Azure Premium Functions - Control outbound traffic with Azure Firewall

What I'm trying to achieve

I have a very simple Azure Function app in a Function Premium plan. I would like to control its outbound traffic so only the requests to, let's say www.server.com are allowed.

What I have tried so far

  • I followed this instruction for an Azure App Service app: https://docs.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall.
  • I enabled the Microsoft.Storage Service Endpoint for the vnet/subnet that is integrated with the function app.
  • I added the same vnet/subnet to the Firewalls and virtual networks settings of the storage account used by this function app.

Issue

When I was trying to add a new HttpTrigger function to this function app, I always got this error: Failed to create HttpTrigger1: Encountered an error (InternalServerError) from host runtime.

Sometimes I was getting this Azure Functions runtime is unreachable error on the Functions page:

Screenshot of Azure Functions runtime is unreachable

Sometimes I was also seeing this error on the Overview page of this function app:

Screenshot of the error on the Overview page

What could I be missing?


Solution 1:

There might be many causes for this kind of error (Azure Functions runtime is unreachable):

  1. As mentioned in the troubleshooting steps of the above error in Microsoft Documentation, the most common reason for this is that the function app has lost access to its storage account.

One of the workarounds I did here:

Created the Azure Function (.NET 3.1 stack) on a Premium Plan in the Azure Portal with an HTTP Trigger, VNet Integration and configured Outbound IP Access.

It is running successfully.


Below are the resources associated with this function app.


As stated in the above documentation, to reproduce that kind of runtime unreachable error I deleted the storage account associated with this Function App.

After deleting the associated storage account, it gave the same error "Azure Functions Runtime is unreachable".


Recovered the deleted storage account and ran the function again:


Make sure the storage account associated with that function app is not deleted; otherwise the function won't work.

  2. Check whether the storage account connection string is deleted or overridden. For example, AzureWebJobsStorage is the local storage emulator connection string variable set in local.settings.json and used when running the function locally. The same variable has a different value in the Azure portal, used to run the function in Azure. So, make sure that all the properties related to the storage account are available and correct.

  3. If you have set a firewall on the storage account and it is not configured to allow traffic to and from Functions, please allow it.

  4. If your daily usage quota is full, then the function runtime will not work. To resolve this, increase or remove the daily quota limit and restart your function app. Otherwise, the execution of your function app is blocked until the next day.

  5. Please check that your function app allows your IP address in its inbound IP restrictions, which might be configured to block internet access.

  6. If your function is hosted in an internally load-balanced App Service Environment, please check that the internal IP address is allowed, because it might be configured to block inbound internet traffic so that the function runtime is unreachable.

  7. Make sure you set the correct value of FUNCTIONS_EXTENSION_VERSION in Configuration (Application Settings) of the Function App in the Azure Portal, as that is the function runtime version setting, then refresh the function app or re-deploy the function. As I created the Function App with the .NET Core 3.1 stack, the compatible function runtime version is 3.



System.Private.CoreLib.Access to the path 'C:\home\site\wwwroot\host.json' is denied

I'm able to access the host.json and function.json files in the Kudu console and also in the editor:


  1. When you connect the Premium Function to VNet Integration, make sure these two settings are available and the same.


There are a few resolutions for this kind of error; please refer to this MSFT Q&A Thread and GitHub Thread.
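The checks the answer walks through (storage connection string present and not the emulator value, the two VNet-related settings pointing at the same storage account, FUNCTIONS_EXTENSION_VERSION matching the stack, and the storage firewall admitting the integrated subnet) can be scripted so they are run before a deployment rather than discovered through "runtime is unreachable". The script below is an added example and is not part of the question, the answer, or any Microsoft tooling. It assumes the input shapes of `az functionapp config appsettings list` (a list of name/value objects) and `az storage account network-rule list` (a NetworkRuleSet object); that the "two settings" the answer refers to are AzureWebJobsStorage and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING; and it adds a check for WEBSITE_CONTENTOVERVNET, which the page does not mention. The stack-to-runtime table beyond .NET Core 3.1, the subnet ID, account names and keys are constructed placeholders.

```python
from __future__ import annotations

# Assumed mapping from runtime stack to the compatible FUNCTIONS_EXTENSION_VERSION
# value; the answer only states that .NET Core 3.1 needs runtime version 3.
RUNTIME_VERSION_FOR_STACK = {"dotnet-3.1": "~3", "dotnet-6.0": "~4"}

# Value that local.settings.json typically carries for the local storage emulator.
EMULATOR_CONNECTION = "UseDevelopmentStorage=true"


def parse_connection_string(value: str) -> dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict; values may themselves contain '='."""
    parts: dict[str, str] = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            parts[key.strip()] = val.strip()
    return parts


def check_function_app(app_settings: list[dict], network_rules: dict,
                       subnet_id: str, runtime_stack: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    settings = {s["name"]: s.get("value", "") for s in app_settings}
    findings: list[str] = []

    # 1. AzureWebJobsStorage must exist and must not still be the emulator value.
    jobs_storage = settings.get("AzureWebJobsStorage", "")
    if not jobs_storage:
        findings.append("AzureWebJobsStorage is missing or empty")
    elif jobs_storage.strip() == EMULATOR_CONNECTION:
        findings.append("AzureWebJobsStorage still points at the local storage emulator")

    # 2. The content-share connection string should name the same storage account
    #    (assumed to be the 'two settings' the answer says must be the same).
    content_conn = settings.get("WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "")
    if not content_conn:
        findings.append("WEBSITE_CONTENTAZUREFILECONNECTIONSTRING is missing")
    elif jobs_storage:
        jobs_acct = parse_connection_string(jobs_storage).get("AccountName")
        content_acct = parse_connection_string(content_conn).get("AccountName")
        if jobs_acct and content_acct and jobs_acct != content_acct:
            findings.append(f"storage accounts differ: {jobs_acct} vs {content_acct}")

    # 3. Runtime version must match the stack the app was built for.
    expected = RUNTIME_VERSION_FOR_STACK.get(runtime_stack)
    actual = settings.get("FUNCTIONS_EXTENSION_VERSION")
    if expected and actual != expected:
        findings.append(f"FUNCTIONS_EXTENSION_VERSION is {actual!r}, expected {expected!r}")

    # 4. If the storage firewall denies by default, the integrated subnet must be allowed.
    if network_rules.get("defaultAction", "Allow").lower() == "deny":
        allowed = {r.get("virtualNetworkResourceId", "").lower()
                   for r in network_rules.get("virtualNetworkRules", [])
                   if r.get("action", "Allow").lower() == "allow"}
        if subnet_id.lower() not in allowed:
            findings.append("storage firewall denies by default and the integrated subnet is not allowed")
        # 5. Content-share traffic must also be routed through the VNet (not on the page).
        if settings.get("WEBSITE_CONTENTOVERVNET") != "1":
            findings.append("WEBSITE_CONTENTOVERVNET should be 1 when the storage account is firewalled")
    return findings


# --- constructed sample data: placeholder subscription, names and key, not a real tenant ---
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-func")
CONN = ("DefaultEndpointsProtocol=https;AccountName={acct};"
        "AccountKey=PLACEHOLDER_KEY==;EndpointSuffix=core.windows.net")


def findings_for_broken_sample() -> list[str]:
    """Settings with the mistakes the answer lists: mismatched accounts, wrong runtime,
    subnet not allowed through the storage firewall, content share not routed over VNet."""
    app_settings = [
        {"name": "AzureWebJobsStorage", "value": CONN.format(acct="stfuncdemo")},
        {"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "value": CONN.format(acct="stother")},
        {"name": "FUNCTIONS_EXTENSION_VERSION", "value": "~2"},
    ]
    rules = {"defaultAction": "Deny", "virtualNetworkRules": []}
    return check_function_app(app_settings, rules, SUBNET_ID, "dotnet-3.1")


def findings_for_fixed_sample() -> list[str]:
    """Same app after applying the answer's fixes; should produce no findings."""
    app_settings = [
        {"name": "AzureWebJobsStorage", "value": CONN.format(acct="stfuncdemo")},
        {"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "value": CONN.format(acct="stfuncdemo")},
        {"name": "FUNCTIONS_EXTENSION_VERSION", "value": "~3"},
        {"name": "WEBSITE_CONTENTOVERVNET", "value": "1"},
    ]
    rules = {"defaultAction": "Deny",
             "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID, "action": "Allow"}]}
    return check_function_app(app_settings, rules, SUBNET_ID, "dotnet-3.1")


if __name__ == "__main__":
    for line in findings_for_broken_sample() or ["no findings"]:
        print("-", line)
```

To use it against a real app, feed `check_function_app` the parsed JSON from the two `az` commands named in the lead-in together with the resource ID of the subnet that is integrated with the function app. The checks deliberately stop at the storage account: the outbound Azure Firewall rules from the question are a separate control and are not inspected here.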