

Azure function connection to Azure Blob storage behind Vnet issue

We are currently migrating to a new Azure Subscription and are having issues executing Azure Functions that worked as expected in our old Azure Subscription. The main difference between our old Subscription and our new Subscription is that we have set up a Virtual Network with Subnets and have deployed our Resources behind the Subnets.

We have also had to migrate from an Azure App Service in the old Subscription to an Azure App Environment in the new Subscription.

Our Azure environment consists of:

App Service Environment

App Service Plan I1

The Azure App Environment and Storage Containers are on the same Virtual Network but different Sub Nets. The Function is using a Managed Identity which has Owner Role on Storage Account.

The code listed below worked just fine in our old environment which did not contain the Virtual Network, but fails in our new environment.

Any guidance would be greatly appreciated.

The Azure function which connects to Azure Storage works when run locally from Visual Studio 2019, but fails when run from Azure portal.

Code Snippet below:

This section works just fine:

    string storageConnectionString = XXXXConn.ConnectionETLFileContainer(); // Get Storage connection string
    var myDirectory = "XXXX/Uploads"; // XXXX-etl-file-ingest/ABSS/Uploads/
    CloudStorageAccount storageAccount = CloudStorageAccount.Parse(storageConnectionString);
    CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient(); // Create a CloudBlobClient object for credentialed access to Azure Blob.
    CloudBlobContainer blobContainer = blobClient.GetContainerReference("XXXX-etl-blobfile-ingest"); // Get a reference to the Blob Container we created previously.
    CloudBlobDirectory blobDirectory = blobContainer.GetDirectoryReference(myDirectory); // Get a reference to the Blob Directory.
    var blobs = blobDirectory.ListBlobs(useFlatBlobListing: true); // set useFlatBlobListing as true; the listing is lazy, no request is sent to the storage account yet

This statement fails: Failure occurs when trying to iterate through the Blob files and get specific file info.

    foreach (var myblob in blobs) // enumerating sends the first listing request to the storage account, so the network failure surfaces here

In the Azure portal open storage account blade, under that go to configuration blade, you will be able to see the list of networks for which your storage account has allowed access to. Once you have the allowed network list kindly check if the function app is on one of those networks; if not then you need to get the network on which your function app is hosted added to the list.

Update 2:
The simplest explanation/cause that I found is when an App Service or Function App has the setting WEBSITE_VNET_ROUTE_ALL set to 1, all traffic to public endpoints is blocked. So if your Storage Account has no private endpoint configured, requests to it will fail.

Docs: "To block traffic to public addresses, you must have the application setting WEBSITE_VNET_ROUTE_ALL set to 1."
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet.network-security-groups

Update 1:
My answer below was only a workaround for my problem. Turns out I did not link the Private DNS Zone (this is created for you when you create a new Private Endpoint) to my VNET.

To do this, go to your Private DNS Zone in the Azure Portal and click on Virtual network links in the left menu bar. There add a new link to the VNET your Function is integrated in.

This may not have been relevant for the OP, but hopefully it will help others.


Original answer:
In my case this was solved by enabling the Microsoft.Storage Service Endpoint on the App Service's subnet (dedicated subnet).
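A self-check for the two causes this answer describes (WEBSITE_VNET_ROUTE_ALL=1 blocking public endpoints, and a Private DNS Zone not linked to the VNET), added here as an example and not part of the answer: it reads the real WEBSITE_VNET_ROUTE_ALL setting, resolves the storage account's blob host and reports whether the address falls inside the VNET address space. STORAGE_ACCOUNT_NAME and VNET_CIDR are assumed app settings, and the check is IPv4-only.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

// Added diagnostic, not from the question or answers. STORAGE_ACCOUNT_NAME and VNET_CIDR are
// hypothetical app settings; WEBSITE_VNET_ROUTE_ALL is the real setting the answer names
// (Function app settings reach the process as environment variables). IPv4 only.
public static class StorageRouteCheck
{
    // True when 'address' lies inside the IPv4 block 'cidr', e.g. "10.1.0.0/16".
    public static bool IsInCidr(IPAddress address, string cidr)
    {
        if (address.AddressFamily != AddressFamily.InterNetwork) return false;
        string[] parts = cidr.Split('/');
        uint network = ToUInt32(IPAddress.Parse(parts[0]));
        int prefix = int.Parse(parts[1]);
        uint mask = prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix); // guard: C# masks a 32-bit shift to 0
        return (ToUInt32(address) & mask) == (network & mask);
    }

    private static uint ToUInt32(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes(); // network byte order, big-endian
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    // Maps the two conditions the answers describe onto a one-line explanation.
    public static string Diagnose(string routeAll, IPAddress resolved, string vnetCidr)
    {
        bool routeAllOn = routeAll == "1";
        bool privateIp = IsInCidr(resolved, vnetCidr);
        if (privateIp)
            return "storage host resolves to a private endpoint inside the VNET";
        if (routeAllOn)
            return "WEBSITE_VNET_ROUTE_ALL=1 but the storage host resolves to a public IP: " +
                   "no private endpoint, or the Private DNS Zone is not linked to this VNET";
        return "public route in use: the storage firewall must allow the Function's subnet " +
               "(Microsoft.Storage service endpoint) or its outbound IPs";
    }

    public static void Main()
    {
        string account = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_NAME");
        string cidr = Environment.GetEnvironmentVariable("VNET_CIDR") ?? "10.0.0.0/16";
        string routeAll = Environment.GetEnvironmentVariable("WEBSITE_VNET_ROUTE_ALL");
        string host = account + ".blob.core.windows.net";
        IPAddress ip = Dns.GetHostAddresses(host)[0]; // resolves through the VNET's DNS when integrated
        Console.WriteLine($"{host} -> {ip}: {Diagnose(routeAll, ip, cidr)}");
    }
}
```

Run it from the Function's own environment (for example a throwaway HTTP-triggered function or the Kudu console), since the answer is about what the integrated app resolves, not what your workstation resolves.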
