Skip to content

Latest commit

 

History

History
76 lines (45 loc) · 5.31 KB

configure-networking-how-to.md

File metadata and controls

76 lines (45 loc) · 5.31 KB
title description ms.topic ms.date ms.custom
How to configure Azure Functions with a virtual network
Article that shows you how to perform certain virtual networking tasks for Azure Functions.
how-to
06/23/2023
template-how-to

How to configure Azure Functions with a virtual network

This article shows you how to perform tasks related to configuring your function app to connect to and run on a virtual network. For an in-depth tutorial on how to secure your storage account, refer to the Connect to a Virtual Network tutorial. To learn more about Azure Functions and networking, see Azure Functions networking options.

Restrict your storage account to a virtual network

When you create a function app, you either create a new storage account or link to an existing storage account. During function app creation, you can secure a new storage account behind a virtual network and integrate the function app with this network. At this time, you can't secure an existing storage account being used by your function app in the same way.

Note

Securing your storage account is supported for all tiers in both Dedicated (App Service) and Elastic Premium plans. Consumption plans currently don't support virtual networks.

For a list of all restrictions on storage accounts, see Storage account requirements.

During function app creation

You can create a new function app along with a new storage account secured behind a virtual network. The following links show you how to create these resources by using either the Azure portal or by using deployment templates:

Azure portal

Complete the following tutorial to create a new function app a secured storage account: Use private endpoints to integrate Azure Functions with a virtual network.

Deployment templates

Use Bicep or Azure Resource Manager (ARM) quickstart templates to create secured function app and storage account resources.

Existing function app

When you have an existing function app, you can't directly secure the storage account currently being used by the app. You must instead swap-out the existing storage account for a new, secured storage account.

To secure the storage for an existing function app:

  1. Choose a function app with a storage account that doesn't have service endpoints or private endpoints enabled.

  2. Enable virtual network integration for your function app.

  3. Create or configure a second storage account. This is going to be the secured storage account that your function app uses instead.

  4. Create a file share in the new storage account.

  5. Secure the new storage account in one of the following ways:

    • Create a private endpoint. When using private endpoint connections, the storage account must have private endpoints for the file and blob subresources. For Durable Functions, you must also make queue and table subresources accessible through private endpoints.

    • Enable a service endpoint from the virtual network. When using service endpoints, enable the subnet dedicated to your function apps for storage accounts on the firewall.

  6. Copy the file and blob content from the current storage account used by the function app to the newly secured storage account and file share.

  7. Copy the connection string for this storage account.

  8. Update the Application Settings under Configuration for the function app to the following:

    Setting name Value Comment
    AzureWebJobsStorage Storage connection string This is the connection string for a secured storage account.
    WEBSITE_CONTENTAZUREFILECONNECTIONSTRING Storage connection string This is the connection string for a secured storage account. This setting is required for Consumption and Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions.
    WEBSITE_CONTENTSHARE File share The name of the file share created in the secured storage account where the project deployment files reside. This setting is required for Consumption and Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions.
    WEBSITE_CONTENTOVERVNET 1 A value of 1 enables your function app to scale when you have your storage account restricted to a virtual network. You should enable this setting when restricting your storage account to a virtual network.

  9. Select Save to save the application settings. Changing app settings causes the app to restart.

After the function app restarts, it's now connected to a secured storage account.

Next steps

[!div class="nextstepaction"] Azure Functions networking options