MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Section: Restrict your storage account to a virtual network #71368

Open vforteli opened 3 years ago

vforteli commented 3 years ago

Section: Restrict your storage account to a virtual network

This section only describes how to replace the storage account after the function has been created. It seems completely doable to create a function with a firewall-secured storage account straight away with ARM templates and therefore never have to do the replacement. In most cases this is probably desirable, since it simplifies the deployment significantly.



blueelvis commented 3 years ago

+1. We need guidance on how to do it the first time correctly via ARM templates. The copying and all is not feasible when you have to deploy multiple functions across environments.

SamaraSoucy-MSFT commented 3 years ago

Thanks for the feedback! I have assigned the issue to the doc author to update appropriately.

vforteli commented 3 years ago

> +1. We need guidance on how to do it the first time correctly via ARM templates. The copying and all is not feasible when you have to deploy multiple functions across environments.

https://github.com/vforteli/funcstoragevnet/blob/main/funcvnettest.json

This is what I used to test this. The only gotcha was that the file share also in this case has to be created explicitly. It is mentioned in the documentation, but I assumed it was only relevant when replacing an existing storage account. Turns out this step is also needed when deploying straight to the secured storage account. Without the file share explicitly created the function will just fail to start completely and the runtime will be unreachable.

blueelvis commented 3 years ago

@vforteli - Thanks a lot mate! I tried this out by creating the file share explicitly and it worked. Just confused as to why the runtime won't do it itself, because everything is in place. From the looks of it, it only has an issue creating the file share; it can create the queues, blob containers and tables, but just not the file share.

One other question I have is how would you do this for Function apps with slots?

vforteli commented 3 years ago

@blueelvis Slots I haven't tested, since there seems to be quite a lot of confusion regarding website_contentshare and slots even without firewall rules: https://github.com/MicrosoftDocs/azure-docs/issues/36458

blueelvis commented 3 years ago

@vforteli - Yeah, that is a pain. Even private endpoints cannot be used with slots. But since we are using Durable functions, I think we are fine getting by without deployment slots. Plus, there is another issue where you have issues with Durable functions along with slots. https://github.com/Azure/azure-functions-durable-extension/issues/1057

blueelvis commented 3 years ago

Also, one more thing: for some reason, the first time it didn't populate the file share, but after doing a second deployment, it populated the file share and the runtime started.

vforteli commented 3 years ago

It works the first time after you ping it, but takes a while to wake up. I think this is just the result of me, out of habit, setting the appsettings in a separate resource to avoid circular dependencies. I suppose if you put them directly in siteconfig/appsettings it will start immediately... maybe. Tested putting the appsettings directly in siteconfig/appsettings; it didn't make any difference in startup speed, but it would still start up eventually with one deployment.

phatcher commented 3 years ago

I have also had this; in one case it leapt into life after manually creating the file share, in the other it stubbornly remained down. This was via Terraform rather than ARM, but to me this looks like a flaw in the startup logic, as the only way I have to make this work reliably is to deploy the app (and associated slot) without security/vnet and then apply the security settings as a second step.

@blueelvis We did manage to get slots working with durable functions, but you need to use two storage accounts: one for management and the other for the task hub, especially if you need fault tolerance. Let me know if you want more details.

vforteli commented 3 years ago

So far this has worked all the time for me. I did forget to set the azurewebjobsconnectionstring at one point, and this is still required. I did run into one old resource group where contentovervnet wasn't supported at all. It is, however, mentioned in the documentation that not all stamps support this feature. For me it has worked on all new ones though.
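The pattern the thread converges on (storage account deployed with its firewall already set to deny, the content file share created explicitly as an ARM resource so the runtime does not have to create it through the blocked data plane, and `AzureWebJobsStorage`, `WEBSITE_CONTENTSHARE` and `WEBSITE_CONTENTOVERVNET` set in the initial deployment), as an added ARM template example written for this page. It is neither vforteli's linked template nor code from the azure-docs repository. It assumes an existing subnet, passed in as `subnetId`, that is delegated to `Microsoft.Web/serverFarms` and has the `Microsoft.Storage` service endpoint enabled; the resource names, the EP1 plan, the `~4` runtime and the API versions are choices made for this example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppName": { "type": "string" },
    "storageAccountName": { "type": "string" },
    "subnetId": {
      "type": "string",
      "metadata": { "description": "Assumed to exist: subnet delegated to Microsoft.Web/serverFarms with the Microsoft.Storage service endpoint" }
    },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "planName": "[concat(parameters('functionAppName'), '-plan')]",
    "contentShareName": "[toLower(parameters('functionAppName'))]",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      "comments": "Firewall is on from the first deployment: only the integration subnet may reach the account.",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "networkAcls": {
          "bypass": "AzureServices",
          "defaultAction": "Deny",
          "virtualNetworkRules": [ { "id": "[parameters('subnetId')]", "action": "Allow" } ]
        }
      }
    },
    {
      "comments": "Created explicitly via the resource provider; the runtime cannot create it itself once the firewall denies data-plane access.",
      "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
      "apiVersion": "2021-04-01",
      "name": "[format('{0}/default/{1}', parameters('storageAccountName'), variables('contentShareName'))]",
      "dependsOn": [ "[variables('storageId')]" ]
    },
    {
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2021-02-01",
      "name": "[variables('planName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "EP1", "tier": "ElasticPremium" },
      "kind": "elastic",
      "properties": { "maximumElasticWorkerCount": 20 }
    },
    {
      "comments": "App settings live in siteConfig so the app is complete on the first deployment; dependsOn the share so listKeys and the share both exist first.",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2021-02-01",
      "name": "[parameters('functionAppName')]",
      "location": "[parameters('location')]",
      "kind": "functionapp",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]",
        "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), 'default', variables('contentShareName'))]"
      ],
      "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]",
        "virtualNetworkSubnetId": "[parameters('subnetId')]",
        "httpsOnly": true,
        "siteConfig": {
          "vnetRouteAllEnabled": true,
          "appSettings": [
            { "name": "AzureWebJobsStorage", "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageId'), '2021-04-01').keys[0].value, ';EndpointSuffix=', environment().suffixes.storage)]" },
            { "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageId'), '2021-04-01').keys[0].value, ';EndpointSuffix=', environment().suffixes.storage)]" },
            { "name": "WEBSITE_CONTENTSHARE", "value": "[variables('contentShareName')]" },
            { "name": "WEBSITE_CONTENTOVERVNET", "value": "1" },
            { "name": "FUNCTIONS_EXTENSION_VERSION", "value": "~4" },
            { "name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet" }
          ]
        }
      }
    }
  ]
}
```

Two things to check after deploying: the share named in `WEBSITE_CONTENTSHARE` must actually exist in the account (the thread's failure mode is a runtime that never comes up because it is missing), and `networkAcls.virtualNetworkRules` must list the same subnet the app is integrated with, otherwise the app's outbound traffic to the share is denied like everyone else's. Because the share is created through the control plane, it is provisioned even though the firewall already denies data-plane access from outside the subnet, which is why the explicit resource is required here and is not only a migration step.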

ggailey777 commented 3 years ago

@cachai2 do you know if we have any ARM templates for the fully-isolated VPN scenario? If not, maybe we should have one in Quickstart templates.