`, `Service Attention`, `Functions`, `customer-reported`, `needs-team-attention`, `feature-request`, `Auto-Assign`
Milestone: -

navba-MSFT commented 1 year ago

@HenryLGatesFoundation Thanks for clarifying your requirement. I am adding the service team to look into your ask.

@Stefanus Hinardi, @Francisco-Gamino Could you please look into this request once you get a chance?

Francisco-Gamino commented 1 year ago

Adding Functions Az CLI team @amamounelsayed @apawast @kaibocai -- Could you please help with the inquiry above? Thank you.

danielfears commented 1 year ago

Also interested in this being added - noticed users of the platform are able to create an App Service (web app) but despite setting an Access Restriction in Networking settings, the resource JSON still reports that the flag for publicNetworkAccess is still set to 'null' and therefore fails the validation for the built-in security Azure Policy of 'App Service apps should disable public network access', due to this not evaluating to true:

          {
            "field": "Microsoft.Web/sites/publicNetworkAccess",
            "notEquals": "Disabled"
          }

There's little support for doing this via PowerShell too from what I've seen, and no support for changing this flag in the portal, and this is causing many people issues with editing their in-situ web apps.

curious-toast commented 1 year ago

I would also like these flags to be added. Are there any updates on this?

medbenchohra commented 1 year ago

It must be updated in two locations simultaneously using az functionapp update:

    az functionapp update --resource-group $rg -n $functionAppName --set publicNetworkAccess=Disabled siteConfig.publicNetworkAccess=Disabled --query "{name:name, publicNetworkAccess:publicNetworkAccess, siteConfig_publicNetworkAccess:siteConfig.publicNetworkAccess}"
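
Added example, not part of the thread and not azure-cli code: a small audit over saved CLI JSON that applies the `notEquals: "Disabled"` condition quoted earlier to both locations named in the comment above, showing that a null value is flagged just like "Enabled". The app names, helper names and sample records are constructed; the record shape is assumed from the `--query` paths in that comment.

```python
import json

# Constructed sample, shaped after the --query paths in the comment above:
# top-level publicNetworkAccess plus siteConfig.publicNetworkAccess.
SAMPLE_APPS = json.loads("""
[
  {"name": "fa-restricted-only", "publicNetworkAccess": null,
   "siteConfig": {"publicNetworkAccess": null}},
  {"name": "fa-half-updated", "publicNetworkAccess": "Disabled",
   "siteConfig": {"publicNetworkAccess": "Enabled"}},
  {"name": "fa-locked", "publicNetworkAccess": "Disabled",
   "siteConfig": {"publicNetworkAccess": "Disabled"}},
  {"name": "fa-no-siteconfig", "publicNetworkAccess": "disabled",
   "siteConfig": null}
]
""")

FIELDS = ("publicNetworkAccess", "siteConfig.publicNetworkAccess")

def lookup(app, dotted):
    """Walk a dotted path; a missing or null segment yields None."""
    node = app
    for key in dotted.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node

def policy_flags(value):
    """Mirror {"notEquals": "Disabled"}: null and "Enabled" both match.
    Case-insensitive comparison is an assumption of this sketch."""
    return not (isinstance(value, str) and value.lower() == "disabled")

def audit(apps):
    """Return {app name: [(field, current value), ...]} for flagged apps."""
    findings = {}
    for app in apps:
        bad = [(f, lookup(app, f)) for f in FIELDS if policy_flags(lookup(app, f))]
        if bad:
            findings[app["name"]] = bad
    return findings

if __name__ == "__main__":
    for name, bad in audit(SAMPLE_APPS).items():
        for field, value in bad:
            print(f"{name}: {field} = {value!r} (expected 'Disabled')")
```

An unpopulated `siteConfig` is reported as unconfirmed rather than treated as compliant, so such apps need a per-app lookup before they are cleared.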

r300mrg commented 4 months ago

Any update? Would be very useful to have this option when creating a function app. Thanks

vladiliescu commented 4 months ago

az functionapp update/az resource update don't help when Deny Public Network Access policies prevent creating the function, it's a really bad workaround imo.