Tags: azure, azure-functions, azure-virtual-network, azure-functions-core-tools

Azure Functions Core Tools can't connect to private endpoints


I'm running a blob-triggered function on Azure VM (Ubuntu 18.04) using Azure Function Core Tools.
What I want to do is to get information of blobs WITHOUT using a service endpoint.

In my VNet I have:

  • VM1 which runs a function with Core Tools

  • VM2 which is a DNS server and pokes VM1 with an HTTP request like the one below:

    • curl -X POST http://{VM1's private IP}:7071/admin/functions/{my blob Function} -H "content-type:application/json" -d "{'input':'myContainer/myFolder/myBlob'}"

  • Blob storage with a private endpoint

When I enabled a service endpoint Microsoft.Storage on my subnet, VM1 can run a blob-triggered function, can be poked by VM2, and gets information of blobs (which was fed in curl).

However, once I delete the service endpoint, VM1 can't run the function and gets the following errors; obviously it failed to connect to the storage:

An unhandled exception has occurred. Host is shutting down.
Microsoft.WindowsAzure.Storage: This request is not authorized to perform this operation.
An unhandled exception has occurred. Host is shutting down.
Microsoft.WindowsAzure.Storage: The operation was canceled. System.Private.CoreLib: The operation was canceled.

Name resolution to a private IP of a storage is naturally fine, from both VM1 and VM2, as they are in the same subnet.

Is there any way to solve this, like adding a route to my route table?
Thank you in advance.

Edit #1
Other functions which don't use private endpoints, like HTTP-triggered functions are not affected and are callable.
I guess the Core Tools runtime does not support Private Link, because if I want a function on Azure Functions (not Core Tools on a local machine) to connect to private endpoints, it is required to use a Premium plan or App Service Plan.


Solution

  • In this case, when you enable a service endpoint Microsoft.Storage for the subnet, Azure will add a route to the public IP addresses for Storage services in the route table of this subnet. Azure service endpoint provides a direct connection to Azure’s service over Microsoft’s backbone network infrastructure. Using service endpoints does not remove the public endpoint from Azure Storage accounts – it’s just a redirection of traffic.

    When you enable a private endpoint for the blob storage, the blob resources are accessible only via your virtual network. The blob-triggered function will communicate with designated resources using a resource-specific private IP address. If you have removed the service endpoint of a subnet, there is no default route to the public IP of the storage resources via a next-hop virtual network service endpoint. The outbound traffic for Azure services by default goes over the Internet. Thus, other functions that don't use private endpoints, like HTTP-triggered functions, are not affected and are callable.

    In conclusion, it does not seem that it's possible for Azure Functions Core Tools on the Azure VM to connect to private endpoints for blob storage WITHOUT using a service endpoint.

    Hope this makes sense; for more information, you could read these blogs:

    1. Azure Service Endpoints - how do they work?
    2. Azure Service Endpoints versus Azure Private Links
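The answer turns on two things a reader can verify from the VM itself: which IP the storage account's blob hostname resolves to (a VNet address via the privatelink CNAME, or a public one), and whether the subnet still carries the Microsoft.Storage service endpoint and the matching VirtualNetworkServiceEndpoint route. The following bash diagnostic is an added example and is not part of the original question or answer. The RFC 1918 classification runs offline; the resolve and az CLI helpers assume a logged-in az CLI on an Ubuntu VM, and the JMESPath query shapes for the subnet and effective-route-table output are assumptions about the documented output, not taken from the post.

```shell
#!/usr/bin/env bash
# Added diagnostic for the private-endpoint-vs-service-endpoint question above.
# Assumptions: run on the Ubuntu VM that hosts Core Tools; getent is present;
# the az CLI helpers need `az login` and the names of your RG/VNet/subnet/NIC.
set -u

# Return 0 when a dotted-quad IPv4 address is in an RFC 1918 range,
# i.e. the kind of address a private endpoint NIC gets inside the VNet.
is_rfc1918() {
  case "$1" in
    10.*)                                   return 0 ;;
    192.168.*)                              return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    *)                                      return 1 ;;
  esac
}

# Classify a resolved storage address as "private-endpoint" or "public".
classify_storage_ip() {
  if is_rfc1918 "$1"; then echo "private-endpoint"; else echo "public"; fi
}

# Resolve <account>.blob.core.windows.net from this VM and classify the result.
# With a working private endpoint + private DNS zone the public name CNAMEs to
# <account>.privatelink.blob.core.windows.net and lands on a VNet IP.
resolve_blob_endpoint() {
  local host="$1.blob.core.windows.net" ip
  ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  if [ -z "$ip" ]; then
    echo "$host -> unresolved"
    return 1
  fi
  echo "$host -> $ip ($(classify_storage_ip "$ip"))"
}

# Exit 0 if the subnet still lists the Microsoft.Storage service endpoint.
# Args: resource-group vnet-name subnet-name   (az query shape is an assumption)
has_storage_service_endpoint() {
  az network vnet subnet show -g "$1" --vnet-name "$2" -n "$3" \
    --query "serviceEndpoints[?service=='Microsoft.Storage'].service" -o tsv \
    | grep -q .
}

# Print the routes the VM's NIC actually uses whose next hop is either the
# service-endpoint path or plain Internet, so you can see which one storage
# traffic will take once the service endpoint is removed.
# Args: resource-group nic-name   (az query shape is an assumption)
effective_storage_routes() {
  az network nic show-effective-route-table -g "$1" -n "$2" \
    --query "value[?nextHopType=='VirtualNetworkServiceEndpoint' || nextHopType=='Internet'].[addressPrefix[0],nextHopType]" \
    -o tsv
}
```

Source the file and call `resolve_blob_endpoint mystorageaccount` first: if the hostname comes back as `public`, the private DNS zone is not linked to the VNet and the function was only ever reaching storage through the service endpoint, which is exactly the symptom described above. If it resolves to a VNet address but the host still fails, `effective_storage_routes` and `has_storage_service_endpoint` show whether the Core Tools traffic is being routed to the Internet rather than to the private IP.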