
GitHub Action Deployment of Azure Function Without Public Access from All Networks


A question about a GitHub Action deploying an Azure Function which is in a VNet

I have:

  1. GitHub Repo + Action for deployment with Publish Profile
  2. Azure Function that is a part of the VNet/Subnet/NSG

--

Works: I am able to deploy the function only if I enable full public access for the function.

Need: I would like to restrict that so that I would not need to have public access for the deployment.

Problem: I am not able to allow GitHub Action on IP/Service whitelist or VNet.

--

I do not really want a function to be publicly available all the time. Switching public access on and off for the deployment does not feel right.

Any suggestions?


Solution

  • After some writing back and forth with MS Azure Support we have got the answer:

    The ASP density is unhealthy, so once the HealthCheck has to check it privately as opposed to publicly it's also able to see the state of the instances' minor problems and display them. Overall the ASP density isn't something that would affect the health of an app unless there's a lot of heavy apps running on it. That's why I recommended splitting the 12 apps that are on the original ASP and moving half under the new ASP which should help mitigate the occurrence you're seeing.

    As you're running an ASP with small instances the maximum recommended apps to run on it is 8 in order to keep a healthy environment and it doubles with every instance size (16 for Medium and 32 for Large).

    We are running 12 rather small Azure Functions on the Flexible Premium Function service plan. Everything works as expected, it is only the health-checks that freak out because of the larger number of functions. I do not see us purchasing an additional ASP only to fix this issue, so we will be implementing our own health-check routine instead. Maybe we will merge some of the functions into 1 later on.