Is it possible to IP whitelist Azure Blob Storage Containers to only accept requests from specific Azure Functions


We're currently trying to create a solution which handles sensitive data in Azure using Function Apps (v2) compiled in C#. Since an App Service Environment would be expensive overkill for the solution that we need, we have tried to secure communication between our Function and a general purpose blob storage (v1) queue and table, firstly using VNet integration and then IP restrictions. Unfortunately, trying to IP-restrict access to the blob storage from the function doesn't work - it always seems to fail with 'Forbidden' when we try to connect, even with the full list of the function's external IPs added to the blob storage's allowed IPs list. And the blob storage won't allow the function's internal IP (LOCAL_ADDR in Kudu) to be added to the 'allowed IPs' list since it's an internal IP, and even adding the entire Azure region's IP addresses to the blob storage still doesn't seem to allow the function to connect. The only thing which works is to turn off IP restrictions altogether, which puts the whole solution on shaky ground security-wise (e.g. GDPR).

Has anyone managed to find a solution to this issue? Is it actually possible and any ideas where we might have gone wrong if it is?


Solution

  • The closest possible solution I found is to connect your Functions App to a VNet, then connect your storage account to the same VNet; then you can configure restrictions based on that VNet. Storage doesn't support an exception for Functions specifically, since the list under "Allow Azure trusted services" doesn't include the Functions products.

    I'd recommend checking the second portion of this document to help configure your Functions app with a VNet, then this one to configure your storage account with the same VNet, then add restrictions on the Storage Firewall.
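The approach the answer describes, expressed as an added Bicep example (this is not code from the original question or answer): a subnet delegated to App Service for regional VNet integration, with a Microsoft.Storage service endpoint, a data storage account whose firewall defaults to Deny and allows only that subnet, and a Function App on an Elastic Premium plan integrated into the subnet. All resource names, address ranges, SKUs, API versions and the `DATA_STORAGE_BLOB_ENDPOINT` app setting are assumptions chosen for illustration.

```bicep
// Added example, not from the original post. Names, ranges, SKUs and API
// versions below are assumptions for illustration.
param location string = resourceGroup().location
param vnetName string = 'fn-vnet'                                       // assumed
param subnetName string = 'fn-integration'                              // assumed
param storageName string = 'sensitivedata${uniqueString(resourceGroup().id)}' // assumed
param planName string = 'fn-premium-plan'                               // assumed
param functionAppName string = 'fn-sensitive-${uniqueString(resourceGroup().id)}' // assumed

// Subnet delegated to App Service (regional VNet integration) with a
// Microsoft.Storage service endpoint, so the storage firewall sees traffic
// as coming from this subnet rather than from a public outbound IP.
resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
          delegations: [
            { name: 'appservice', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
        }
      }
    ]
  }
}

// Data storage account: deny everything by default, allow only the subnet.
// The same networkAcls block applies to a general purpose v1 account.
resource dataStorage 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices' // "trusted services" does not cover Functions, as the answer notes
      ipRules: []
      virtualNetworkRules: [
        { id: vnet.properties.subnets[0].id, action: 'Allow' }
      ]
    }
  }
}

// Elastic Premium plan: Consumption plans cannot use VNet integration.
resource plan 'Microsoft.Web/serverfarms@2021-03-01' = {
  name: planName
  location: location
  sku: { name: 'EP1', tier: 'ElasticPremium' }
  properties: { reserved: false }
}

// Function App integrated into the delegated subnet; all outbound traffic
// is routed through the VNet so storage requests arrive via the endpoint.
resource functionApp 'Microsoft.Web/sites@2021-03-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
    siteConfig: {
      vnetRouteAllEnabled: true
      appSettings: [
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'dotnet' }
        // Assumed setting name: the locked-down account's blob endpoint for the function code.
        { name: 'DATA_STORAGE_BLOB_ENDPOINT', value: dataStorage.properties.primaryEndpoints.blob }
      ]
    }
  }
}
```

Two caveats a practitioner would check before relying on this: the Function runtime's own account (`AzureWebJobsStorage`) is deliberately left out and should stay a separate account from the locked-down data account, since the runtime has its own requirements for storage behind a firewall; and the storage firewall change itself is a useful detection point, so alert on any change to `networkAcls.defaultAction` or to `ipRules` on the data account (Azure Policy or Activity Log alerts), because flipping the default back to Allow is exactly the "only thing which works" workaround the question describes.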