Azure / functions-action

Enable GitHub developers to deploy to Azure Function Apps using GitHub Actions
MIT License

Failed when having private storage account with private endpoint #193

Closed hashem-alrifai closed 1 year ago

hashem-alrifai commented 1 year ago

What I have:

What I get:

Will archive ./functions/xxxxxx/published into /home/xxxx/actions-runner/_work/_temp/temp_web_package_8648916121209358.zip as function app content
Will use https:///api/zipdeploy to deploy since RBAC Azure credential is detected.
Package deployment using ZIP Deploy initiated.
Error: Failed to deploy web package to App Service.
Error: Execution Exception (state: PublishContent) (step: Invocation)
Error: When request Azure resource at PublishContent, zipDeploy : Failed to use /home/xxxx/actions-runner/_work/_temp/temp_web_package_8648916121209358.zip as ZipDeploy content
Error: Failed to deploy web package to App Service.
Service Unavailable (CODE: 503)
Error: Error: Failed to deploy web package to App Service.
Service Unavailable (CODE: 503)
    at Kudu. (/home/xxxx/actions-runner/_work/_actions/Azure/functions-action/v1.5.0/lib/appservice-rest/Kudu/azure-app-kudu-service.js:235:41)
    at Generator.next ()
    at fulfilled (/home/xxxx/actions-runner/_work/_actions/Azure/functions-action/v1.5.0/lib/appservice-rest/Kudu/azure-app-kudu-service.js:5:58)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
Error: Deployment Failed!

Note: Enabling public access of the storage account will make the deployment succeed.

What to expect: Deployment should work.

patelchandni commented 1 year ago

@hashem-alrifai, when the storage account has a private endpoint with disabled public access, is it accessible from the function app? I mean, how are you granting storage access to your function app?

If the storage account is not accessible from the function app, then zipdeploy will fail as expected.

hashem-alrifai commented 1 year ago

Hi @patelchandni, The storage account is accessible by the function app because the function app has VNet integration enabled, so the storage account and the function app are in the same VNet. And, we use a dedicated build machine that is also connected to the same VNet.

patelchandni commented 1 year ago

@hashem-alrifai Seems the issue is not the action but the access restrictions on the app. The GitHub runner from which this action is running does not have access to your function app or deployment engine, which is why we see the 503.

Try out the instructions here for GitHub + ARM template deployment, used for such scenarios: https://github.com/Azure-Samples/function-app-arm-templates/tree/main/zip-deploy-arm-github-workflow

hashem-alrifai commented 1 year ago

Thanks. I can confirm that the build machine (VM) is part of the VNet, but I will check the method you mentioned (later).
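
An added example, not from the issue or the functions-action project: a check to run on the self-hosted runner that reports whether the deployment engine and storage hostnames resolve to VNet-private addresses from that machine, which is the question the replies above turn on. The host names, sample DNS answers and function names are constructed placeholders; only the `.scm.azurewebsites.net` (Kudu) and `.blob.core.windows.net` (blob storage) suffixes are standard Azure endpoints.

```python
import ipaddress
import socket

# RFC 1918 ranges: where a private endpoint's address lives inside a VNet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(host):
    """IPv4 addresses this machine's resolver returns for host ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses):
    """'private', 'public', 'mixed' or 'unresolved' for a list of IPv4 strings."""
    if not addresses:
        return "unresolved"
    flags = [any(ipaddress.ip_address(a) in net for net in RFC1918)
             for a in addresses]
    if all(flags):
        return "private"
    return "mixed" if any(flags) else "public"


def preflight(hosts, resolver=resolve):
    """Map each role to (host, addresses, verdict) as seen from this machine."""
    report = {}
    for role, host in hosts.items():
        addresses = resolver(host)
        report[role] = (host, addresses, classify(addresses))
    return report


def off_private_path(report):
    """Roles whose host did not resolve purely to VNet-private addresses."""
    return sorted(r for r, (_, _, v) in report.items() if v != "private")


# Constructed placeholders, not values from the issue; replace with your own.
HOSTS = {"deployment_engine": "example-func.scm.azurewebsites.net",
         "storage": "examplestore.blob.core.windows.net"}
# Constructed resolver answers so the example runs offline.
SAMPLE_DNS = {"example-func.scm.azurewebsites.net": ["203.0.113.10"],
              "examplestore.blob.core.windows.net": ["10.1.2.4"]}

if __name__ == "__main__":
    report = preflight(HOSTS, resolver=lambda h: SAMPLE_DNS.get(h, []))
    print(report, "check network path for:", off_private_path(report))
```

Calling `preflight(HOSTS)` without the `resolver` argument uses the runner's live DNS. A host reported as `public` is being reached over the internet, where the storage account's disabled public access or the app's access restrictions apply.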