azure-functions, azure-storage

Deploy to Function App with Access Restrictions and vNet Integration


I am currently trying to deploy code from an Azure DevOps Repo to an Azure Function App which has active Access Restrictions for inbound traffic as well as vNet Integration regarding outbound traffic. Each function app is tied to a storage account. This storage account is only accessible from the exact vNet the function app is integrated with.

Access Restrictions: I whitelisted the AzureDevOps service tag.

vNet Integration: The function app is vnet integrated. The function app's storage account is accessible only from the selected vNet.

subNet Configuration: Service endpoints for storage are enabled.

Network Security Group: The subnet inside the vnet is protected by a network security group.

Allowed inbound traffic:

  • AzureDevOps Service Tag

Allowed outbound traffic:

  • Storage Service Tag

I then use a build pipeline in Azure DevOps to publish the artifact (functionapp as .zip) and then proceed with a Release that downloads the Artifact and deploys it to a function app.

The deployment seems to work flawlessly:

2023-04-13T14:02:07.5017872Z ##[section]Starting: Azure Function App Deploy: FA-TST-xxx
2023-04-13T14:02:07.5148220Z ==============================================================================
2023-04-13T14:02:07.5148398Z Task         : Azure Functions Deploy
2023-04-13T14:02:07.5148471Z Description  : Update a function app with .NET, Python, JavaScript, PowerShell, Java based web applications
2023-04-13T14:02:07.5148597Z Version      : 2.219.0
2023-04-13T14:02:07.5148656Z Author       : Microsoft Corporation
2023-04-13T14:02:07.5148738Z Help         : https://aka.ms/azurefunctiontroubleshooting
2023-04-13T14:02:07.5148818Z ==============================================================================
2023-04-13T14:02:09.8559391Z Got service connection details for Azure App Service:'FA-TST-xxx'
2023-04-13T14:02:43.1629721Z (node:1428) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
2023-04-13T14:02:45.4392949Z NOTE: Function app is VNet integrated.
2023-04-13T14:02:50.5646873Z Trying to update App Service Application settings. Data: {"WEBSITE_RUN_FROM_PACKAGE":"1"}
2023-04-13T14:02:50.5647155Z Deleting App Service Application settings. Data: ["WEBSITE_RUN_FROM_ZIP"]
2023-04-13T14:02:50.5647620Z App Service Application settings are already present.
2023-04-13T14:02:51.8678122Z Validating deployment package for functions app before Zip Deploy
2023-04-13T14:02:52.4037017Z Package deployment using ZIP Deploy initiated.
2023-04-13T14:03:20.6923999Z Deploy logs can be viewed at https://fa-tst-xxx.scm.azurewebsites.net/api/deployments/4bc45377e91c44ca2e18c4451549c1e5/log
2023-04-13T14:03:20.6924440Z The web package has been deployed to App Service. Please note that the package mount or extraction errors will be logged in the deployment logs in the location above.
2023-04-13T14:03:20.6924780Z NOTE: Run From Package makes wwwroot read-only, so you will receive an error when writing files to this directory.
2023-04-13T14:03:24.2067507Z Successfully added release annotation to the Application Insight : AI-TST-xxx
2023-04-13T14:03:24.6058941Z App Service Application URL: https://fa-tst-xxx.azurewebsites.net
2023-04-13T14:03:24.6219120Z ##[section]Finishing: Azure Function App Deploy: FA-TST-xxx

Deployment logs also look fine to me:

[{"log_time":"2023-04-13T14:02:54.4683117Z","id":"1b1ed1bc-12c6-493f-be3f-3f0a1659c4e0","message":"Updating submodules.","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:54.5776418Z","id":"7e37471f-2272-4c07-b5e7-4ea17b4a8a4f","message":"Preparing deployment for commit id '4ec45877c9'.","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:54.827664Z","id":"2a19b2f9-0223-4a13-aa8a-618790ced6e4","message":"Skipping build. Project type: Run-From-Zip","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:54.9214344Z","id":"fa294e85-d78b-4f63-8de9-1ce1f1ee50ec","message":"Skipping post build. Project type: Run-From-Zip","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:55.01516Z","id":"6118ea98-86be-4323-beb3-b9e5bd0fcc5f","message":"Triggering recycle (preview mode disabled).","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:55.1558172Z","id":"16064a20-a8e2-4239-bbb3-3bd955624757","message":"Deployment successful.","type":0,"details_url":null}]

However, when I check the portal to list the functions, no changes are visible. Something went wrong with the deployment - but I am struggling to figure out what it is.

When I deactivate vNet Integration and allow access to my storage account from anywhere, deployment works like a charm. All functions are then visible through the Azure portal.

I also tried adding inbound NSG-rules for the subnet where the storage account resides:

  • AzureResourceManager Service Tag
  • AzureDevOps Service Tag
  • AppService Service Tag
  • AppServiceManagement Service Tag

Nothing worked. I am clueless as to how to fix this problem. Any ideas?


Solution

  • @AndrewDuffy Update: Today I once again tried to fix the issue only to realize that it no longer exists. I can now deploy code to a vNet-integrated function app. I can't really tell you why this has changed, but what I can do is share my configuration:

    Under Function App Access Restrictions:

    I allowed the following service tags:

    • AzureResourceManager

    Under the Network Security Group that is assigned to the Function App/ASP subnet:

    I allowed the following service tags for inbound traffic:

    • AzureDevOps
    • AzureResourceManager

    Service tags for outbound traffic:

    • Storage
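The working configuration from the answer above, rendered as an added Bicep template; this is not code from the question or the answer. The parameter names, the NSG name, port 445 for the content share and the closing deny-all outbound rule are assumptions not stated on the page.

```bicep
// Assumed names: replace location, functionAppName and the NSG name with your own.
param location string = resourceGroup().location
param functionAppName string

// NSG on the subnet the function app is integrated with: inbound only from the
// AzureDevOps and AzureResourceManager service tags, outbound only to Storage.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-functionapp-subnet'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-AzureDevOps-Inbound'
        properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'AzureDevOps', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '443' }
      }
      {
        name: 'Allow-AzureResourceManager-Inbound'
        properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'AzureResourceManager', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '443' }
      }
      {
        // 443 for blob/queue/table over HTTPS, 445 (assumed) for the SMB content share that Run From Package reads from.
        name: 'Allow-Storage-Outbound'
        properties: { priority: 100, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: 'Storage', destinationPortRanges: [ '443', '445' ] }
      }
      {
        // Assumed hardening, not on the page: without it the default AllowInternetOutBound rule still applies.
        name: 'Deny-All-Outbound'
        properties: { priority: 4000, direction: 'Outbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' }
      }
    ]
  }
}

// Function app access restrictions: the same service tags, everything else denied.
resource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: functionAppName
}

resource webConfig 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: functionApp
  name: 'web'
  properties: {
    ipSecurityRestrictionsDefaultAction: 'Deny'
    ipSecurityRestrictions: [
      { name: 'Allow-AzureResourceManager', priority: 100, action: 'Allow', tag: 'ServiceTag', ipAddress: 'AzureResourceManager' }
      { name: 'Allow-AzureDevOps', priority: 110, action: 'Allow', tag: 'ServiceTag', ipAddress: 'AzureDevOps' }
    ]
  }
}
```

The Deny-All-Outbound rule is stricter than the setup described on the page: with Route All enabled on the integration it blocks every non-Storage destination, Application Insights included, so add explicit allow rules for anything else the app must reach.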