
Azure functions : Getting 403 error while accessing the storage account


There are already some answers about this issue; you can see them here and here.

In short, if the function and storage account are in same region, they communicate in an internal way without going through outboundIpAddresses.

The workaround is to create them in different regions.


In case anyone else is searching for this... I had a similar issue. I had a function app that I had created a private endpoint and regional VNet integration back with the VNet interacting with a Storage Account that also had a private endpoint with the same VNet. The Storage Account's network/firewall settings only allowed connections from the VNet (no external traffic allowed). Both the storage account and function app reside in the same region.

Attempt at fix #1 (not ideal):

I added code to determine what IP the function app was running from. That led me to add all of the IPs in the portal under function app --> Properties --> Additional Outbound IP Addresses. This is exposed by Terraform if using that.

Attempt at fix #2 (better):

The resolution is to ensure you have the proper function app settings set.

See: Microsoft documentation

| Setting | Suggested value | Description |
| --- | --- | --- |
| WEBSITE_CONTENTOVERVNET | 1 | Create this app setting. A value of 1 enables your function app to scale when your storage account is restricted to a virtual network. |
| WEBSITE_DNS_SERVER | 168.63.129.16 | Create this app setting. When your app integrates with a virtual network, it will use the same DNS server as the virtual network. Your function app needs this setting so it can work with Azure DNS private zones. It's required when you use private endpoints. This setting and WEBSITE_VNET_ROUTE_ALL will send all outbound calls from your app into your virtual network. |
| WEBSITE_VNET_ROUTE_ALL | 1 | Create this app setting. When your app integrates with a virtual network, it uses the same DNS server as the virtual network. Your function app needs this setting so it can work with Azure DNS private zones. It's required when you use private endpoints. This setting and WEBSITE_DNS_SERVER will send all outbound calls from your app into your virtual network. |

Note: 168.63.129.16 is a static value for Azure DNS.

After setting all of these, my function app was able to connect to the storage account through the VNet as expected.
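
A way to check a function app against the three settings in the table above, as an added example that is not part of the original answer. It assumes the input is the JSON array printed by `az functionapp config appsettings list` (objects with `name` and `value`); the function name and the sample data are constructed for illustration.

```python
import json

# Settings and suggested values taken from the table in the answer above.
REQUIRED = {
    "WEBSITE_CONTENTOVERVNET": "1",
    "WEBSITE_DNS_SERVER": "168.63.129.16",
    "WEBSITE_VNET_ROUTE_ALL": "1",
}


def audit_vnet_settings(appsettings_json):
    """Return a list of (setting, problem) findings; an empty list means all three are set."""
    entries = json.loads(appsettings_json)
    # Defensive: treat a null value as empty and ignore stray whitespace.
    actual = {e["name"]: (e.get("value") or "").strip() for e in entries}

    findings = []
    for name, expected in REQUIRED.items():
        if name not in actual:
            findings.append((name, "missing"))
        elif actual[name] != expected:
            findings.append((name, f"is {actual[name]!r}, expected {expected!r}"))
    return findings


# Constructed sample: one setting correct, one wrong, one absent.
SAMPLE = json.dumps([
    {"name": "AzureWebJobsStorage", "slotSetting": False, "value": "<placeholder>"},
    {"name": "WEBSITE_CONTENTOVERVNET", "slotSetting": False, "value": "1"},
    {"name": "WEBSITE_VNET_ROUTE_ALL", "slotSetting": False, "value": "0"},
])

if __name__ == "__main__":
    for name, problem in audit_vnet_settings(SAMPLE):
        print(f"{name}: {problem}")
```
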