Azure - how to create a persistent secure connection between function app and storage account, consumption plan
I am creating an API which runs off a Function App on Azure. This API communicates with a storage account (a secondary one, not the one created with the function app.) It is imperative that this storage account be as secured as possible.
I am new to Azure, but my initial thought would be to create a Virtual Network, with one subnet for the API which can take requests from any user on the internet, and a second subnet for the storage account that can only communicate with the API. The api would have a private endpoint to the storage account. I want only the API to be able to access that storage account. Or, use a service endpoint to communicate from the subnetted storage account to the API not in the VNET.
However, the Function App consumption plan does not support Virtual Network capabilities. I looked at the pricing model for B1, and that would cost at least 55 dollars a month. This is an api that most likely won't be called that much, and it's not worth the 55 a month yet. Maybe in the future I will go for it, but not now.
I was thinking just allow the function app through the firewall, but apparently the outbound IPs for the function app change sometimes, thus making it difficult to have a permanent connection between the two.
My function app works locally because I allow my home IP through the storage account firewall, and when i say the storage account is open to all IPs the function app works on the cloud, but once I put the firewall back up it stops working. Authentication is done via managed identities if that helps. The only issue I am having is the connectivity between the services, caused by the firewall.
Is it possible to connect these two services securely and persistently without a virtual network? Thanks in advance.
I do agree with @Charles Han that you can use Logic apps for this as an alternative to azure functions and follow below process to secure your connection:
Firstly, I have created a Storage account and created Containers and inserted blobs into it.
And then in Networking section I have selected Public network access Enabled from selected virtual networks and IP addresses Option and then I have saved it.
Then I have created a Logic apps as below and Created a Connection between Logic apps and Storage account as below:
Now to secure Connection, I have copied Connector outgoing IP addresses from Properties section of Logic apps as below:
Now I opened again Networking Section of Storage account and added IP address of Connector outgoing IP addresses as below and saved it.
By doing above process your connection is Secured.
Output:
References:
- WebJob is stopping due to website shutting down
- Is it possible to change the day returned from startofweek() and endofweek()?
- Handling Audio blobs sent through mediarecorder in JS through python server script for azure service
- Export app registrations with expiring secrets and certificates and send alert in teams
- SQL Azure import slow, hangs, but local import takes 3 minutes
- Issue with Group email address domain when create a new Microsoft 365 Group
- What is the URL for New Page in Azure DevOps Wiki? / How to bookmark New Page?
- Is there a dynamic way to get variables from Variable Group? Even secret ones? and insert in Azure Key Vault
- How do I configure my Bicep scripts to allow a container app to pull an image from an ACR using managed identity across subscriptions
- Azure DevOps. Can't trigger a pipeline in Repo A when a commit is done in repo B
- How to change the default Azure AI Search scoring to be increased when the whole search term is found exactly?
- List and download files in a folder in a blob with blob level SAS token
- How to change the Lease state of Azure Blob to Available
- unable to delete or move first step from logic app?
- Azure Terraform - Encrypt VM OS Disk
- How to temporary stop Azure API Management Service
- Unable to retrieve key vault certificates in azure runbook
- C#: 'A change set cannot include changes to more than '1' source resources' when adding a user To Group using Azure Graph API 2.0
- Set size limt to direct upload to azure blob storage via SAS URL
- Using AddAzureKeyVault makes my application 10 seconds slower
- PostGreSQL pg_dump psql and pg_restore errors with Azure Flexible SQL Server
- How to check signature of a token coming from Azure SSO
- How can I get error details from an if condition activity in Azure Data Factory?
- Getting a 404 for GET /robots933456.txt
- Given an Applications Insight Instrumentation key, get the name of the service in Azure
- How to specify rewrite url for query string parameters in Azure API Management
- Can a normal Azure Function and a Durable Azure Function coexist in the same Function App?
- TenantGuidNotFound when trying to send email using Microsfot GraphAPI
- Can't signin into microsoft account
- Azure Function App Kudu Functions API with empty response