
Azure function can not access Azure Blob


I am trying to access the storage account from the Azure function. But I get a 403 error when trying to retrieve the file. I don't see any problem with why I am getting this error.

Let me explain the setup.

1. The Azure function app resides in East US.
2. The Azure blob is in South Central.
3. The Azure blob has the firewall enabled (I have enabled "Azure services can access").
4. I have also whitelisted the IP of the function app (Properties > Virtual IP).
5. The Azure function can create a blob client and retrieve all properties successfully.
6. If I enable public access on the Azure Storage firewall, the function can download the stream.

Any idea what could be the reason?


Solution

  • See if you have given it some time to work. It may take up to 12-13 hours for the storage account to whitelist a virtual network.

    Otherwise, the function app might have a problem reaching services for the reasons below.

    1. Your function app is hosted in an internally load balanced App Service Environment and it's configured to block inbound internet traffic.
    2. Your function app has inbound IP restrictions that are configured to block internet access. Refer to "app behind firewall".

    Otherwise

    • The code may have worked locally because you may have added your local IP to the whitelist, while this step was omitted for the function.
    • Check whether any outbound IP was left out of the whitelisted IPs. In the portal, go to Resource Explorer under Platform features. Search for outboundIpAddresses and add those (usually four) IPs to the storage account whitelist.
    • The issue may even be because of a firewall being set on the storage. Disable it and it should work.

    Other workarounds

    1. To enable the firewall on the storage account, one may have to use VNet integration on the storage account and App Service. See virtual network integration. But it may work through selection of a Consumption plan for different regions and an App Service plan for same regions.
    2. Also check the DNS configuration, as existing Azure services are configured to use an existing DNS to connect to the public endpoint. You must override the DNS configuration to connect to the private endpoint. Check private-endpoint.
    3. You can add network security to an Azure storage account by restricting access with a firewall and firewall rules. See grant-access-to-trusted-azure-service. Check if any of the above is the issue in your case.
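
The outbound-IP check suggested in the answer can be scripted. This is an added example, not code from the question or the answer: it assumes you have copied the function app's `outboundIpAddresses` string from Resource Explorer and the storage account's `networkAcls` object, and the function names and sample addresses are hypothetical.

```python
import ipaddress

def parse_outbound_ips(prop):
    """Split the comma-separated outboundIpAddresses string into address objects."""
    return [ipaddress.ip_address(p.strip()) for p in prop.split(",") if p.strip()]

def allowed_networks(network_acls):
    """Networks from the storage firewall ipRules entries whose action is Allow."""
    nets = []
    for rule in network_acls.get("ipRules", []):
        if rule.get("action", "Allow").lower() == "allow":
            # A bare address becomes a /32; strict=False tolerates host bits in a CIDR.
            nets.append(ipaddress.ip_network(rule["value"], strict=False))
    return nets

def missing_from_allow_list(outbound_prop, network_acls):
    """Outbound IPs of the function app that no Allow rule covers."""
    if network_acls.get("defaultAction", "Allow").lower() != "deny":
        return []  # firewall is not restricting by IP, nothing to add
    nets = allowed_networks(network_acls)
    return [
        str(ip)
        for ip in parse_outbound_ips(outbound_prop)
        if not any(ip.version == n.version and ip in n for n in nets)
    ]

# Constructed sample values (documentation address ranges), not taken from the page.
SAMPLE_OUTBOUND = "203.0.113.10, 203.0.113.11,198.51.100.7,198.51.100.8"
SAMPLE_ACLS = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [
        {"value": "203.0.113.0/28", "action": "Allow"},
        {"value": "198.51.100.7", "action": "Allow"},
        # Assumption: stands in for the inbound virtual IP from the question's step 4,
        # which does not cover the separate outbound addresses.
        {"value": "192.0.2.50", "action": "Allow"},
    ],
}

if __name__ == "__main__":
    for ip in missing_from_allow_list(SAMPLE_OUTBOUND, SAMPLE_ACLS):
        print("outbound IP not allow-listed on the storage account:", ip)
```
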