Add Azure Functions as a trusted Microsoft service in Azure Storage firewall settings
When we enable the firewall in Azure Storage, an Azure Function can no longer communicate with that Storage Account, even if you add the Function's outbound IP addresses to the firewall settings of Azure Storage.
It would be nice if Azure Functions were added as a trusted Microsoft service in the Azure Storage firewall settings.
Please do this! It would mean not having to manage a list of approved IPs, which is the only option for Consumption plan users that have Storage Account files behind a firewall.
David Hügel commented
Any updates on this?
Didier Caron commented
Here is how I got it to work.
In addition to what Chris Brooks says, I did the following:
1. Configure the services (storage account, Key Vault, etc.) to use a private endpoint on the same VNet.
2. Set up the private DNS zones for the VNet.
3. Set the following config settings in the function app:
"WEBSITE_VNET_ROUTE_ALL" = "1"
"WEBSITE_DNS_SERVER" = "220.127.116.11"
Alternatively, you could use service endpoints, but then you need to allow the function app subnet access to the services in the firewall settings.
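As an added example (not part of the comment above and not Microsoft code), the following check reads a storage account's `networkAcls` block and reports which firewall rule, if any, admits the function app, using the behaviour the commenters in this thread describe. The function name `audit`, its parameters and the sample values are hypothetical; private endpoints are not evaluated because they are not expressed in `networkAcls`.

```python
import ipaddress

# Constructed sample: networkAcls shaped like an ARM storage account export.
SUBNET = ("/subscriptions/0000/resourceGroups/rg-demo/providers/"
          "Microsoft.Network/virtualNetworks/vnet-demo/subnets/func")
SAMPLE_ACLS = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.10", "action": "Allow"}],
    "virtualNetworkRules": [],
}

def audit(network_acls, app_settings, integration_subnet_id, outbound_ips, same_region):
    """Hypothetical helper: return (paths, notes) for function app -> storage access."""
    paths, notes = [], []
    if network_acls.get("defaultAction", "Allow") == "Allow":
        return ["firewall-disabled"], ["defaultAction is Allow: every network can reach the account"]

    # Service-endpoint path: the integration subnet must be listed in virtualNetworkRules.
    allowed = {r["id"].lower() for r in network_acls.get("virtualNetworkRules", [])
               if r.get("action", "Allow") == "Allow"}
    if integration_subnet_id and integration_subnet_id.lower() in allowed:
        paths.append("subnet-rule")
    elif integration_subnet_id:
        notes.append("integration subnet is not in virtualNetworkRules")
    else:
        notes.append("app has no VNet integration, so no subnet rule can match")

    # IP-rule path: the thread reports this fails when app and account share a region.
    nets = [ipaddress.ip_network(r["value"], strict=False) for r in network_acls.get("ipRules", [])]
    matched = [ip for ip in outbound_ips if any(ipaddress.ip_address(ip) in n for n in nets)]
    if matched and not same_region:
        paths.append("ip-rule")
    elif matched:
        notes.append("outbound IPs are listed, but same-region traffic does not arrive from them")

    if "AzureServices" in network_acls.get("bypass", ""):
        notes.append("bypass=AzureServices is set; per this thread it does not cover Functions")
    if integration_subnet_id and app_settings.get("WEBSITE_VNET_ROUTE_ALL") != "1":
        notes.append("WEBSITE_VNET_ROUTE_ALL is not '1' (the setting used in the comment above)")
    return paths, notes

if __name__ == "__main__":
    print(audit(SAMPLE_ACLS, {}, None, ["203.0.113.10"], same_region=True))
```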
Salem Artin commented
I believe your Azure Function is in the same region where the secure Azure Storage account is.
If you move your Function App to a different region then this will work (I verified it today).
The second URL is for Logic App, but Microsoft clearly explains their "Technical limitations"
"Logic apps can't directly access storage accounts that are behind firewalls if they're both in the same region. As a workaround, you can have your logic apps and storage account in different regions"
"You can add network security to an Azure storage account by restricting access with a firewall and firewall rules. However, this setup creates a challenge for Azure and other Microsoft services that need access to the storage account. Local communication in the datacenter abstracts the internal IP addresses, so you can't set up firewall rules with IP restrictions."
Hi, is there any update or consideration on this request? Using the Premium plan just for this feature is too expensive.
Jonathan Cardy commented
@Chris Brooks - that solution only works with an (expensive) Premium plan - not a consumption plan.
Chris Brooks commented
You can run your function from within a virtual network, and then allow that virtual network access to the storage account.
See here for more information:
Matt Ruma commented
I think I am running into the same issue with Azure Key Vault.
Hi, has there been any consideration from Microsoft on this request?