Azure - how to create a persistent secure connection between function app and storage account, consumption plan
I am creating an API which runs off a Function App on Azure. This API communicates with a storage account (a secondary one, not the one created with the function app.) It is imperative that this storage account be as secured as possible.
I am new to Azure, but my initial thought would be to create a Virtual Network, with one subnet for the API which can take requests from any user on the internet, and a second subnet for the storage account that can only communicate with the API. The api would have a private endpoint to the storage account. I want only the API to be able to access that storage account. Or, use a service endpoint to communicate from the subnetted storage account to the API not in the VNET.
However, the Function App consumption plan does not support Virtual Network capabilities. I looked at the pricing model for B1, and that would cost at least 55 dollars a month. This is an api that most likely won't be called that much, and it's not worth the 55 a month yet. Maybe in the future I will go for it, but not now.
I was thinking just allow the function app through the firewall, but apparently the outbound IPs for the function app change sometimes, thus making it difficult to have a permanent connection between the two.
My function app works locally because I allow my home IP through the storage account firewall, and when i say the storage account is open to all IPs the function app works on the cloud, but once I put the firewall back up it stops working. Authentication is done via managed identities if that helps. The only issue I am having is the connectivity between the services, caused by the firewall.
Is it possible to connect these two services securely and persistently without a virtual network? Thanks in advance.
I do agree with @Charles Han that you can use Logic apps for this as an alternative to azure functions and follow below process to secure your connection:
Firstly, I have created a Storage account and created Containers and inserted blobs into it.
And then in Networking section I have selected Public network access Enabled from selected virtual networks and IP addresses Option and then I have saved it.
Then I have created a Logic apps as below and Created a Connection between Logic apps and Storage account as below:
Now to secure Connection, I have copied Connector outgoing IP addresses from Properties section of Logic apps as below:
Now I opened again Networking Section of Storage account and added IP address of Connector outgoing IP addresses as below and saved it.
By doing above process your connection is Secured.
Output:
References:
- What is a difference between elastic computing and serverless computing?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?
- Update VCore by database in power shell
- While scanning a simple key, could not find expected ':'. Syntax error in azure-pipeline.yaml
- I'm not able to call the Azure document intelligence api using the latest api version "2024-02-29-preview"
- AzureWebJobsStorage Managed Identity not working
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- How can I Get Started Using Certificates to Authenticate my APIs Using Azure Key Vault?
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How to set up a site-to-site connection between Azure VNet and an on-premises network with a single IP address for traffic selectors?
- Summarization of docx or pdf document
- Unable to use Azure Developer CLI (azd) in vsCode even after extensions installed
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages